Business Continuity Plan (BCP)
A plan that outlines procedures and instructions for maintaining essential business functions during and after a disaster or disruptive event. BCP encompasses business impact analysis (BIA), recovery strategies, plan development, testing, and maintenance. Key metrics include Recovery Time Objective (RTO — maximum acceptable downtime), Recovery Point Objective (RPO — maximum acceptable data loss), and Maximum Tolerable Downtime (MTD). BCP differs from disaster recovery (DR) — BCP covers the entire business, while DR focuses specifically on IT systems. BCP planning is a critical topic in CISSP Domain 1, CISM, and CBCP certifications.
Why It Matters
In practice, BCP is critical because natural disasters, ransomware attacks, and infrastructure failures can halt business operations entirely, and organizations without tested continuity plans face significantly longer recovery times and higher financial losses. Organizations that fail to develop and test BCPs face existential threats when major disruptions occur, with studies showing that companies unable to resume operations within ten days of a disaster are unlikely to survive long-term. The COVID-19 pandemic exposed gaps in countless business continuity plans that had not accounted for prolonged workforce disruption scenarios. Regular testing through tabletop exercises, structured walkthroughs, and full-scale simulations is essential for plan validation. On certification exams such as CISSP, CISM, and CBCP, expect questions about conducting business impact analysis, calculating RTO and RPO values, comparing BCP with disaster recovery planning, understanding the BCP lifecycle phases, and evaluating different testing methodologies from checklist reviews to full interruption tests.
Practice this topic
Test your knowledge of Business Continuity Plan (BCP) concepts with exam-style practice questions.
Related GRC terms
Risk Assessment
The process of identifying, analyzing, and evaluating potential risks to an organization's information assets to determine the likelihood and impact of threats exploiting vulnerabilities. Risk assessment methodologies include qualitative (rating risks as High/Medium/Low), quantitative (calculating Annual Loss Expectancy using SLE x ARO = ALE), and hybrid approaches. Frameworks like NIST SP 800-30, ISO 27005, and FAIR provide structured risk assessment processes. The output drives risk treatment decisions: accept, mitigate, transfer (insurance), or avoid. Risk assessment is the cornerstone of CISSP Domain 1, CISM, and CISA certifications.
Vulnerability Assessment
A systematic process to identify, quantify, and prioritize security vulnerabilities in systems, applications, and networks using automated scanning tools and manual review. Common tools include Nessus, Qualys, OpenVAS, and Rapid7 InsightVM. Vulnerability assessments differ from penetration testing — they identify weaknesses without actively exploiting them. Results are typically scored using CVSS (Common Vulnerability Scoring System) and prioritized by severity, asset criticality, and exploitability. Regular vulnerability assessments are required by PCI DSS, HIPAA, and other compliance frameworks and are a key topic in Security+, CySA+, and CISSP certifications.
Penetration Testing
An authorized simulated cyberattack on a computer system, network, or application performed to evaluate its security posture and identify exploitable vulnerabilities. Pentest types include black box (no prior knowledge), white box (full system knowledge), and gray box (partial knowledge). The methodology follows phases: planning and scoping, reconnaissance, scanning, exploitation, post-exploitation, and reporting. Industry standards include the PTES, OWASP Testing Guide, and NIST SP 800-115. Penetration testing is the focus of OSCP, PenTest+, CEH, and GPEN certifications and a key assessment method in CISSP Domain 6.
Compliance
The act of conforming to established guidelines, specifications, regulations, or legislation related to information security and data protection. Key compliance frameworks include PCI DSS (payment card data), HIPAA (healthcare data), SOX (financial reporting), GDPR (EU personal data), and FedRAMP (US government cloud). Non-compliance can result in significant fines, legal liability, and reputational damage. Organizations use controls frameworks (NIST CSF, ISO 27001, CIS Controls) to demonstrate compliance. Compliance management is a central topic in CISA, CISM, and CISSP Domain 1 (Security and Risk Management).
NIST Framework
A set of guidelines and best practices published by the National Institute of Standards and Technology to manage cybersecurity risk, most commonly referring to the NIST Cybersecurity Framework (CSF) with its five core functions: Identify, Protect, Detect, Respond, and Recover. NIST also publishes the SP 800 series (including 800-53 for security controls, 800-171 for CUI, and 800-63 for digital identity). The framework is voluntary but widely adopted across industries and required for U.S. federal agencies. NIST provides the foundation for many organizational security programs and is heavily referenced in CISSP, CISM, and Security+ certifications.
ISO 27001
An international standard for information security management systems (ISMS) that specifies requirements for establishing, implementing, maintaining, and continually improving an organization's security management program. ISO 27001 follows a Plan-Do-Check-Act (PDCA) cycle and requires organizations to assess risks, implement appropriate controls (from the Annex A control set), and undergo regular audits. Certification is granted by accredited third-party auditors and is valid for three years with annual surveillance audits. ISO 27001 is globally recognized and often required by enterprise customers and partners. It is a key framework in CISM, CISA, and CISSP GRC domains.