CISSP: Business continuity planning and exercises

February 12, 2025 by Jeff Peters

Business continuity planning (BCP) ensures the continuous operation of your business before, during and after a disaster event. The focus of BCP is on business continuation, and it ensures that all services the company provides or critical functions it performs are still carried out in the wake of the disaster. To accomplish this, the organization needs to consider the most common threats to their critical functions and consider any associated vulnerabilities. 

BCP appears in several domains of the CISSP certification exam: 

  • Domain 1: Security and Risk Management (16%) - Section 1.7: Identify, analyze, assess, prioritize and implement Business Continuity (BC) requirements. 
  • Domain 6: Security Assessment and Testing (12%) - Section 6.3: Collect security process data, including disaster recovery and business continuity. 
  • Domain 7: Security Operations (13%) - Section 7.13: Participate in Business Continuity planning and exercises. 

For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate. 

The business continuity planning process

Business continuity planning aims to respond to disruption, activate recovery teams, handle tactical disaster status communication, assess damage caused by disruption, and recover critical assets and processes. 

Developing a BCP plan is vital for an organization. It helps to minimize an interruption in normal business functions for any event, from small to catastrophic. BCP has specific requirements for review and implementation to ensure that all planning has been considered. 

The steps for BCP are as follows:

  • Project initiation 
  • Scope 
  • Business impact analysis 
  • Identify preventive controls
  • Recovery strategy 
  • Designing and development 
  • Implementation, training and testing 
  • BCP maintenance 

NIST SP 800-34 provides a guideline for developing a logical BCP.

Project initiation

The scope of the project must be defined and agreed upon before developing a BCP. There are seven milestones involved: 

  1. Develop a contingency planning policy statement aligned with business strategy. 
  2. Conduct business impact analysis (BIA) and risk assessment. 
  3. Identify preventive controls and risk mitigation strategies.
  4. Develop strategies for recovery. 
  5. Develop an IT contingency plan. 
  6. Plan testing, training and exercises. 
  7. Maintenance planning. 

Project requirements

Management support

Upper-level management support is very important in BCP planning and implementation. C-level management must agree to the plan set forth and must also support the plan's action items. C-level management is an important resource if there is a disruption because they have the power to speak to the entire organization and the external media. Also, they have the power to commit the resources necessary to move from disaster to recovery. 

Project managers

The BCP project manager is the main point of contact; they ensure that the BCP is updated and tested periodically. The project manager should have business skills, be knowledgeable about the organization's mission, and, of course, must have good managerial and leadership skills to handle the tumultuous events that call for BCP measures. 

The BCP team

The BCP team is solely responsible for handling emergencies and carrying out the BCP plans. Before establishing the BCP team, the continuity planning project team (CPPT) must be assembled. This CPPT should represent all the stakeholders in the organization, including HR, IT, physical security, risk management, public relations and all other personnel responsible for effective business operations. The CPPT focuses on identifying the resources and risk mitigation strategies needed to handle a disastrous event. 

Scope

The scope of BCP is very difficult but crucial to define. BCP scoping requires us to define: 

  • The exact assets that are covered and protected by the plan 
  • Which types of emergency events the plan will address 
  • The resources necessary to create and implement the plan 
  • Supply chain dependencies and third-party risks 

Many key players in the organization will have to be involved in the scoping of BCP to ensure all aspects of organizational function are represented. It is also crucial to assess the critical state and associated risks. This assessment can be difficult because determining which IT infrastructure is critical isn't always straightforward, especially without consultation from key users and stakeholders. Use a qualitative approach when documenting the assets, groups, impacts, processes and associated risks. 

Executive management support will be needed for the following three steps: 

  • Initiation of the plan 
  • Final approval of the plan 
  • Demonstration of due care and due diligence to the satisfaction of management 

Business impact analysis

Business impact analysis (BIA) is a formal methodology used to determine how a disruption to an organization's IT system will impact its processes, requirements and interdependencies with respect to its business mission. This process determines and prioritizes critical IT systems, allowing the project manager to delineate IT contingency priorities fully. It helps correlate IT system components with the critical services they support and aims to quantify potential damage from disasters. The primary goal of BIA is to calculate the maximum tolerable downtime (MTD) for an IT asset. Other benefits include improvements in business processes and procedures, as it highlights inefficiencies in these areas. 

The main components of BIA are as follows: 

  • Identify critical assets and their alignment with business objectives 
  • Assess external dependencies and supply chain risks 
  • Conduct comprehensive risk assessment, including:
      • Threat and vulnerability identification
      • Risk analysis and scope determination
      • Control assessment effectiveness
  • Determine maximum tolerable downtime (MTD) 
  • Define key performance and risk indicators 
  • Establish failure and recovery metrics 

Identify preventive controls

Preventive controls are used to stop disruptive events before they start. These controls should align with your risk management strategy and business objectives. Examples include: 

  • Environmental controls like HVAC systems to prevent equipment from overheating 
  • Physical security measures to prevent unauthorized access 
  • Network segmentation to prevent widespread system failures 
  • Supply chain controls to prevent service disruption 
  • Redundant systems to prevent single points of failure 

Your BIA helps identify risks that can be mitigated through preventive controls. Regular assessment of control effectiveness ensures these measures continue to protect critical assets and operations. 

Recovery strategy

Once your BIA is performed successfully, you will be able to devise a recovery strategy. Metrics like maximum tolerable downtime, recovery point objective and recovery time objective are used to determine the strategy for disaster recovery. Technical, physical and administrative controls must be maintained during recovery. Modern recovery strategies should consider: 

  • Supply chain resilience (ensuring critical equipment and services remain available) 
  • Telecommunication redundancy (maintaining communication through multiple channels) 
  • Utility management (ensuring access to power, water and other essential services) 
  • Cloud service continuity (managing cloud-based system recovery) 
  • Remote work capabilities (supporting distributed workforce operations) 

Redundant site

A redundant site is a duplicate of the production site that can operate seamlessly without loss of services. The redundant site should have live data backup replication to avoid losing user data. 

Hot site

A hot site is a location an organization may relocate to in case of a major disaster. The hot site will have all necessary hardware and applications installed, along with mirrored real-time data. This will allow the organization to resume operations in a very short period of time.

Warm site

As you might expect, a warm site has some of the same aspects as a hot site—for instance, readily available hardware and communication capabilities. However, it will rely on backup data to reconstruct operations. Many organizations go for warm site solutions because of the cost involved in maintaining redundant or hot sites. 

Cold site

This is the least expensive solution to implement. A cold site doesn't contain any readily available hardware or copies of data backups. Setting up a cold site after a disaster will take the longest time. 

Mobile site

This can be described as a data center on wheels. Towable trailers containing racks of computer equipment, HVAC, physical security and fire suppression mechanisms are part of the mobile site. 

Subscription services

BCP planning and/or implementation can sometimes be outsourced to another organization, thus transferring the risk to the insurer company. Various organizations build their profit models by offering BCP services for customers. 
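
The recovery strategy decision described above, as an added example that is not part of the original article: it ranks BIA rows by MTD, flags rows whose RTO exceeds their MTD, and picks the least expensive site type whose recovery time and data loss fit each system's RTO and RPO. The hour figures per site type and the sample systems are assumptions made for illustration; only the ordering of the site types comes from the text.

```python
from dataclasses import dataclass

# Cheapest first: (name, hours to resume, hours of data lost); hours are assumed.
SITE_TIERS = [
    ("cold", 336.0, 168.0),    # no hardware or backups staged: slowest
    ("warm", 72.0, 24.0),      # hardware ready, rebuilt from backup data
    ("hot", 4.0, 0.25),        # hardware, applications, mirrored real-time data
    ("redundant", 0.0, 0.0),   # live duplicate of production with replication
]

@dataclass
class BiaEntry:
    system: str
    mtd_h: float   # maximum tolerable downtime, hours
    rto_h: float   # recovery time objective, hours
    rpo_h: float   # recovery point objective, hours

def check_entry(e):
    """Return consistency problems in one BIA row (empty list if none)."""
    checks = [(min(e.mtd_h, e.rto_h, e.rpo_h) < 0, "negative value"),
              (e.rto_h > e.mtd_h, "RTO exceeds MTD")]
    return [msg for failed, msg in checks if failed]

def select_site(e):
    """Cheapest tier whose restore time and data loss fit the RTO and RPO."""
    for name, restore_h, loss_h in SITE_TIERS:
        if restore_h <= e.rto_h and loss_h <= e.rpo_h:
            return name
    return "redundant"  # only reached if an objective is negative

def plan(entries):
    """Rank systems by MTD (most urgent first) and attach a site tier."""
    rows = []
    for e in sorted(entries, key=lambda x: x.mtd_h):
        problems = check_entry(e)
        rows.append((e.system, None if problems else select_site(e), problems))
    return rows

# Constructed sample BIA rows (not from the article).
SAMPLE = [
    BiaEntry("payroll", mtd_h=720, rto_h=400, rpo_h=200),
    BiaEntry("order-processing", mtd_h=8, rto_h=4, rpo_h=1),
    BiaEntry("intranet-wiki", mtd_h=168, rto_h=96, rpo_h=24),
    BiaEntry("payment-gateway", mtd_h=1, rto_h=0.5, rpo_h=0),
    BiaEntry("crm", mtd_h=24, rto_h=48, rpo_h=4),  # inconsistent on purpose
]

for system, site, problems in plan(SAMPLE):
    print(f"{system:18} {site or 'REVIEW':10} {'; '.join(problems)}")
```

A row marked REVIEW goes back to the BIA owners rather than receiving a site assignment, since an RTO longer than the MTD cannot be met by any site choice.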

Plan approval

Once the BCP plan is completed and ready for management approval, it is the responsibility of senior management to protect an organization's critical personnel and assets. Senior management must understand that they are responsible for the plan and, therefore, must thoroughly understand the plan, own it, and ensure that they will take the steps necessary to make the plan a success. 

Implementation, training and testing

Training, testing and awareness must be performed for the disaster portion of BCP. Skipping these is one of the most common mistakes. BCP is never complete — it's a continuous process to ensure organizational resilience. While experienced professionals plan, regular testing reveals gaps and needed improvements. 

Each member of the disaster recovery team must thoroughly understand their roles through: 

  • Read-through/tabletop exercises 
  • Walkthrough testing 
  • Simulation exercises 
  • Parallel testing 
  • Full interruption testing 

Training should cover: 

  • Individual roles and responsibilities 
  • Emergency response procedures 
  • Communication protocols 
  • Recovery processes 
  • Lessons learned from previous incidents or exercises 

Regular awareness training for all personnel helps ensure everyone understands their part in maintaining operational safety and security. 

BCP maintenance

Once the plan is completed, tested and implemented, it must be kept up to date. Business and IT systems change rapidly, so your BCP must keep pace. BCP maintenance should include: 

  • Change management 
  • Version control 
  • Risk assessment updates 
  • Supply chain monitoring 
  • Performance metrics review 
  • Continuous improvement 

The change management process must track and document changes, approvals and results of completed changes. Version control ensures all parts of the system use the most current documented procedures. Regular review helps identify common issues like: 

  • Insufficient management support 
  • Limited stakeholder involvement 
  • Inadequate supply chain risk management 
  • Incomplete testing procedures 
  • Outdated training materials 
  • Missing performance metrics 

Why business continuity planning matters 

Time becomes critical when catastrophic emergencies strike and shut down your company's network. Every minute of downtime means lost profits, interrupted services and potential damage to your reputation with users and stakeholders. While recovering and restoring operations requires careful problem-solving, your company must resume operations quickly. A comprehensive, tested business continuity plan isn't optional - it's essential for surviving major disruptions and maintaining stakeholder trust. 

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.