Much of the material you have read in this book has dealt with the ways in which security incidents can be prevented. The business continuity plan (BCP) and disaster-recovery plan (DRP) domains address what to do and how to respond when things go wrong. This chapter discusses how to preserve business operations in the face of major disruptions. The BCP is about assessing risk and determining how the business would respond should those risks materialize. The steps of the BCP process include project management and planning, business impact analysis (BIA), continuity planning design and development, and BCP testing and training. The DRP is a subset of your BCP; it covers the planning and restoration actions the business would undertake if a disastrous event occurred.
To pass the business continuity planning domain of the ISC2 Certified Information Systems Security Professional (CISSP) exam, you will need to know the steps that make up the BCP process. You will also need to know the differences between BCP and DRP. You must also understand the ways in which the BCP can be tested, including tabletop, full interruptions, checklists, and functional tests.