Business Continuity and
Disaster Recovery Planning
Disaster: a natural or man-caused event that
damages property and assets, injures or kills
people, and impairs the ability of organizations
to continue operating.
Business Continuity Planning: the set of
activities required to ensure the continuation of
critical business processes when a disaster
Disaster Recovery Planning: the set of
activities concerned with the assessment,
salvage, repair, and restoration of damaged
facilities and assets that support critical business
Two Main Kinds of Categories of
How Disasters Affect
High Level Contingency and Disaster
Recovery Planning Strategy
• Develop the Business Contingency Planning Policy and Business Process Priorities
• Conduct a Risk Assessment
• Conduct the Business Impact Analysis (BIA)
• Develop Business Continuity and Recovery
• Develop Business Continuity Plans
• Conduct awareness, testing, and training of the
• Conduct Disaster Recovery Plan maintenance
Identify business processes
ISO 27001: Requirements for Information
Security Management Systems. Section 14
addresses business continuity management.
ISO 27002: Code of Practice for Business
guide for information
Seven steps process for
BCP and DRP projects.
From U.S. National
Institute for Standards
From U.S. National Fire
NFPA 1620: The recommended practice for
HIPAA: Requires a documented and tested
disaster recovery plan.
U.S. Health Insurance Portability
and Accountability Act.
Why BCP/DRP and BCP/DRP
The goal of BCP/DRP is not prevention of the
BCP/DRP is about:
Continuation of critical business processes when
a disaster destroys data processing capabilities
Preparation, testing and maintenance of specific
actions to recover normal processing
BCP/DRP is an ongoing project; it is not a project
with a beginning and an end.
Creating a BCP/DRP requires:
Support of senior management
Must include both business and IT personnel
Obtaining executive support
BCP/DRP is resource intensive: budget, staffing, and year-to-year support for the maintenance of the plan are necessary. This is secured by obtaining executive support.
Formally defining the scope of the project
What parts of the organization are included in the project and what parts are excluded from the project.
Choosing project team members
When choosing a project team, there should be a balance between getting good talent for the project team and maintaining enough support for day-to-day operations.
Developing a project charter
The project charter is where preparation items are documented prior to the actual start of the project. It should contain:
Purpose of the BCP/DRP project
Principal team members
There are five phases in developing BCP/DRP
Project management & initiation
Establish needs, work plan and get management support
Business Impact Analysis (BIA)
Analysis of the criticality of each of the organization's business
processes, and obtaining formal agreement with senior...