CISSP Domain 1: Contingency Planning (MTD / RTO / RPO, BIA, Governance)

How BCP Ties into Risk Management

Continuity planning starts after risk work becomes concrete. The flow is straightforward: potential risks are assessed, identified risks are prioritized, controls reduce exposure, residual risks remain, and contingency planning covers what still can go wrong.

Risk management reduces exposure to acceptable levels. BCP ensures essential business operations continue even when those risks still materialize.

Understanding the Risk Types

Potential Risks

These are the threats an organization could face before formal assessment. The article groups them as:

  • Natural: earthquakes, floods, hurricanes, severe weather
  • Human: employee mistakes, insider threats, sabotage
  • Technological: cyberattacks, hardware failures, system outages, data breaches

Risk Assessment

Once risks are listed, structured assessment evaluates likelihood and impact so recovery planning focuses on what matters first.

Identified Risks and Residual Risks

Identified risks are those confirmed through assessment. Residual risks are what remain after management, operational, and technical controls are applied. Residual risk is where contingency planning becomes non-optional.

Security Controls Before Continuity Planning

The article breaks controls into three layers used to reduce risk before a continuity plan has to activate:

  • Management controls: policies, documented procedures, training
  • Operational controls: monitoring, access restrictions, backup routines
  • Technical controls: firewalls, encryption, intrusion detection

Contingency Planning and Incident Response

Contingency planning defines how the organization will recover and continue operating after disruption. The Incident Response Plan fits into this larger strategy by covering immediate detection, containment, and coordinated action during the incident itself.

Practical distinction: incident response handles the immediate event; continuity planning ensures the business can still function through and after it.

BCP vs DRP

This distinction is a frequent exam trap.

Business Continuity Plan (BCP)

Broad organizational plan covering business processes, critical operations, communications, people, alternate work arrangements, IT recovery, and any other actions needed to keep essential services running.

Disaster Recovery Plan (DRP)

Specialized subset of BCP focused on restoring IT systems, applications, data, facilities, and infrastructure.

The Detailed BCP Process — Seven Steps

  1. Develop the BCP Policy — define intent, scope, governance, roles, assumptions, and secure executive approval.
  2. Conduct the Business Impact Analysis (BIA) — identify critical processes and determine MTD, RTO, and RPO.
  3. Perform the Risk Assessment — identify internal and external threats and map them to business functions.
  4. Identify Recovery Strategies — choose workable recovery options such as alternate sites, remote work, or manual processes.
  5. Develop the BCP and Recovery Plans — document business and IT restoration procedures, communications, and evacuation actions.
  6. Test, Train, and Exercise — run simulations, drills, and training so the plan is executable under pressure.
  7. Maintain and Review the BCP — update after incidents, audits, or major organizational changes.

How to Create a Good BCP

The article adds practical sequence beyond theory:

  • Establish the BCP policy as documented proof of leadership support
  • Schedule the BIA and inventory business processes, dependencies, and resource requirements
  • Perform cost-benefit analysis before over-investing in recovery controls
  • Validate whether the continuity target is realistic
  • Prioritize recovery strategies such as hot, warm, and cold sites based on criticality

Good BCP: RTO is less than MTD. Bad BCP: RTO exceeds MTD.

The Four-Step CBK BCP Model

  1. Project Scope and Planning — define scope, objectives, assumptions, committee structure, resources, and leadership backing.
  2. Business Impact Analysis (BIA) — identify essential services, estimate downtime tolerance, project losses, and prioritize recovery requirements.
  3. Continuity Planning / Contingency Strategies — estimate contingency costs, evaluate external services, secure SLAs, and define recovery options.
  4. Approval and Implementation — obtain executive endorsement, deploy resources, maintain the plan, and train personnel.

Key Recovery Metrics

MTD / MTO

Maximum time a process can be unavailable before severe or unacceptable impact occurs.

RTO

Maximum acceptable outage duration before recovery must be achieved.

RPO

Maximum acceptable data loss measured backward from the disruption point.

WRT

Work Recovery Time — time needed after restoration to verify and return to usable operations.

Useful relation: the article frames MTD as containing both the recovery time (RTO) and the work recovery time (WRT), so RTO plus WRT must fit within MTD; this is why RTO on its own must always remain below MTD.
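A small BIA sanity checker, added here as an example and not taken from the article, that applies the relations above to a list of processes: RTO + WRT must fit inside MTD, the backup interval must not exceed RPO, and a safeguard is only justified when the annual loss it avoids exceeds its cost (the cost-benefit point from the BCP section). All process names and values are constructed.

```python
# Added example, not from the source notes: a BIA sanity check applying the
# relations stated above (RTO + WRT <= MTD, backup interval <= RPO, and
# cost-benefit for safeguards). All values below are constructed.
from dataclasses import dataclass

@dataclass
class BiaEntry:
    process: str
    mtd_hours: float              # maximum tolerable downtime
    rto_hours: float              # recovery time objective
    wrt_hours: float              # work recovery time after restore
    rpo_hours: float              # tolerable data loss, in hours
    backup_interval_hours: float  # how often a restorable copy is taken

def recovery_fits(e: BiaEntry) -> bool:
    """Good BCP: recovery plus work recovery must land before MTD."""
    return e.rto_hours + e.wrt_hours <= e.mtd_hours

def rpo_met(e: BiaEntry) -> bool:
    """Worst-case loss is one backup interval, so it must not exceed RPO."""
    return e.backup_interval_hours <= e.rpo_hours

def safeguard_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Cost-benefit: the avoided annual loss must exceed the safeguard's cost."""
    return (ale_before - ale_after) > annual_cost

def review_bia(entries: list[BiaEntry]) -> dict[str, list[str]]:
    """Findings per process; an empty list means the targets are consistent."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        issues = []
        if not recovery_fits(e):
            issues.append(f"RTO {e.rto_hours}h + WRT {e.wrt_hours}h exceeds MTD {e.mtd_hours}h")
        if not rpo_met(e):
            issues.append(f"backup every {e.backup_interval_hours}h cannot meet RPO {e.rpo_hours}h")
        findings[e.process] = issues
    return findings

# Constructed sample rows: a feasible portal target and an infeasible trading target.
SAMPLE_BIA = [
    BiaEntry("customer portal", 5, 3, 1, 1, 1),
    BiaEntry("trading system", 1, 0.5, 1, 0.1, 24),
]

if __name__ == "__main__":
    for process, issues in review_bia(SAMPLE_BIA).items():
        print(process, "OK" if not issues else "; ".join(issues))
```

Run it against a real BIA export and every non-empty findings list is a process whose stated targets cannot be met by the current recovery design.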

Recovery Site Thinking

The article points to prioritizing recovery strategies based on business criticality:

  • Hot site for mission-critical workloads needing rapid restoration
  • Warm site for moderate criticality
  • Cold site for lower-priority or slower restoration requirements

Continuous Review

A BCP is a living document. It must be revisited when operations change, priorities shift, or incidents and audits reveal gaps. DRP, contingency plans, and business resumption planning must remain aligned with the latest business model.

Brain Ticklers

Q1. Leadership says the portal must be back within 3 hours and the business cannot tolerate more than 5 hours of downtime. What matters most?

Think: feasibility depends on whether the recovery target (RTO) stays below the maximum tolerable downtime (MTD).

Q2. Databases are restored, but the customer support team has no phones, no workspace, and no routing. Which plan failed?

Think: systems may be back, but non-IT operations still are not.

Q3. In the CBK four-step model, where does BIA sit relative to scope/planning and continuity strategies?

Think: first define the program, then analyze impact, then choose strategies.

Q4. A trading system has aggressive RTO and RPO targets. Which site and replication approach best supports that?

Think: low downtime and low data-loss tolerance require the highest readiness model.

Q5. A safeguard reduces annual outage loss, but its cost exceeds the avoided loss. Is it economically justified?

Think: cost-benefit still matters in continuity planning.

Q6. Before assigning criticality ratings in a BIA, what should be done first to reduce guesswork?

Think: gather structured business data before finalizing recovery values.