What Is a Business Continuity Plan?

A business continuity plan (BCP) is a plan designed to help an organization continue to operate during and after a disruption. The disruption can be an intentional attack or a natural disaster. The goal is a continuation of operations.

BCPs can address any type of disruption or disaster. Organizations that operate near a Southern U.S. coast plan for hurricanes, businesses in the heartland’s “tornado alley” plan for tornadoes, Californians plan for earthquakes, and everyone plans for fires.

Disruptions can also come from attacks or failures. A critical server could go down because of an attacker on the Internet, a malware infection, or a hardware or software failure. If the server is a critical business function (CBF), the BCP needs to ensure that plans are in place to get it operational as soon as possible.

The scope of the BCP includes a global view of the organization and its information technology (IT) systems, facilities, and personnel. This is not to say that all elements of an organization must continue to operate during a disruption. Instead, the BCP examines all elements and then identifies those that are mission critical and need to continue to operate. Non–mission-critical elements that do not need to continue aren’t addressed by the BCP.

TIP

The scope of the BCP can be limited to certain parts of an organization. For example, it could include just a specific location or specific CBFs. However, the BCP is focused on the overall business functions rather than just the individual IT systems.

Mission-critical systems are those identified as critical to the mission of the organization to keep the organization functioning. The term mission critical can also apply to functions or processes.

A business impact analysis (BIA) is included as part of a BCP. The BIA has several key objectives that directly support the BCP. These include:

  • Identifying critical business functions (CBFs)—A CBF is any function considered vital to an organization. If the CBF fails, the organization will lose the ability to perform mission-critical operations.
  • Identifying critical processes supporting the CBFs—The critical processes are the steps or actions taken to support the CBFs.
  • Identifying critical IT services supporting the CBFs, including any dependencies—These services include the servers and other hardware necessary to support critical processes. Many services have dependencies. For example, an application server may need a database server to remain operational.
  • Determining acceptable downtimes for CBFs, processes, and IT services—The BIA defines this downtime as the maximum acceptable outage (MAO). When considering the BCP, also determine whether there are different MAOs for different times of the year. For example, a database server may be critical for end-of-year processing but not critical at other times.

All of these objectives come together in the BCP to align the organization’s priorities. The BIA identifies the mission-critical systems, applications, and operations, and the BCP provides the plan to ensure that they continue to operate even if a disaster strikes.

Similarly, the BCP includes disaster recovery plans (DRPs), which help the organization restore IT services after the disaster. Any organization can create its BCP using procedures that match its needs. However, the overall steps of a BCP are:

  • Chartering the BCP and creating BCP scope statements
  • Completing the BIA
  • Identifying countermeasures and controls
  • Developing individual DRPs
  • Providing training
  • Testing and exercising plans
  • Maintaining and updating plans