Business Continuity

Business continuity is concerned with maintaining critical operations during any interruption in a service.

It should focus on incidents that are infrequent but may have a large impact on the organization, such as a disaster.

Disaster recovery focuses on resumption of operations after an interruption due to disaster.

Continuity management is a term that groups both business continuity and disaster recovery.

A Business Continuity Plan (BCP) is the plan an organization uses to respond to a disruption of its critical business processes.

Main steps within the BCP, according to CISSP:

  1. Project scope and planning
  2. Business impact analysis (BIA)
  3. Continuity Planning
  4. Approval and implementation

Steps to create a BCP:

  1. Inventory of assets
  2. Risk analysis with Business Impact Analysis (BIA) of the assets
  3. Recovery Strategy Development
  4. Implementation of BCP
  5. Recovery Procedures / Disaster Recovery Plan (DRP)
  6. Periodical Test/Simulations

Creating a BCP is an iterative and continuous process, so the previous steps may be repeated in cycles.

The recovery steps are not considered within BCP; they are taken in the DRP. BCP is usually managed by the business, and DRP by IT.

Risk analysis provides a broad view of potential risks and threats across the organization, helping prioritize where to focus resources for mitigation.

BIA zooms in on the specific impacts of disruptions to critical business functions, guiding the development of business continuity plans and ensuring resources are allocated effectively to maintain essential operations.

Business Impact Analysis

Identify the processes, then the threats to each of them and the likelihood that each threat occurs.

Concepts related to Business Continuity

The Disaster Recovery Plan (DRP) covers the technological aspects of business continuity and documents the detailed procedures of the recovery operations, for example:

  • restoring from backup tapes
  • restarting business operations
  • relocation

Maximum Tolerable Period of Disruption (MTPD)

Mean Time Between Failures (MTBF) is the average time between failures.

Mean Time to Repair (MTTR)

Mean Time Between Unscheduled Replacement (MTBUR) is the average time between changes or updates made to the system.

Recovery Time Objective (RTO)

Recovery Point Objective (RPO)

Critical Success Factor (CSF)

Key Performance Indicator (KPI) and Key Risk Indicators (KRI)

Risk capacity = Risk Tolerance + Risk Appetite
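As an added example, not part of the original notes, the following Python turns the metrics above into a small BIA consistency check: it computes MTBF and MTTR from constructed outage records and flags a process whose RTO exceeds its MTPD, whose backup interval exceeds its RPO, or whose observed MTTR exceeds its RTO. The process names and figures are constructed; the relationships checked follow the usual definitions of these terms, which the page itself does not spell out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Outage:
    start: datetime
    end: datetime

@dataclass
class Process:
    name: str
    mtpd_h: float             # Maximum Tolerable Period of Disruption (hours)
    rto_h: float              # Recovery Time Objective (hours)
    rpo_h: float              # Recovery Point Objective (hours)
    backup_interval_h: float  # how often the process's data is backed up (hours)
    outages: list             # historical Outage records

def mtbf_hours(outages: list) -> float:
    """MTBF: average gap between the end of one outage and the start of the next."""
    gaps = [(b.start - a.end).total_seconds() / 3600 for a, b in zip(outages, outages[1:])]
    return sum(gaps) / len(gaps) if gaps else float("inf")

def mttr_hours(outages: list) -> float:
    """MTTR: average outage duration."""
    if not outages:
        return 0.0
    return sum((o.end - o.start).total_seconds() for o in outages) / 3600 / len(outages)

def check_process(p: Process) -> list:
    """Findings where the objectives are inconsistent or not met by observed repair times."""
    findings = []
    if p.rto_h > p.mtpd_h:  # recovery must complete before the disruption becomes intolerable
        findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTPD {p.mtpd_h}h")
    if p.backup_interval_h > p.rpo_h:  # the possible data-loss window must not exceed the RPO
        findings.append(f"{p.name}: backup interval {p.backup_interval_h}h exceeds RPO {p.rpo_h}h")
    mttr = mttr_hours(p.outages)
    if mttr > p.rto_h:  # historical repair times show the RTO is not being achieved
        findings.append(f"{p.name}: observed MTTR {mttr:.1f}h exceeds RTO {p.rto_h}h")
    return findings

def _o(start_h: float, end_h: float) -> Outage:
    t0 = datetime(2025, 1, 1)  # arbitrary epoch for the constructed records
    return Outage(t0 + timedelta(hours=start_h), t0 + timedelta(hours=end_h))
# Constructed sample data, not from any real organization.
PAYMENTS = Process("payments", 8, 4, 1, 0.5, [_o(0, 2), _o(100, 103), _o(300, 301)])
HR_PORTAL = Process("hr-portal", 24, 48, 4, 24, [_o(0, 30), _o(500, 520)])

if __name__ == "__main__":
    for proc in (PAYMENTS, HR_PORTAL):
        print(proc.name, f"MTBF={mtbf_hours(proc.outages):.1f}h", f"MTTR={mttr_hours(proc.outages):.1f}h", check_process(proc) or "OK")
```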

Individuals with specific business continuity roles should receive training on at least an annual basis.

Standards related to Business Continuity

Standards related to business continuity:

  • ISO 22301 covers a Business Continuity Management System (BCMS)
  • ISO 22317 covers a Business Impact Analysis (BIA)
  • ISO 31000 covers overall risk management
  • ISO 27005 covers risk management oriented to IT

The only version of ISO 22301 as of 2025 is ISO 22301:2019.

ISO 22301

ISO 22301 covers a Business Continuity Management System (BCMS).

ISO 22301 clauses:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

The planning clause contains context, leadership, goals, competences, communication and documentation.
