Weekly CISSP Practice

Exam Questions

Week 46 - Question 1

Question: What should be the primary focus of Business Continuity Planning (BCP)?
  • A. Data Recovery
  • B. Maintaining Business Operations
  • C. Incident Response
  • D. Compliance
Correct Answer: B. Maintaining Business Operations

Understanding the BCP Framework
In the CISSP mindset, Business Continuity Planning (BCP) is a strategic, "big picture" initiative. It is not just about IT or servers; it is about the survival of the organization's mission. The focus is on availability and resilience.
1. Maintaining Business Operations (The Core Mission)
The primary goal of BCP is to ensure that the organization can continue to perform its most critical functions during and after a disaster.
  • Resilience over Restoration: BCP looks at how we can keep working while things are broken. This might involve manual workarounds, failing over to a secondary site, or prioritizing specific departments over others.
  • The "People" Factor: BCP focuses heavily on the safety of personnel and the continuity of the processes they manage.
2. Data Recovery vs. DRP (Option A)
Many students confuse BCP with Disaster Recovery Planning (DRP).
  • The Distinction: DRP is a subset of BCP. While BCP is broad and focuses on the business as a whole, DRP is technical and tactical. DRP's focus is on restoring IT systems, data, and infrastructure to a functional state.
  • CISSP Rule: If the question is about restoring a server, it's DRP. If it's about continuing the business mission, it's BCP.
3. Incident Response (Option C)
Incident Response (IR) is the immediate, tactical reaction to a specific event (like a ransomware infection or a fire).
  • The Goal: IR is designed to contain, eradicate, and recover from a specific event. While BCP and IR work together, IR is the "first responder" action, whereas BCP is the plan for the "long-term survival" of the company during the disruption.
4. Compliance (Option D)
While regulations like HIPAA, SOX, or GDPR may mandate that an organization has a BCP, compliance is a reason for the plan, not the focus of it. The functional objective is always the availability of the business.

Key Metrics in BCP and DRP
To truly understand BCP for the exam, you must be familiar with these three time-based metrics:
  • RTO (Recovery Time Objective): The target time within which a business process (and the systems supporting it) must be restored after a disruption. The RTO is a planning target; it must be shorter than the MTPD or the plan cannot succeed even when executed perfectly.
  • RPO (Recovery Point Objective): The maximum amount of data loss the business can tolerate, measured in time back from the moment of disruption. The RPO drives how often data must be backed up or replicated: a 15-minute RPO cannot be met by a nightly backup.
  • MTPD (Maximum Tolerable Period of Disruption), also called MTD (Maximum Tolerable Downtime): The longest time a critical function can be unavailable before the organization suffers unacceptable harm. In CISSP terms MTD = RTO + WRT, where WRT (Work Recovery Time) is the time needed after systems are back to verify data, re-enter transactions and catch up on backlog.
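The relationships between these metrics are easy to state and easy to get wrong in a real Business Impact Analysis, so the following Python script, added here as an example and not part of the original practice page, checks a set of business functions for the three failure modes a reviewer looks for: objectives that are internally inconsistent (RTO + WRT larger than MTPD), a backup cadence that cannot meet the RPO, and a DR test that took longer than the RTO. The business functions, their objectives and the measured figures are constructed for illustration; all durations are in minutes.

```python
"""Sanity-check Business Impact Analysis recovery objectives.

Added example, not from the CISSP practice page. The BIA entries below are
constructed for illustration. All durations are in minutes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    mtpd: int             # Maximum Tolerable Period of Disruption (MTD)
    rto: int              # Recovery Time Objective
    wrt: int              # Work Recovery Time (verify data, re-key, catch up)
    rpo: int              # Recovery Point Objective
    backup_interval: int  # how often data is actually captured today
    tested_recovery: int  # time measured in the most recent DR exercise


def headroom(f: BusinessFunction) -> int:
    """Minutes of slack between the plan (RTO + WRT) and the MTPD.

    Zero means the plan works only if nothing goes wrong; negative means
    the objectives contradict each other.
    """
    return f.mtpd - (f.rto + f.wrt)


def check_function(f: BusinessFunction) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the entry is consistent and met."""
    findings = []

    # 1. Consistency: the plan must fit inside the tolerable outage window.
    if headroom(f) < 0:
        findings.append(("MTPD",
                         f"RTO {f.rto} + WRT {f.wrt} exceeds MTPD {f.mtpd} by "
                         f"{-headroom(f)} minutes; the plan cannot meet MTPD even if executed perfectly"))

    # 2. RPO vs reality: worst-case data loss is one full backup interval
    #    (failure occurs just before the next capture).
    if f.backup_interval > f.rpo:
        findings.append(("RPO",
                         f"backup interval {f.backup_interval} exceeds RPO {f.rpo}; "
                         f"worst-case data loss is {f.backup_interval} minutes"))

    # 3. RTO vs reality: the last exercise is the only evidence the RTO is achievable.
    if f.tested_recovery > f.rto:
        findings.append(("RTO",
                         f"last DR test took {f.tested_recovery}, RTO is {f.rto}; "
                         f"RTO is not demonstrated"))

    return findings


def check_all(functions: list[BusinessFunction]) -> dict[str, list[tuple[str, str]]]:
    """Run check_function over a whole BIA and key the findings by function name."""
    return {f.name: check_function(f) for f in functions}


# Constructed BIA entries (hypothetical organization).
CONSTRUCTED_BIA = [
    # Consistent and met: 15-minute replication satisfies a 15-minute RPO,
    # the DR test beat the RTO, and RTO + WRT leaves an hour of headroom.
    BusinessFunction("order-entry", mtpd=240, rto=120, wrt=60, rpo=15,
                     backup_interval=15, tested_recovery=90),
    # Boundary case: RTO + WRT equals MTPD exactly (zero headroom), and the
    # last test overran the RTO by an hour.
    BusinessFunction("payroll", mtpd=2880, rto=1440, wrt=1440, rpo=1440,
                     backup_interval=1440, tested_recovery=1500),
    # Objectives written without looking at reality: nightly backup against a
    # 60-minute RPO, and a plan that cannot fit inside the MTPD at all.
    BusinessFunction("email-archive", mtpd=480, rto=360, wrt=180, rpo=60,
                     backup_interval=1440, tested_recovery=300),
]


if __name__ == "__main__":
    for name, findings in check_all(CONSTRUCTED_BIA).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

The script deliberately treats a measured DR test, not the number written in the plan, as the evidence for the RTO; an RTO that has never been demonstrated is an aspiration. Note that "payroll" produces only an RTO finding: zero headroom between RTO + WRT and MTPD is not a violation, but it is worth flagging in prose to the plan owner because there is no margin for anything going wrong.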

The "CISSP Rule of Thumb"
Think of BCP as the Umbrella. Underneath that umbrella, you have DRP (Technical), Incident Response (Tactical), and Crisis Management (Communications). If the goal is to keep the "lights on" and the "doors open," the answer is Business Continuity.