Tag: BCP

Contingency Planning – Huh?

Before you start reading and understanding the core concepts in the context of BCP – Business Continuity Planning, DRP – Disaster Recovery Planning and Contingency Planning, make sure you understand that these are very important concepts and are interpreted differently by different organizations, individuals and security professionals. The main reason is that we as humans may think differently in terms of countermeasures, we have different risk appetite and so are the organizations that the individuals are made of and are in key positions to propose, accept and finalize on various business and operational contingency plans. 

Before we begin, let us understand some of the core concepts. 

What is a Plan?

Oxford Dictionary defines Planning as “an intention or decision about what one is going to do”.

So what is Contingency planning?

“A contingency plan is a plan devised for an outcome other than in the usual (expected) plan” – From Wikipedia. 

Before we get into what is included in each of the plans, let us look into some definitions.

According to the NIST Special Publication 800-34,  IT contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption. 

Contingency planning generally includes one or more of the approaches to restore disrupted IT services:
ƒ- Restoring IT operations at an alternate location  (Example: Hot Site, Warm Site and Cold Site)
ƒ- Recovering IT operations using alternate equipment  (Example: Secondary Server, High Availability Configuration)
ƒ- Performing some or all of the affected business processes using non-IT (manual) means. (Example: Manually collect a customer’s credit card information through phone)

Because Contingency Plan includes broad scopes for recovery, continuity and response to business needs, business threats and emergencies, it is important to note that an organization may choose to implement the Contingency Plan in many different ways. This is when we start talking about BCP, DRP, COOP, IRP, etc. There are more. See Appendix A for expansion of these acronyms.

For a CISSP, it is important to understand the main differences between various types of plans.

What is a BCP?

Business Continuity Planning (BCP) is a process of creating or putting in place, systems and mechanisms for prevention and recovery of business systems to deal with potential threats to a business goal.

Business Continuity Plan is a formal document consisting of a set of processes, drawings, flow charts, ordered lists etc. that will help a business navigate through a business interruption(s) by providing tested and proven methods to recover and prevent a potential threat to the existence of the business. A BCP can have other plans included as part of its scope.

What is a DRP?

Disaster Recovery Plan (DRP) is a very detailed, hands on plan when compared to a Business Continuity Plan. It is highly reactive. It contains detailed instructions on how to respond to unplanned incidents such as hurricanes, flooding, earthquakes, power outages, cyber attacks and any other event that will cause disruptions to the business operations. The plan contains strategies on minimizing the effects of a disaster, so an organization will continue to operate – or quickly resume key operations.


Contingency plans help you continue to operate or sustain your business goals and can be reactive such as BCP, DRP and BRP. Parts of these plans can be proactive as well. For example, if you have servers configured in the High Availability (HA) mode, then you will limit downtime and improve performance. This is a proactive approach. If you have a backup server or a warm site, then you are making sure you can continue to operate when servers are down, this represents a reactive approach.

Appendix A

  1. BCP : Business Continuity Planning
  2. DRP : Disaster Recovery Planning 
  3. BRP : Business Recovery Planning
  4. COOP : Continuity of Operations Plan
  5. IRP : Incident Response Plan
  6. OEP: Occupant Emergency Plan

This was chapter 1 on Contingency Planning. If you have any comments or questions, leave them below or message me!

Over and Out! Stay safe, think before you click (anywhere).


If you would like to subscribe to this blog. Simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.

Quick Reference for DR and BC Metrics – RPO, RTO & WRT Concepts


New Feature: Listen to this Article

How can I not have an article on Disaster Recovery and Business Continuity Planning? A must have understanding for anyone in Security.

If you are a security professional with years of experience, then you are very familiar with these important fundamental metrics that is used in developing a Business Impact Analysis (BIA) Report which will identity your business processes , identify resources required for recovering of these processes in the event of a disaster and a become part of your Business Continuity Plan (BCP).

The metrics I am referring to are RPORTO and WRT. Also, Maximum Tolerable Downtime. I hope someone who is just getting into security and trying to grasp this concept will find this explanation very useful.


Let us assume a business which is operating normally represented by the following chart. Note, the X axis represents Time. The concepts that we are going to learn are a function of time. Time scale = 1 hr

Normal Operation.

Figure 1

Disaster Strikes.

Figure 2

Recovery Efforts Begin

Figure 3

Normal Operation Resumes

Figure 4

A disaster hits a business which is under normal operation at 3 am, recovery starts at 6 am, normal operation resumes at 8 am. Then we can define the terms as follows:

  • Recovery point objective (RPO) is defined as Measures maximum acceptable data point to be recovered.
  • Recovery Time Objective (RTO) is defined as Maximum time needed for data recovery.
  • Work Recovery Time (WRT) is defined as Maximum amount of time needed to verify data integrity to resume operation.

Maximum Tolerable Downtime (MTD) is defined as The amount of time business process can be disrupted without causing significant harm to the organization’s mission.

For this particular example, from Figure 4 shows a RTO of 3 hrs and WRT of 2 hrs. The MTD is calculated as follows:
MTD = 3 hrs. + 2 hrs.
MTD = 5 hrs.

This is a very simple example for understanding the concept of calculating the Maximum Tolerable Downtime. For a deeper understanding I recommend indulging into books and materials written on DR and BC. Note that there is a very thin line and it can get blurred between resuming total business normal operation which may mean that you have switched back to the primary site for operation. For practical purposes , getting back to normal operation is more critical and important than returning to the primary site.

If you would like to get more understanding of these topics please see the following references:

A technical article on RTO Vs RPO by msp360.com

A blog post from Default Reasoning by Marek Zdrojewski