
📖 What is a Business Continuity Plan (BCP)?

A strategy for maintaining essential business operations during and after a significant disruption or disaster.

🥋 Sensei Says:

"BCP is about the WHOLE business, not just the IT systems. It keeps the lights on."

📚 Certification: Certified in Cybersecurity (CC)

🔑 What are the Key Concepts of a Business Continuity Plan (BCP)?

  • A BCP identifies critical business functions and resources, prioritizing their recovery based on impact to the organization.
  • It includes detailed procedures for responding to various disruptions, encompassing communication, evacuation, and system restoration.
  • Regular testing and updates are crucial; a BCP is a living document that must adapt to changing business needs and threats.
  • BCP differs from Disaster Recovery (DR) – DR focuses on IT systems, while BCP covers all aspects of business operations.
  • Key components include a Business Impact Analysis (BIA) to determine acceptable downtime and resource requirements.

🎯 How does a Business Continuity Plan (BCP) appear on the CC Exam?

You may be asked to identify the primary goal of a BCP when presented with a scenario involving a natural disaster impacting a company's headquarters.

A scenario might describe a company experiencing a ransomware attack; expect questions about which BCP elements would be activated first.

Expect questions about the order of operations in a BCP, such as prioritizing critical functions versus non-essential ones during a prolonged outage.

❓ Frequently Asked Questions

What's the relationship between a BCP and a Disaster Recovery Plan (DRP)?

A DRP is a *subset* of a BCP. The BCP encompasses the entire organization's response to disruption, while the DRP specifically addresses IT system recovery. A BCP will *include* a DRP.


How often should a BCP be tested and updated?

At a minimum, a BCP should be reviewed and updated annually, and tested at least every other year. Significant changes to the business or threat landscape require immediate updates and testing.


What is a Business Impact Analysis (BIA) and why is it important?

A BIA identifies the potential impact of disruptions on business functions. It helps prioritize recovery efforts by determining the financial, operational, and reputational consequences of downtime for each function.
