A Business Continuity Plan (BCP) is a documented, strategic plan that details the procedures an organisation will follow to maintain or quickly resume critical business functions during and after a disruption. Its primary goal is to ensure the continuity of operations, protecting the organisation’s information, assets, and reputation from the effects of a disaster or security incident.
BCP vs. Disaster Recovery Plan (DRP)
While the two are often confused, a BCP is broader than a Disaster Recovery Plan (DRP).
- BCP focuses on keeping the entire business running in some capacity during a crisis. It covers all aspects, including people, processes, physical facilities, and communication. Think of it as a proactive strategy to avoid total business interruption.
- DRP is a more specific subset of the BCP. It focuses on the technical recovery of an organisation’s IT systems and infrastructure after a disaster has occurred.
In short, a BCP asks, “How can we keep the business running?”, while a DRP asks, “How do we recover our IT systems?”
ISO 27001 Context
ISO 27001 requires organisations to have robust business continuity processes as part of their Information Security Management System (ISMS). This is covered in ISO 27001 Annex A 5.29 (Information Security During Disruption) and Annex A 5.30 (ICT Readiness for Business Continuity), which focus on ensuring information security continuity and ICT readiness during a disruption. The standard emphasises that the BCP should be regularly tested, reviewed, and evaluated to ensure it remains effective.