Business Continuity Planning (BCP)

Ideas on how to minimize the effects of a disaster on your business and computer network, so plan now if you want to save money later. Take the necessary steps now to ensure that the resources, personnel, and resources you need to keep operate ring are their when a disaster hits.


If you want to get up and running after a disaster, plan now.


NIST: Special Publication 800-34, Continuity Planning Guide for Information Technology Systems:


Preplanned procedures:

  • Have a response plan to ready when an emergency happens
  • Protect your staff, equipment, and ensure safety.
  • A plan can reduce business impact.
  • Get your critical business functions up and running.
  • Include in the plan your vendors and partners.
  • Reduce confusion and communicate.
  • Ensure your business survives.
  • A plan will not only get you back-up and running faster, it will save you money.
  • Identifying regulatory and legal requirements based on the area of business you operate.

1. Develop a continuity policy statement. Assign roles, and authority to carry out key tasks.

 2. Create a Business impact analysis (BIA). Identify critical functions and systems you need for your business to survive. Identify your vulnerabilities, and threats.

3. Identify and target preventive controls. Once a threat is recognized, implement controls and countermeasures to either remove the risk or lessen it effect on your business.

 4. Have a recovery strategy. How will you bring key systems back online quickly?

 5. How can the business still function if a part of your business is incapacitated?

6. Test and train staff, on whom to call and steps to take.

The BIA or (business impact analysis) starts with interviewing, and collection key components for analysis. You need to document business functions, activities, and transactions. This will guide you in creating a hierarchy of business functions and know what will affect you financially and operationally the most – for example:

MTD: What is you maximum tolerable downtime (MTD) or maximum period time of disruption (MPTD)?


RTO: What is the Recovery Time Objective (RTO) which is the earliest time period a business process must be restored after a disaster?


WRT: The Work Recovery Time (WRT) is the remainder of the overall MTD value. RTO usually deals with getting all the systems running again, and WRT deals with restoring testing and checking all the data is processing correctly ready to go live.

RPO: The Recovery Point Objective (RPO) is the acceptable amount of data loss measured in time. This value represents the earliest point in time at which data must be recovered to go live. The smaller amount of data you loss, the better, because it will reduce cost, and resources.

The actual MTD, RTO, and RPO values are a consequent of the BIA. The better the impact analysis, the better the critical values applied to these business functions.

MTBF: Mean time between failures (MTBF) is the predicted amount of time between

inherent failures of a system during operation.


MTTR: Mean time to repair (MTTR) is a measurement of the maintainability by

representing the average time required to repair a failed component or device.


ISO/IEC 27031:2011 Guidelines for information and communications technology readiness for business continuity. This ISO/IEC standard that is a component of the overall ISO/IEC 27000 standard.


Although the NIST 800-34 document deals specifically with IT contingency plans, these steps are similar when creating enterprise-wide BCPs and BCM programs.

NIST Contingency Planning - Click to Download
Adobe Acrobat document [924.7 KB]

Lance West



  • Cyber-Security


  • Information Assurance training


  • IT Risk Analysis


  • BIA/BCP Development


  • Software Security


  • Databases
Print | Sitemap
© DigiBrains LLC