
How to improve Business Continuity and Disaster Recovery

All about information security

When it comes to business continuity and disaster recovery, the only certain thing is that preparation determines your success. But what is what? And how does everything fit together? In this blog post we aim to clarify all that and more. The better everybody understands the components, their own roles and responsibilities, and how things will be handled when something goes wrong, the closer the outcome will be to what was planned.

Important concepts

  • Business Continuity Plan: A comprehensive strategy that outlines procedures and actions to ensure critical business functions continue operating during and after a disruptive event.
  • Incident Response Plan: A documented approach detailing how an organization detects, responds to, and recovers from cybersecurity incidents to minimize impact and restore normal operations.
  • Disaster Recovery Plan: A subset of the BCP focusing specifically on restoring IT systems, data, and infrastructure after a major incident or disaster to ensure operational continuity.
  • Business Impact Analysis: An assessment process used to identify critical business functions, evaluate the potential impacts of disruptions, and prioritize resources for recovery efforts.

Each document has its own purpose, target audience, and scope, and knowing their differences is key to effective planning and compliance. The distinctions often come down to who is using the document and what the goal of the plan is. As long as these factors are clear for everyone in the discussion, your vessel should be heading in the right direction. It doesn’t really matter what you call the baby, as long as everyone is aligned and understands their responsibilities. In real life we often notice that these documents are used interchangeably or combined, depending on the size of the organization. While no law currently forbids this practice, there are clear benefits to separating them. But let’s start by defining them a little more clearly.

Comparison

Let’s start with IT’s favourite and most common one: the Disaster Recovery Plan (DRP). Most professionals in IT and cybersecurity are familiar with this document, as it is technical in nature and aimed at restoring IT systems and services to their normal state. In some cases, this may involve implementing temporary solutions until permanent fixes, like replacing failed hardware, are completed.

For example:
“A plane crashed into our server rack… Our main server and database are dead.” The DRP might say: “Bring up a new server, pull out the backups, and temporarily run on one node until the system is fully restored. Try turning it off and on again (don’t hate, participate; it works sometimes!).”

The Business Continuity Plan (BCP) has a very different focus. Its purpose is to ensure continuity of critical business operations, not only of the IT elements. A BCP focuses on keeping the business running during a disruption, covering all essential functions: staff, facilities, supply chains, and IT systems.

An Incident Response Plan (IRP) provides a how-to process that can be used during cybersecurity incidents, like a ransomware attack or another breach. The standard lifecycle here is preparation, detection and analysis, response (containment and eradication), and recovery of the affected systems, followed by a lessons-learned review. This is the lifecycle described in NIST SP 800-61, and the NIST Cybersecurity Framework (CSF) and the Belgian CyberFundamentals (CyFun) framework are broadly aligned with the same approach.

Lastly, we have the often ignored but very important Business Impact Analysis (BIA). This document is more analytical and supports a process rather than driving one. It identifies and evaluates the potential effects of a disruption on critical operations and helps prioritize recovery efforts; typically it is where recovery targets such as the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) per business function are established, and those targets are what the DRP later has to deliver. This document is often a big one, and a lot of people within the organization will be interviewed to understand exactly what keeps the big machine running.

Why

These documents provide guidelines and processes to help your company grow into a cyber-resilient company. They are often mandatory, as frameworks and regulations like ISO 9001, ISO 27001, NIS2, DORA and others make them (or the controls behind them) a requirement.

Without them, and the supporting processes, companies may fail to meet compliance requirements, lose customer trust, or struggle to recover from disruptions effectively. You might end up being the next company featured in a “What Not to Do” talk at the next big conference.

Document Relationship

There are a few things you need to consider when building your document library. While it may seem logical to combine everything in one big document, there are good arguments against this practice:

  • When the processes are activated, you may not need everything, and a big document may become counterproductive. You’re often better off with supporting documents that help you make the right decisions than with the “Lord of the Rings” of response plans that requires hours of reading.
  • Separate documents are easier to maintain. With the constant changes in the risk landscape, including compliance requirements, short documents are easy to update, approve, and circulate.
  • Auditors often prefer clear delineation between documents with separate functions. Proving compliance becomes easier this way.

Cheat Sheet

What to do next?

A tabletop exercise (TTX) can ensure that the set of plans is not just a box-ticking exercise for certifications like ISO 9001 or ISO 27001, or for NIS2 compliance. These documents are your organization’s base for survival in today’s cyber world, and testing them in a realistic scenario with the people and teams that will be involved when it really happens provides tremendous value. Keep in mind that a tabletop exercise walks the teams through a scenario on paper; it does not replace a technical restore test of your backups, which is the only way to know that the recovery times in your DRP are real.
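To make the “test the DRP, not just the document” point concrete, here is an added example (not part of the original post, and not spotit’s tooling): a minimal restore drill that covers the DRP scenario sketched earlier, a dead database server brought back from backup. It assumes a logical backup in SQL-dump form, a manifest written at backup time that records the dump’s SHA-256 and the expected row counts, and an RTO taken from the BIA. The sample dump, manifest and RTO value are constructed for the example; the scratch target is an in-memory SQLite database so that the drill never touches production.

```python
import hashlib
import sqlite3
import time

# Constructed sample: a logical backup (SQL dump) of a small orders database
# and the manifest recorded when the backup was taken. Both are made up for
# this example; a real drill would read them from the backup location.
BACKUP_SQL = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, total_cents INTEGER NOT NULL);
INSERT INTO orders VALUES (1, 'acme', 12000);
INSERT INTO orders VALUES (2, 'globex', 4550);
INSERT INTO orders VALUES (3, 'initech', 990);
"""
MANIFEST = {
    "sha256": hashlib.sha256(BACKUP_SQL.encode()).hexdigest(),
    "expected_rows": {"orders": 3},
}
RTO_SECONDS = 30  # assumed recovery time objective, as it would come out of the BIA


def verify_integrity(backup: bytes, manifest: dict) -> bool:
    """A backup is only trusted if its hash matches the one recorded at backup time.
    This catches truncated or tampered dumps before we spend time restoring them."""
    return hashlib.sha256(backup).hexdigest() == manifest["sha256"]


def restore_and_check(backup: bytes, manifest: dict) -> dict:
    """Restore into a scratch database and compare row counts with the manifest."""
    started = time.monotonic()
    conn = sqlite3.connect(":memory:")  # scratch target, never the production system
    try:
        conn.executescript(backup.decode())
        # Table names come from our own trusted manifest, not from user input.
        counts = {
            table: conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            for table in manifest["expected_rows"]
        }
    finally:
        conn.close()
    return {
        "elapsed": time.monotonic() - started,
        "rows_ok": counts == manifest["expected_rows"],
        "counts": counts,
    }


def run_restore_drill(backup: bytes, manifest: dict, rto_seconds: float) -> dict:
    """Full drill: integrity check, restore, data check, RTO comparison.
    A bad backup is reported, not raised, so the drill outcome can be recorded."""
    result = {
        "integrity_ok": verify_integrity(backup, manifest),
        "restored": False,
        "rows_ok": False,
        "within_rto": False,
        "elapsed": None,
    }
    if not result["integrity_ok"]:
        return result
    try:
        outcome = restore_and_check(backup, manifest)
    except sqlite3.Error:
        return result  # dump did not load: the restore itself failed
    result.update(
        restored=True,
        rows_ok=outcome["rows_ok"],
        elapsed=outcome["elapsed"],
        within_rto=outcome["elapsed"] <= rto_seconds,
    )
    return result


if __name__ == "__main__":
    good = run_restore_drill(BACKUP_SQL.encode(), MANIFEST, RTO_SECONDS)
    truncated = run_restore_drill(BACKUP_SQL.encode()[:-40], MANIFEST, RTO_SECONDS)
    print("intact backup:   ", good)
    print("truncated backup:", truncated)
```

The drill deliberately fails closed: a dump whose hash does not match is never loaded, a dump that loads but yields the wrong row counts is reported as not restorable, and a restore that completes but exceeds the RTO is flagged so that the gap between the BIA’s expectation and reality becomes visible before the real incident does.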

Do you need help?

spotit has teams of experienced cybersecurity consultants and legal advisors who can guide you through this process, even if you are starting from scratch.