Skip to content

Page323

Relationship Between BCP and DRP

The Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the Disaster Recovery Plan. Though the focus of the BCP and DRP are distinct, with the former attending to the business as a whole, and the latter being information systems-centric, these two processes overlap. In modern organizations dependent on information systems, how could the goal of continually providing business-critical services in spite of disasters be achieved without the tactical recovery plan offered by a DRP? These two plans, which have different scopes, are intertwined. The Disaster Recovery Plan serves as a subset of the overall Business Continuity Plan, because a BCP would be doomed to fail if it did not contain a tactical method for immediately dealing with disruption of information systems. Fig. 8.18, from NIST Special Publication 800-34, provides a visual means for understanding the interrelatedness of a BCP and a DRP, as well as Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others.

FIG. 8.18 BCP and related plans [12].

The Business Continuity Plan attends to ensuring that the business is viable before, during, and after significant disruptive events. This continued viability would not be possible without being able to quickly recover critical systems, which is fundamentally what a Disaster Recovery Plan provides. An additional means of differentiating between a Business Continuity Plan and a Disaster Recovery Plan is that the BCP is more holistic in that it is not as overtly systems-focused as the DRP, but rather takes into account items such as people, vital records, and processes in addition to critical systems.

One means of distinguishing Business Continuity Plan from the Disaster Recovery Plan is realizing that the BCP is concerned with the business-critical function or service provided as opposed to the systems that might typically allow that function to be performed. While this might seem an academic distinction in the modern systems-centric organizations common today, consider the role that email plays in most organizations. While most technical persons would consider email to be business-critical, many organizations could continue to operate, albeit painfully, without email. While a DRP would certainly take into account email systems, the BCP might be less concerned with email for its own sake, and more concerned with providing service to customers via other communication. Appreciating this distinction is important to an organization, as it will ultimately help guide considerations such as Maximum Tolerable Downtime (MTD), which will, in turn, be used as an input when determining how to allocate resources and architect recovery strategies.