
BCP/DRP Quick Notes

In case you haven't studied the BCP/DRP section of your studies yet, here is some information that I sent to the folks on the newsletter:

The topic of proper business continuity and disaster recovery planning is highly testable. Expect to be tested on the following:

  • BCP process and steps (Not specifics, just the general flow)

  • Components of the Business Impact Analysis (ARO, MTTR, MTBF, SLE)

  • The idea that all stakeholders of a BCP should be involved in the planning

  • Business continuation strategies

  • The importance of documentation

Here are some important concepts to remember:

  • The process of recovering an organization's critical business functions after a disaster is known as BCP

  • Dealing with a more immediate or specific emergency is known as DRP.

  • Difference between BCP and DRP

      • BCP is more high-level than DRP. DRP falls under the umbrella of BCP.

      • "What if our main data center was destroyed by an earthquake, what do we do?" - That's BCP.

      • "What if our firewall failed at our main data center, what do we do?" - That's DRP.

  • The start of any organization's DRP/BCP program must have the approval of the senior management team

  • Management's approval is also a show of their support

  • BCP/DRP is all about documentation, documentation, documentation

  • According to the CISSP, the first thing to look for in a disaster is the proper documentation that contains procedures and guidelines on how to deal with a disaster

Here are some types of disasters:

  • Man-made

      • Negligence

      • Warfare

      • Fires

      • Terrorism

      • Insider threat

      • Cyber attack

  • Natural

      • Flood

      • Earthquake

      • Tornado

      • Tsunami

The basic steps of a sound BCP are:

  • Phase 1: Scope and Initiation

  • Phase 2: Business Impact Analysis

  • Phase 3: Recovery Strategies and Continuity Development

  • Phase 4: Implementation and Testing

  • Phase 5: Maintenance

List the steps of the BIA

The graphic below is from Shon Harris AIO 7th Edition, page 134; this was the source of my videos, as well as the Sybex. You can see the list of the BIA as explained by Shon, as well as some of the other phases.

RTO vs RPO vs MTTF vs MTTR

RTO is the maximum amount of time available to bring critical business functions back to normal operating status before the business is crushed.

RPO is the measure of how far back in time a business can go and still salvage enough data to fully operate. For example, can a business lose all the data it has accumulated in the last 10 minutes and still operate as a business? Probably. But can it lose all the data it has accumulated in a 12-hour period and still function? This depends on the type of business. A company that deals with the stock market and money probably has a really short RPO, compared to a school with a database of past test scores, which could have a longer RPO.

MTTF, as we stated, is the same thing as MTBF. It is the measure of how long something is supposed to operate before failure.

MTTR is the amount of time required to bring a critical business function back to operation. The mean time to recovery for your 2nd monitor in a dual monitor setup can probably be 72 hours to a week before you start finding it necessary to have a 2nd monitor again. The mean time to recovery for your mouse is probably a lot shorter, maybe minutes to hours?
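As an added example (not from the original notes or the books they cite), this Python script checks backup and outage records against an RPO and an RTO, and derives MTTR and MTBF from the same outage log. All timestamps, the 1-hour RPO, the 4-hour RTO and the function names are constructed sample values and assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample data (assumptions, not from the original page).
RPO = timedelta(hours=1)   # assumed tolerable data-loss window
RTO = timedelta(hours=4)   # assumed tolerable downtime
# Completion times of successful backups for one system.
BACKUPS = [datetime(2024, 3, 1, h) for h in (0, 1, 2, 5, 6)]
# (failure start, service restored) pairs from an outage log.
OUTAGES = [
    (datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 11, 0)),
    (datetime(2024, 2, 5, 14, 0), datetime(2024, 2, 5, 19, 0)),
    (datetime(2024, 3, 1, 4, 30), datetime(2024, 3, 1, 7, 30)),
]
OBSERVED_FROM, OBSERVED_TO = datetime(2024, 1, 1), datetime(2024, 4, 1)

def data_loss_at(failure, backups):
    """Data lost when restoring from the newest backup taken before `failure`.
    Returns None when no backup exists yet (loss is unbounded)."""
    usable = [b for b in backups if b <= failure]
    return failure - max(usable) if usable else None

def rpo_gaps(backups, rpo):
    """Intervals between consecutive backups that are longer than the RPO."""
    ordered = sorted(backups)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > rpo]

def rto_breaches(outages, rto):
    """Outages whose recovery took longer than the RTO."""
    return [(start, end) for start, end in outages if end - start > rto]

def mttr(outages):
    """Mean time to recovery across the recorded outages."""
    return timedelta(seconds=mean((e - s).total_seconds() for s, e in outages))

def mtbf(outages, observed_from, observed_to):
    """Mean operating time between failures: total uptime / failure count."""
    downtime = sum((e - s for s, e in outages), timedelta())
    return (observed_to - observed_from - downtime) / len(outages)

if __name__ == "__main__":
    print("Backup gaps over RPO:", rpo_gaps(BACKUPS, RPO))
    print("Loss at last failure:", data_loss_at(OUTAGES[-1][0], BACKUPS))
    print("Outages over RTO:", rto_breaches(OUTAGES, RTO))
    print("MTTR:", mttr(OUTAGES), "MTBF:", mtbf(OUTAGES, OBSERVED_FROM, OBSERVED_TO))
```

In this sample the mean recovery time is under the RTO even though one outage exceeded it, so each outage is checked individually rather than relying on the average.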


Due Care vs Due Diligence Example

Differentiating these two is a tough one; it's like comparing when you are angry vs when you are frustrated. The best way to understand it is to keep reading examples of it until it sinks in.

Due Care: Updating, patching, and securing a firewall

Due Diligence: Keeping firewall support license warranty up-to-date, reviewing the SLA annually, checking the news for CVEs against the firewall technology.

Due Care: Doing the immediate right thing, like updating your Windows machine when updates come in

Due Diligence: Maybe look into other types of solutions where there aren't so many vulnerabilities. For example, if you have a Windows web server, but Windows is experiencing a lot of vulnerabilities that are affecting your business, research the possibility of moving to a Linux machine.

Due Care: Taking the CISSP exam

Due Diligence: Studying everything you can about the exam before taking it

Due Care: An action

Due Diligence: A process or framework

You'll also have to know stuff like hot site, cold site, warm site, and the differences between them, along with when each site should be utilized.
