Part Two: Business Continuity and Disaster Recovery Plans

In this course, we will discuss various vitally important metrics used to determine how well we have mitigated risk and how closely we have matched the requirements of our enterprise. These metrics include Annualized Loss Expectancy (ALE), Recovery Time Objective (RTO), Recovery Point Objective (RPO), Service Delivery Objectives (SDO), Maximum Tolerable Outage/Downtime (MTO/MTD), and Allowable Interruption Window (AIW).

We then move on to look at how these metrics can be applied to business continuity (BC) and disaster recovery (DR) planning and we'll also have a look at BC and DR in general, how it works, and the associated processes and techniques. Finally, we move on to testing BC/DR planning and the types of tests we can use.

If you have any feedback relating to this course, please reach out to us at

Learning Objectives

  • Learn about the metrics for measuring performance in managing risk
  • Get a solid understanding of business continuity and disaster recovery
  • Understand how to test business continuity and disaster recovery practices

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.



Now we're going to move into Section 9, in which we will discuss how to employ the metrics we have just discussed in Section 8 in the building of business continuity and disaster recovery plans. There are many terms that cover the activities we are about to discuss. Our term is business continuity, or BC. Another term is disaster recovery, or DR. One term often used by the government is continuity of operations planning, or COOP, C-O-O-P. Whichever term you use, whether business continuity or disaster recovery, what you are depicting is two complementary pieces of the spectrum of activities to preserve a business against various levels and types of adverse events.

Business continuity works throughout the spectrum from normal to abnormal and back to normal operations. Thus, the BC portion of the spectrum functions during all types and levels of operation. By contrast, the DR portion operates only after an adverse event has caused an outage. Taken together, the two are complementary: one sustains normal operations, and the other recovers quickly from adverse impacts to restore normal operations.

The BC portion of the plan therefore focuses on the business or operational element in order to keep it running during all of these differing situations and conditions. In complementary fashion, the DR portion focuses on the event and attempts to minimize the effects of the adverse event on the business and recover to normal operations.

We have already discussed the ALE calculation and what it contributes to the BC/DR composition effort. The business impact analysis, or BIA, is the process by which we derive the vast majority of these metrics and values. The primary function then of the BIA is to calculate various scenarios of impact and outage and determine what the actual business effect, whether operationally or financially, will be and to place a value on this.

By focusing on the business, the BIA helps us understand what the actual operational and monetary impact will be should any form of adverse event occur and take the business out of normal operations for some period of time. It is important to realize that a BIA is not a replacement for a risk assessment. These two assessment processes are, in fact, complementary.

Risk assessment looks at potential impacts, probabilities of occurrence, and likely values of impact, while the BIA looks at these kinds of scenarios and assesses what the value is going to be of these adverse impacts on the business itself and attempts to calculate those effects and their losses.

From these two different assessment processes, we should derive values, time frames, and criticalities of operational components. Once completed, these time frames and criticalities will help us determine the priority order in which the operational components will be recovered.

Now, as we described before, the risk analysis process will, without question, be a combination of qualitative and quantitative methods. Qualitative being the way that we construct a scenario, and quantitative being the set of calculations we do to determine financial and other types of impacts.

The BIA is similarly constructed in a combined qualitative-quantitative form. One of its most important aspects is helping us understand not only what events are likely to occur (these calculations speak of probable, not merely possible, events) but also what sorts of impacts they will cause and what effects those impacts will have on our business. It is from these that we will determine what sorts of controls and countermeasures will be employed to effectively mitigate or reduce the amount of adverse impact our business may suffer should any of these events occur.

So our primary goals are to determine and then prioritize component criticality, estimate downtimes as both RTO and MTD, and then identify resource requirements in terms of the quantities, qualities, and types of resources we will require to achieve these goals. From these, we will create the business continuity plan and its companion volume, the disaster recovery plan.
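As an added illustration, not part of the course material, the following Python model shows the BIA outputs the lecture describes: the ALE per component (SLE x ARO, from Section 8), a check that the recovery strategy's committed RTO and backup interval actually fit within the MTD and RPO the BIA set, and the recovery priority order derived from those values. The component inventory and the tie-break rule (shortest MTD first, then largest ALE) are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    sle: float                    # single loss expectancy per outage event
    aro: float                    # annualized rate of occurrence (events/year)
    rto_hours: float              # RTO the DR strategy commits to
    mtd_hours: float              # MTD determined by the BIA
    rpo_hours: float              # RPO: acceptable data-loss window
    backup_interval_hours: float  # how often data is actually captured

    @property
    def ale(self) -> float:
        # Annualized loss expectancy = SLE x ARO
        return self.sle * self.aro


def validate(c: Component) -> list[str]:
    """Return BIA consistency findings for one component."""
    findings = []
    # A strategy whose RTO exceeds the MTD cannot meet the business need.
    if c.rto_hours > c.mtd_hours:
        findings.append(f"{c.name}: RTO {c.rto_hours}h exceeds MTD {c.mtd_hours}h")
    # Backups taken less often than the RPO guarantee more data loss than allowed.
    if c.backup_interval_hours > c.rpo_hours:
        findings.append(f"{c.name}: backup interval {c.backup_interval_hours}h exceeds RPO {c.rpo_hours}h")
    return findings


def all_findings(components: list[Component]) -> list[str]:
    return [f for c in components for f in validate(c)]


def recovery_order(components: list[Component]) -> list[str]:
    """Rank by criticality: shortest MTD first, then highest ALE (assumed rule)."""
    ranked = sorted(components, key=lambda c: (c.mtd_hours, -c.ale))
    return [c.name for c in ranked]


# Constructed sample inventory (not real data).
INVENTORY = [
    Component("order-processing", 50_000, 2.0, rto_hours=4, mtd_hours=8, rpo_hours=1, backup_interval_hours=1),
    Component("payroll", 20_000, 0.5, rto_hours=48, mtd_hours=72, rpo_hours=24, backup_interval_hours=24),
    Component("customer-portal", 30_000, 4.0, rto_hours=12, mtd_hours=8, rpo_hours=2, backup_interval_hours=6),
]

if __name__ == "__main__":
    print(recovery_order(INVENTORY))
    print("\n".join(all_findings(INVENTORY)))
```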

As you see in the graphic, the business continuity plan is organized as a good project. We initiate and manage it as such, performing risk analyses and business impact analyses as necessary, developing a continuity strategy, and producing a final plan. The strategy and the BCP documentation produced in this project phase will then be used as primary inputs to the development of the recovery strategy.

Once again, we organize it as a good project. Our deliverables, in this case, will be a disaster recovery plan, training requirements and methods, training and documentation requirements, and a testing strategy to ensure that the plan is routinely tested and updated whenever needed.

As we have said before, the BCP is considered to be protective in that it is more proactive than reactive, bearing in mind that the BCP portion functions throughout all normal and non-normal operations, focusing on the business to keep it running. In like manner, the DRP portion is considered to be responsive, that is, more focused on reaction than on proactive measures.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.