CISSP: Domain 7 - Security Operations - Module 4
Participating in Business Continuity Planning

This course is the final module of Domain 7 of the CISSP, covering Security Operations.

Learning Objectives

The objectives of this course are to provide you with the ability to:

  • Participate in business continuity planning
  • Implement and manage physical security
  • Participate in personnel safety

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back to the Cloud Academy presentation of the CISSP examination preparation review seminar. We're going to finish up Domain 7 - Security Operations, beginning at section 14 on slide 134. Participation in the business continuity planning. In this section we're going to examine the business continuity planning process and we're going to talk about participation in the various exercises.

Now business continuity and disaster recovery do differ rather dramatically. Business continuity focuses on the business. How can we keep the business running, not just under normal circumstances but in the face of potential hazardous, dangerous or all-encompassing outage causing events? Disaster recovery focuses on the event itself and tries its best to put the business back on its feet so that it can get back to normal operations. Now in business continuity planning, all of these were originally designed to build the program needed to be repeated on a regular basis to ensure that the plan stays current so that we can keep the business resilient and resistant to outages in the first place.

We're going to manage this like any good project and in doing so, we're going to use a tool like this. The project status report shows the various areas and what elements they're going to deal with in the plan's efforts. So we see in this grid we have data center operations, help desk, facilities, finance, operations, and process support. And then we have the various functions that they're going to have to perform in those particular areas. Like any project progress report, the gray areas show areas that need yet to be addressed and the green areas show that these areas are finished and finalized and have been committed to the final plan. And at a glance, we can tell our progress and areas that need our attention.

The organizational contingency planning program provides for the continuity of the business's critical organizational functions in the event of an interruption, which means we're putting together plans that are going to, by their very nature, be alternatives to normal processes. Whatever the outage is, we no longer are able to work as we would under normal circumstances doing the things we would normally do. That much should seem obvious, but we're going to have to plan for how we're going to do these things and there's usually alternative ways for doing almost anything. But we can't take anything for granted in this process and we must lay this out in advance of the adverse events occurring because at the time that the event occurs it's far too late.

Part of that process will be, we have to decide on the roles and who will be filling them. This contingency planning group develops, implements and maintains an enterprise contingency planning program for the company, the product of which is the plan itself. In this, we will have to define roles and tasks and areas of responsibility for managers. There will have to be various coordinator type functions and each department will have to have its piece of the total plan that is integrated with the pieces spread out to all the other departments in the location.

Now, in the process of laying out the building of the plan, it needs to be led by someone with experience, a business continuity planner, who must also have adequate information, knowledge, experience with the organization, the actual business that it's in and how things typically run. This person will act as a focal point for the company and any situation that involves the planning or the emergency response. In their role, they will be the primary point of contact. Under all circumstances, they will act as a resource even though they're acting as the leader of the plan preparation project. We need to have a secure appointment to that role so that that person knows what they're doing, they know that they're in that role with a clear assignment to those duties. There will have to be training and for this person there will have to be a back-up, an alternate, who will be following them, shadowing them throughout this entire process. They will have to assist in the design and maintenance of the alternate sites, which is information they will need that will have to be included in the plan itself. And they will be responsible for maintaining currency of all the documentation associated with this project. It should be noted that this is not the person who will lead the response effort in the face of an actual outage. That needs to be a member of management assigned that responsibility as early as possible in the process of preparing this plan.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.