cisa-d4-operations-resilience-business-continuity-plan

Business Continuity Plan

isaca-cisa · framework · Gold standard

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 4, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Business Continuity Plan

A Business Continuity Plan (BCP) is a documented, proactive organizational strategy that defines how critical business functions — including people, processes, assets, and supporting technology — will continue operating during and after a significant disruption. Unlike a Disaster Recovery Plan (DRP), which focuses narrowly on restoring IT systems and data, a BCP addresses the full operational continuity of the organization: customer service, regulatory reporting, supply chain, communications, and workforce availability. A BCP answers: 'How does the business keep running?' A DRP answers: 'How do we restore our systems?' A BCP activates on any event threatening business operations — not just IT failures — including pandemics, facility loss, key-person unavailability, ransomware, or supply chain collapse.

Where it stops · what it isn't

—IS a BCP: An organizational-level plan covering all critical business functions, personnel, processes, and enabling infrastructure across the enterprise
—IS a BCP: A living document requiring periodic testing (tabletop, functional, full-scale), structured update cycles, and executive governance
—IS a BCP: Inclusive of Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and Maximum Tolerable Downtime (MTD) definitions for each critical business function
—IS NOT a BCP: A Disaster Recovery Plan — the DRP is a technical IT-focused recovery plan that is a component of the BCP, not a synonym
—IS NOT a BCP: An incident response plan — incident response manages the immediate detection and containment of a security event; BCP manages sustained operational continuity
—IS NOT a BCP: A one-time document — an untested, outdated BCP becomes a liability rather than a safeguard
—IS NOT a BCP: Solely focused on natural disasters — a complete BCP addresses cyber incidents, ransomware, supply chain failure, and workforce disruptions with equal rigor