crisc-d4-it-security-business-continuity-management

Business Continuity Management

isaca-crisc · framework · Gold standard

Drawn fromCRISC Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Business Continuity Management

Business Continuity Management (BCM) is an organization-wide discipline that ensures critical business functions can continue—or rapidly resume—during and after any significant disruption. BCM spans the full lifecycle: risk-informed strategy, Business Impact Analysis (BIA), continuity planning, control implementation, testing and exercises, and ongoing maintenance. IT Disaster Recovery (DR) is a technical subset of BCM focused on restoring technology systems; BCM is the strategic umbrella governing DR alongside all operational, financial, communications, and supply-chain continuity requirements. Within the CRISC framework, BCM resides in the Information Technology and Security domain and requires the risk practitioner to anchor IT risk decisions to business-process criticality, not technical parameters alone.

Where it stops · what it isn't

—BCM IS: A governance framework covering strategy, planning, and assurance for all critical business functions across the entire organization.
—BCM IS: The business-centric discipline that defines what must survive a disruption (processes, people, facilities, suppliers) and at what recovery thresholds (RTO/RPO by process criticality tier).
—BCM IS NOT: IT Disaster Recovery — DR is a technical execution plan for restoring systems and is one input to BCM, not synonymous with it.
—BCM IS NOT: Crisis communications or public-relations management, though those activities are coordinated under a mature BCM program.
—BCM IS NOT: A one-time project — it is an ongoing program requiring regular testing, review, and update cycles aligned to organizational change.
—BCM IS NOT: Equivalent to insurance or risk transfer — BCM is an operational capability, not a financial mitigation instrument.
—BCM does NOT replace incident response or security operations procedures; it integrates with them and activates when incidents escalate to continuity-threatening events.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

ENABLES

Disaster Recovery ManagementRegulatory Compliance (NIST CSF 2.0, ISO 22301, SEC Climate Disclosure)

REQUIRES

Business Impact Analysis (BIA)IT Risk Assessment

PART OF

Enterprise Risk Management (ERM)

RELATED TO

Cybersecurity Incident ResponseThird-Party / Vendor Risk Management

CONSTRAINS

RTO and RPO target-setting

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.