CISSP · Security and Risk Management · 10 min read · 14 May 2026
Business Continuity Planning: BIA, RTO, RPO, and How CISSP Tests Them
Business continuity planning (BCP) is the discipline of ensuring that critical business functions can continue during and after a disruptive event. For the CISSP exam, BCP is tested heavily in Domain 1 (as a management and governance concern) and in Domain 7 (at the operational level). This article focuses on the Domain 1 perspective: the planning process, the metrics that drive recovery objectives, and the relationship between BCP and disaster recovery planning (DRP).
The exam rewards candidates who understand the correct sequence of BCP activities and the precise meanings of the key metrics. Confusing RTO and RPO, or attempting to design recovery solutions before completing the Business Impact Analysis, are the two most common errors.
What Is Business Continuity Planning?
BCP is a proactive process that identifies potential threats to an organisation and defines how those threats could affect operations, then establishes safeguards and procedures to minimise their impact. The BCP is broader than disaster recovery — it covers the entire organisation and all critical functions, not just IT systems.
The BCP process involves four major phases: scope and planning (initiating the BCP project, defining scope, obtaining executive support), Business Impact Analysis (identifying critical processes and quantifying the impact of their disruption), recovery strategy development (designing alternatives to maintain operations), and plan documentation and testing (writing the plan, training staff, and testing its effectiveness).
The exam frequently tests which activity comes first. Once the project has been scoped and has executive sponsorship, the answer is the Business Impact Analysis: you cannot design effective recovery strategies without first understanding which functions are critical and how much disruption the organisation can tolerate.
Business Impact Analysis (BIA)
The Business Impact Analysis is the cornerstone of the BCP process. Its purpose is to identify critical business processes, quantify the impact of their disruption, determine the maximum tolerable downtime for each, and establish recovery priorities.
A BIA has three key outputs: a list of critical business functions ranked by priority, time-based recovery objectives for each function, and financial estimates of the impact of disruption.
The BIA process involves interviewing business process owners (not just IT staff), analysing dependencies between processes and systems, and estimating the financial, operational, legal, and reputational impacts of disruption at various time intervals. The BIA should be conducted by security and business continuity professionals working together — it is a business exercise, not a technical one.
For the exam: if a question asks what should be done FIRST when developing a BCP, the answer is the BIA. If a question asks who provides input to the BIA, the answer is business process owners (not IT staff, not security staff — the people who operate the critical business functions).
The Three Recovery Metrics: RTO, RPO, and MTD
Three time-based metrics drive all BCP and DRP decisions. Confusing them is a guaranteed way to lose points on the exam.
Recovery Time Objective (RTO) is the maximum acceptable time that a system or process can be offline before the disruption causes unacceptable business harm. RTO is the answer to the question: how quickly must we restore operations? An RTO of four hours means the organisation can tolerate up to four hours of downtime — any longer causes significant damage.
Recovery Point Objective (RPO) is the maximum acceptable amount of data loss measured in time. RPO is the answer to the question: how much data can we afford to lose? An RPO of one hour means the organisation can tolerate losing up to one hour's worth of data — backup and replication systems must ensure that data from the past hour is always recoverable.
Maximum Tolerable Downtime (MTD), also called Maximum Tolerable Period of Disruption (MTPD) in some frameworks, is the absolute maximum amount of time a business function can be offline before the organisation faces existential harm — permanent loss of customers, regulatory penalties causing shutdown, or financial collapse. MTD is the outer boundary within which every recovery objective for that function must fall.
The relationship between these metrics: RTO must always be less than MTD. If recovery takes longer than the MTD, the business may not survive. Some frameworks make the margin explicit by adding Work Recovery Time (WRT), the time needed after systems are restored to verify data and resume normal business processing, so that RTO + WRT must not exceed MTD. RPO drives backup frequency and replication strategy: the worst-case data loss equals the gap between recovery points, so that gap must never exceed the RPO. An RPO of zero means no data loss is acceptable, requiring synchronous (real-time) replication. An RPO of 24 hours means daily backups may suffice.
A critical exam distinction: RTO and RPO are objectives set by the business during the BIA. They are not capabilities — they define requirements that the technical recovery solutions must meet. The technical team designs solutions to meet the business-defined RTO and RPO, not the other way around.
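The objective-versus-capability distinction above is something a continuity or DR engineer can check mechanically once the BIA register exists. The following is an added example written for this article, not code from any CISSP body of knowledge or vendor tool. It treats the BIA output as a list of business-defined objectives (MTD, RTO, RPO per function), takes the measured results of the latest recovery test as the technical capability, and reports every objective the capability fails to meet, including an RPO of zero that is not backed by synchronous replication. The function names and figures are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta

# Added example for this article: BIA objectives versus measured recovery capability.
# All function names and figures below are constructed, not taken from a real BIA.


@dataclass(frozen=True)
class BiaRequirement:
    """Business-defined objectives for one critical function, as produced by the BIA."""
    function: str
    mtd: timedelta   # maximum tolerable downtime
    rto: timedelta   # recovery time objective (must be below MTD)
    rpo: timedelta   # recovery point objective (maximum data loss, expressed as time)


@dataclass(frozen=True)
class RecoveryCapability:
    """What the technical recovery solution actually delivered in its last test."""
    function: str
    measured_restore_time: timedelta   # wall-clock time to restore in the most recent test
    backup_interval: timedelta         # gap between recovery points; zero = synchronous replication


def recovery_priority(requirements):
    """Order functions for recovery: shortest MTD first, RTO as the tie-breaker."""
    return [r.function for r in sorted(requirements, key=lambda r: (r.mtd, r.rto))]


def validate(requirements, capabilities):
    """Return one finding per violated objective; an empty list means the plan is consistent."""
    findings = []
    capability_by_function = {c.function: c for c in capabilities}
    for req in requirements:
        # Recovery that consumes the whole MTD leaves no margin for verification and restart.
        if req.rto >= req.mtd:
            findings.append(f"{req.function}: RTO {req.rto} is not below MTD {req.mtd}")
        cap = capability_by_function.get(req.function)
        if cap is None:
            findings.append(f"{req.function}: no recovery capability has been defined")
            continue
        if cap.measured_restore_time > req.rto:
            findings.append(
                f"{req.function}: measured restore time {cap.measured_restore_time} exceeds RTO {req.rto}"
            )
        # Worst-case data loss equals the interval between recovery points, so it must not
        # exceed the RPO. An RPO of zero therefore demands a zero interval (synchronous replication).
        if cap.backup_interval > req.rpo:
            findings.append(
                f"{req.function}: backup interval {cap.backup_interval} exceeds RPO {req.rpo}"
            )
    return findings


H = timedelta(hours=1)

# Constructed BIA register and test results for the example.
SAMPLE_REQUIREMENTS = [
    BiaRequirement("payments", mtd=8 * H, rto=4 * H, rpo=1 * H),
    BiaRequirement("hr_portal", mtd=72 * H, rto=72 * H, rpo=24 * H),
    BiaRequirement("email", mtd=48 * H, rto=12 * H, rpo=4 * H),
    BiaRequirement("general_ledger", mtd=4 * H, rto=1 * H, rpo=timedelta(0)),
]
SAMPLE_CAPABILITIES = [
    RecoveryCapability("payments", measured_restore_time=6 * H, backup_interval=24 * H),
    RecoveryCapability("hr_portal", measured_restore_time=8 * H, backup_interval=24 * H),
    RecoveryCapability("email", measured_restore_time=3 * H, backup_interval=4 * H),
    # general_ledger has no capability recorded at all.
]

if __name__ == "__main__":
    print("Recovery order:", recovery_priority(SAMPLE_REQUIREMENTS))
    for finding in validate(SAMPLE_REQUIREMENTS, SAMPLE_CAPABILITIES):
        print("FINDING:", finding)
```

The direction of the check is the point: the capability is tested against the objective, never the reverse. If the payments restore takes six hours against a four-hour RTO, the finding is a gap in the recovery solution, not a reason to relax the RTO.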
External Dependencies and Single Points of Failure
The BIA must also identify external dependencies — third-party services, utilities, suppliers, and communication links whose failure could disrupt critical business processes.
Common external dependencies include: power utilities (addressed by UPS and generators), internet service providers (addressed by dual ISP connections), cloud service providers (addressed by multi-cloud or hybrid strategies), payment processors, and critical software vendors.
A single point of failure (SPOF) is any component whose failure alone can cause the entire system or process to fail. BCP planning must identify SPOFs and either eliminate them through redundancy or explicitly accept the risk and define contingency procedures.
For the exam: when a scenario describes a system where a single component failure causes total business process failure, the BCP vulnerability is a single point of failure. The correct remediation is redundancy (not just a better backup).
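Identifying single points of failure in a dependency map is easier when the map is written down with its redundancy made explicit: which dependencies a process needs all of, and which it only needs one of (dual ISPs, grid plus generator). The following is an added example for this article, not code from any CISSP text or tool. It models a constructed order-processing process with the dependency types listed above, then finds every component whose failure alone takes the process down, and shows that collapsing the dual-ISP group to a single provider turns that provider into a SPOF. All component names are constructed.

```python
from dataclasses import dataclass

# Added example for this article: single-point-of-failure analysis over a
# dependency model with explicit AND / OR relationships. All names are constructed.


@dataclass(frozen=True)
class Node:
    """A business process or supporting component and what it depends on."""
    needs_all: tuple = ()   # AND: every listed dependency must be available
    needs_any: tuple = ()   # OR groups: at least one member of each group must be available


def available(graph, name, failed, _path=()):
    """True if `name` is operational given the set of failed components."""
    if name in failed:
        return False
    if name in _path:
        raise ValueError(f"dependency cycle through {name}")
    node = graph[name]
    path = _path + (name,)
    if not all(available(graph, dep, failed, path) for dep in node.needs_all):
        return False
    for group in node.needs_any:
        if not any(available(graph, dep, failed, path) for dep in group):
            return False
    return True


def single_points_of_failure(graph, process):
    """Components whose failure, on its own, makes `process` unavailable."""
    if not available(graph, process, failed=frozenset()):
        raise ValueError(f"{process} is unavailable even with nothing failed")
    return sorted(
        name for name in graph
        if name != process and not available(graph, process, failed={name})
    )


# Constructed dependency map: order processing needs the web app, the database and the
# payment processor; the web app and database each tolerate loss of one ISP or one power source.
SAMPLE_GRAPH = {
    "order_processing": Node(needs_all=("web_app", "database", "payment_processor")),
    "web_app": Node(needs_any=(("isp_a", "isp_b"), ("utility_grid", "generator"))),
    "database": Node(needs_all=("storage_array",), needs_any=(("utility_grid", "generator"),)),
    "payment_processor": Node(),
    "storage_array": Node(),
    "isp_a": Node(),
    "isp_b": Node(),
    "utility_grid": Node(),
    "generator": Node(),
}

# Same map with the second ISP connection removed: the remaining ISP becomes a SPOF.
SINGLE_ISP_GRAPH = dict(
    SAMPLE_GRAPH,
    web_app=Node(needs_any=(("isp_a",), ("utility_grid", "generator"))),
)

if __name__ == "__main__":
    print("Dual ISP SPOFs:  ", single_points_of_failure(SAMPLE_GRAPH, "order_processing"))
    print("Single ISP SPOFs:", single_points_of_failure(SINGLE_ISP_GRAPH, "order_processing"))
```

The result lists the unreplicated storage array and the single payment processor alongside the web and database tiers themselves; the ISPs and power sources drop out only because the map records their redundancy. The remediation the exam expects for each item on that list is redundancy at that layer, and the model makes it simple to confirm that a proposed change actually removes the entry rather than moving it.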
The Difference Between BCP and DRP
This distinction appears on almost every CISSP exam and is worth understanding precisely.
Business Continuity Planning (BCP) is the broader discipline. It covers the entire organisation and focuses on maintaining critical business functions during a disruption — even if IT systems are unavailable. A BCP might include plans for relocating staff to alternative worksites, using manual processes when systems are down, and communicating with customers and regulators during a crisis.
Disaster Recovery Planning (DRP) is a subset of BCP. It focuses specifically on the recovery of IT systems, data, and infrastructure following a disruptive event. A DRP defines how IT systems will be restored, in what order, at what location, and to what state.
The key distinction: BCP is about the business surviving; DRP is about IT recovering. A BCP can exist without detailed DRP, but a DRP without BCP support is incomplete because IT recovery must serve business continuity objectives (which are defined in the BIA).
For the exam: if a question asks about maintaining business operations during a disaster, that is a BCP question. If a question asks about restoring IT systems or recovering data, that is a DRP question.
BCP Documentation, Training, and Testing
A BCP that exists only as a document is not a functional plan. Plans must be tested to verify that they work as designed and that staff know their roles.
Testing types progress from least to most disruptive: checklist or read-through (each team reviews its copy of the plan for completeness and accuracy), structured walkthrough (a tabletop exercise in which team members step through their roles against a scenario), simulation exercise (the team responds to a simulated event without affecting production operations), parallel test (recovery systems activated alongside production, which keeps running), and full interruption test (production systems shut down and recovery systems used for real operations).
For the CISSP exam: full interruption testing is the most thorough but carries the highest risk. Read-through is the safest. Most organisations test at the simulation or parallel level to balance thoroughness with operational risk.
The BCP must also be maintained — updated after significant changes to systems, processes, or the threat environment, and reviewed at least annually. A BCP that was valid three years ago may be completely irrelevant if the organisation has migrated to the cloud, changed business lines, or faced new regulatory requirements.
Scenario: Which Should Be Done FIRST When Developing a BCP?
This exact question appears in many forms on the exam. The options typically include: identify critical systems, develop recovery strategies, conduct a Business Impact Analysis, or obtain executive sponsorship.
The correct sequence is: obtain executive sponsorship first (to ensure the BCP has authority and resources), then conduct the BIA (to identify what needs protecting and to what level), then develop recovery strategies (informed by BIA outputs), then document and test the plan.
However, if the question presents only a subset of these options and asks what is MOST important or comes FIRST among them, and the BIA is an option, the BIA is almost always correct because it drives all subsequent decisions.
Exam Tip
BIA always comes before BCP design. If a question asks what's FIRST, it's almost always BIA. The sequence is non-negotiable in CISSP exam logic: you cannot design recovery strategies without knowing which functions are critical and what recovery objectives the business requires. Any answer that describes designing or implementing technical solutions before completing the BIA is wrong — even if the technical solution is sound.