Business Continuity Plan (BCP)
Domain 4 — Information Systems Operations and Business Resilience
Definition
A Business Continuity Plan (BCP) is a documented set of procedures and information that enables an organisation to continue critical operations during and after a disruptive event. It covers recovery objectives (recovery time objective, RTO, and recovery point objective, RPO), alternate processing sites, communication plans, and resource requirements. IS auditors review BCPs for completeness, test results, and alignment with business impact analysis findings.
Real-World Audit Scenario
I audited a logistics company whose BCP was a 200-page binder that had not been reviewed in three years. The contact list still had employees who had left the company, the alternate site was now a coffee shop, and the RTO of 4 hours was impossible because nobody had ever tested it. When I asked for the last test report, the BCP coordinator said "we did a tabletop exercise two years ago" but could not produce any documentation. We rated it as a critical finding.
Common Exam Trap
An untested BCP is not a BCP — it is a collection of assumptions. The exam tests whether you know that testing is more important than documentation. A BCP that has been successfully tested and updated is far more valuable than a beautifully written one that has never been exercised.