BCP vs DRP

As I started to put together my thoughts for my second post in this Disaster Recovery Planning series (read the first here: “Is My Organization Big Enough to Need a Disaster Recovery Plan?”), I found myself continuously overlapping the requirements of a BCP and DRP. So where IS the line differentiating between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

The fact is, there is a lot of overlap between the two terms; however, there are significant differences as well.

According to NIST SP 800-34, “The BCP focuses on sustaining an organization’s mission/business processes during and after a disruption.” A DRP on the other hand “is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternative site after an emergency.” Now, in NIST’s definition of a DRP, they limit the scope to only those disruptions that require relocation, addressing other information system disruptions with separate plans such as a Cyber Incident Response Plan and Information System Contingency Plan; however, most businesses roll all three of these into one DRP, so that’s how I’ll approach the DRP as well.

To summarize:

Business Continuity Plan (BCP) – Disaster planning for the business as a whole
Disaster Recovery Plan (DRP) – Disaster planning specific to information technology

Which comes first?

If you can get your organization started on a Business Continuity Plan first, do that; it will make creating the Disaster Recovery Plan exponentially simpler. The BCP establishes objectives and guidelines for the whole organization to ensure that it will continue to operate before, throughout, and after a disastrous event occurs. The BCP will define many of the things you’ll need to know in order to complete an effective DRP, for example:

  • How will personnel be contacted?
  • Who will invoke the DRP?
  • What is the tolerance for downtime? For data loss?
  • Which risks are most probable, and which would have the greatest impact?
  • Which alternative facilities are available?
  • What are the financial and legal obligations of the organization in the event of a disaster?

Additionally, since a BCP is developed by high-level executives, it signals priorities for the organization and will make proposing costs associated with developing your DRP and building the systems to support it easier as well.

Comparing BCP and DRP

Let’s take a closer look at what should be in your BCP and DRP plans. Below I’ve listed the main elements of FRSecure’s BCP and DRP plans.

Basic Elements of a Business Continuity Plan (BCP)

  • Scope, Policy, and Objectives
  • Risk Assessments
  • Business Impact Analysis Summary
  • Business Continuity Strategy
  • Emergency Operations Center (EOC) Locations/Contacts
  • Alternate Site Locations/Contacts
  • Organization Chart
  • BCP Team Descriptions and Organization Chart
  • Emergency Response Plan Summary
  • Critical Business Information
  • Plan Administration and Maintenance
  • Exercise Plans and After Action Reports

Basic Elements of a Disaster Recovery Plan (DRP)

  • Purpose, Scope, and Objectives
  • Emergency Contacts
  • Team Member Responsibilities
  • Revision and Updating Schedule
  • Invoking the Plan
  • Instructions for Using the Plan
  • Emergency Management Procedures
  • Alternate Site Locations
  • Backups and Offsite Storage
  • Equipment
  • External Communications
  • Insurance, Financial, and Legal Issues
  • Plan Testing

As you can see, there is a lot of overlap here; what may be a little harder to tell without going deeper into these documents, is that a lot of what is in the DRP relies on elements of the BCP. Here’s an example:Business Continuity vs. Disaster Recovery

Emergency Management Procedures in the DRP is a list of step-by-step procedures for each Disaster Event (tornado, black-out, ransomware, etc.) that you’ve decided to address. To build these procedures, you will first need to know the following:

  • What disasters will you address?
  • What is the potential impact of the disaster?
  • What systems will be impacted?
  • How much data loss is tolerable for impacted systems?
  • How much downtime is tolerable for impacted systems?
  • Who do you need to alert in the event of the disaster?
  • Which teams are responsible for responding to the disaster?
  • Are there any financial or legal matters that need to be considered during response and resolution?

All the questions above should be answered, at least in part, by the Business Management Procedures, Business Continuity Strategy, and Risk Assessments completed during the development of the BCP. The goal of the BCP is to outline objectives and expectations of the business executives for the sustainability of the organization. The goal of the DRP is to define and break-down these expectations into actionable procedures and information needed for response and remediation during a disaster. As such there will be overlap; where the BCP sets the expectation and high-level procedures, the DRP goes further by establishing step-by-step procedures that can easily be followed amid the chaos and stress of a disaster. Information from the BCP will be repeated in the DRP to keep the essential information in a single document distributed to the team members of the Disaster Recovery Team.

Challenges of developing a DRP without a BCP

If you are an IT Director/Manager responsible for developing a Disaster Recovery Plan without a Business Continuity Plan you have a big challenge ahead of you. In my experience, if organization executives are asking you to create a DRP without already having at least some business continuity expectations in place, they are unaware of the time and expense involved in creating a complete DRP. So, here’s what I’d recommend:

  • Get clarification from management on what they expect from the DRP
    • If you’re the one initiating the creation of a DRP, set realistic goals for yourself and break down the steps where input from executives will be required.
  • Start with what you have in place already
    • Develop complete procedures with what you already have in place for incident response and remediation
    • List the limitations of what you currently have and what you need (direction/funds) to address these
  • Present to management
    • Make management aware of what you can and cannot do without further input or funding – detail and explain the weaknesses and risks associated with existing gaps
    • Bring attention to regulatory and contractual obligations, estimate loss if possible
  • Reach out to external resources
    • If you’re having difficulty defending the need for additional information or resources, reach out to organizations such as FRSecure for assistance. We help organizations of all sizes understand the value of having a BCP/DRP in place. We can offer experience and insight as to why having these plans in place is critical, and the most efficient way to implement them for your particular organization.
  • Be persistent
    • When issues arise, point it out and remind management of the accepted risk and potential damages
    • Regularly remind management of the accepted risk and what is needed to remediate
  • Accept your limitations
    • Once you’ve made executives at your organization aware of the gaps in the organization’s disaster/continuity capabilities, if they remain complicit, accept that business continuity is ultimately their responsibility. Document your continued attempts to make them aware of the risks they’ve continued to accept, and they will be unable to make you responsible when an incident does eventually occur.

Take Aways

The ultimate goal of both a Business Continuity Plan and Disaster Recovery Plan is survival of the organization. You need to define clear processes and expectations in the event of a disaster in order to respond in a timely and effective manner. When you do an assessment beforehand you’re better able to identify all your critical assets and ensure that nothing will be forgotten under the pressure of incident response. There is a lot of work involved and ultimately this is not a task that can be completed by any one person; you’ll need to assemble a team of people to accurately assess the needs and priorities of the organization.

If you desire additional guidance or find that you are lacking the time, experience, or resources to put together your plan, reach out to our policy experts at FRSecure. We can help you with all aspects of your BCP/DRP plan development; from providing plan development guidance and planning, to explaining to C-levels why a plan is needed in the first place.


Megan Larkins on Linkedin
Megan Larkins
Security Analyst at FRSecure LLC
Megan Larkins is a member of our Information Security team who's driven to help organizations of all sizes recognize the urgent and critical nature of taking an active role in information security. Having previously served as the lone-IT person and IT Director for a mid-sized business, Megan thoroughly understands the challenges of addressing the wide range of responsibilities that frequently fall into the bucket of an Information Technology department. In her free time, Megan enjoys taking her kids on outdoor excursions exploring the beauty of Minnesota, playing video games, and studying to take the CISSP exam.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *