Business Continuity Plan (Part 1 of 2)
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series introduces the business continuity plan (BCP): its purpose, its ownership, and the foundational concepts that IS auditors must understand. At an overview level, the session covers how organizations structure their continuity efforts, the types of disruption they must prepare for, and how incidents are classified as a situation evolves.
What this episode covers
- Purpose and ownership of the BCP — why senior management is responsible and what the plan must deliver, including its companion disaster recovery and restoration plans.
- Technology continuity alignment — how technology continuity fits inside the broader corporate plan and why application criticality flows from business value.
- Reducing the chance of disruption — site selection principles, resilient network design, and how countermeasures such as redundant facilities and data replication feed the plan.
- Impact analysis and continuity strategy — how the impact analysis quantifies disruption costs and guides investment in technology and facilities.
- Types of disasters to plan for — natural, service-related, people-caused, and creeping disasters, with special attention to pandemics, reputation damage, and black swan events.
- The planning life cycle — the three-stage sequence from impact analysis through strategy development to execution.
- Continuity policy and incident classification — what a strong policy must contain and how incidents are sorted into negligible, minor, major, and crisis levels.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
Who owns the business continuity plan and what is its purpose?
Senior management owns the business continuity plan because the survival of the organization is ultimately their responsibility. The plan must deliver a reduced but workable level of operation after a disruption and must cover every function needed to keep the organization viable. It also includes two companion plans: a disaster recovery plan to recover from a facility that has become unusable, and a restoration plan to return operations to normal once the disruption is over.
What are the three stages of the continuity planning life cycle?
The three connected stages are the business impact analysis, continuity strategy development, and strategy execution, where the chosen countermeasures are put in place. Each stage feeds the next in a continuous loop. The impact analysis quantifies what a disruption costs and establishes the maximum tolerable downtime and the amount of data loss the business can accept (the basis for recovery time and recovery point objectives), which then guides which technology and facilities to invest in.
What types of disasters must a business continuity plan address?
Disasters make critical resources unusable and can come from nature such as earthquakes, floods, and fire; from lost services such as power or telecommunications; or from people through terrorist attacks, hacking, and human error. Plans must also account for creeping disasters, where a slowly degrading system draws only minor complaints until it halts entirely, and the help desk often serves as an early warning system for these.
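The help-desk early-warning idea above is easy to operationalize, so here is an added example that is not part of the episode or RooCloud's material: a short Python script that buckets constructed sample help-desk tickets by week, per affected system, and flags any system whose complaint volume has risen every week over a recent window. The ticket rows, the system names, and the `window` and `min_total` thresholds are all assumptions chosen for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample help-desk tickets: (date opened, affected system, summary).
# Illustrative rows only, not data from any real ticketing system.
TICKETS = [
    (date(2024, 3, 4), "file-server", "Shared drive slow to open files"),
    (date(2024, 3, 6), "email", "Mail delivery delayed by an hour"),
    (date(2024, 3, 12), "file-server", "Timeout saving to shared drive"),
    (date(2024, 3, 13), "file-server", "Shared drive intermittently unavailable"),
    (date(2024, 3, 14), "vpn", "VPN client update prompt"),
    (date(2024, 3, 19), "file-server", "Cannot map shared drive this morning"),
    (date(2024, 3, 20), "file-server", "Shared drive dropped twice today"),
    (date(2024, 3, 21), "file-server", "Files corrupted after save"),
    (date(2024, 3, 26), "file-server", "Shared drive down again"),
    (date(2024, 3, 27), "file-server", "Shared drive unusable all afternoon"),
    (date(2024, 3, 27), "file-server", "Backup job on file server failed"),
    (date(2024, 3, 28), "file-server", "Shared drive offline"),
    (date(2024, 3, 28), "email", "Spam filter too aggressive"),
]


def week_start(d):
    """Monday of the week containing d, used as the bucket key."""
    return d - timedelta(days=d.weekday())


def weekly_counts(tickets):
    """Return {system: {week_start: ticket_count}} over every week in the
    data range, zero-filling weeks with no tickets so trends are comparable."""
    if not tickets:
        return {}
    first = week_start(min(t[0] for t in tickets))
    last = week_start(max(t[0] for t in tickets))
    weeks = []
    w = first
    while w <= last:
        weeks.append(w)
        w += timedelta(days=7)
    raw = Counter((system, week_start(d)) for d, system, _ in tickets)
    systems = {system for _, system, _ in tickets}
    return {system: {w: raw[(system, w)] for w in weeks} for system in sorted(systems)}


def creeping_candidates(tickets, window=4, min_total=6):
    """Flag systems whose weekly complaint count rose every week across the
    most recent `window` weeks: the 'minor complaints until it halts' pattern.
    Systems with fewer than `min_total` tickets in the window are ignored as noise.
    Returns a list of (system, recent weekly counts)."""
    flagged = []
    for system, per_week in weekly_counts(tickets).items():
        recent = [per_week[w] for w in sorted(per_week)[-window:]]
        rising = len(recent) == window and all(a < b for a, b in zip(recent, recent[1:]))
        if rising and sum(recent) >= min_total:
            flagged.append((system, recent))
    return flagged


if __name__ == "__main__":
    for system, trend in creeping_candidates(TICKETS):
        print(f"creeping-disaster candidate: {system}, weekly tickets {trend}")
```

Run against the constructed tickets, only `file-server` is flagged (weekly counts 1, 2, 3, 4); `email` and `vpn` produce sporadic tickets with no rising trend. A real deployment would feed this from the ticketing system's export and raise an incident for review rather than print, which is exactly the hand-off from help desk to the incident classification process the plan defines.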
How are incidents classified as they unfold during a continuity event?
Incidents are classified by the damage they could cause into four levels: negligible, minor, major, and crisis. Classification can change as events evolve; a major incident may shrink to minor or grow into a crisis. A cautious approach assigns any real incident a provisional middle severity and has the response team reevaluate it at regular intervals, while the security officer is notified as soon as a triggering event occurs.
What special planning considerations apply to pandemics and black swan events?
A pandemic spreads disease rapidly across wide areas, and its scale and duration are far harder to predict than a normal disaster, so organizations should evaluate readiness separately from their standard continuity planning. Black swan events are rare surprises with major effect that cannot truly be planned for, but critical operations should still consider contingencies such as barring senior executives from traveling together.
📚 Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in Business Continuity Plan (Part 1 of 2).