
Business Continuity Plan (BCP)

A business continuity plan outlines how an organization continues operations during and after a disruption, commonly evaluated in vendor security reviews.

Definition

A Business Continuity Plan (BCP) is a documented strategy that outlines how an organization will continue critical business operations during and after a significant disruption such as a natural disaster, cyberattack, or infrastructure failure. It includes disaster recovery, crisis communication, and operational resilience procedures.

Context

Business continuity questions are standard in security questionnaires, particularly for vendors providing critical business services. Buyers ask about RTO (Recovery Time Objective), RPO (Recovery Point Objective), geographic redundancy, failover procedures, backup strategies, and testing frequency. SIG (Standardized Information Gathering) questionnaires dedicate an entire domain to business continuity management. Vendors should be prepared to cite specific RTOs, RPOs, and backup frequencies in their questionnaire responses, and those figures should be ones the organization has actually measured in testing rather than aspirational targets.

Why it matters

Business continuity planning covers the strategies and procedures that keep critical operations running during and after a disruptive event, whether a natural disaster, cyberattack, or infrastructure failure. A business continuity plan sets a recovery time objective (RTO, the maximum tolerable time from disruption to restored service) and a recovery point objective (RPO, the maximum tolerable data loss, expressed as the age of the most recent recoverable copy) for each critical system, documents failover procedures, and identifies the minimum viable team needed to maintain operations. Disaster recovery is the technical subset focused specifically on restoring IT infrastructure and data.
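A point worth checking before quoting RTO and RPO figures in a questionnaire is that the RPO you can actually deliver is bounded by the largest gap between consecutive successful backups, not by the scheduled backup frequency, and the RTO you can actually deliver is the longest restore time you have observed in a DR exercise. The following is an added example, not code from this page or from VeriRFP; it evaluates both against committed targets using a constructed backup job log and constructed DR exercise records for a hypothetical "billing-db" service.

```python
from datetime import datetime, timedelta

# Constructed sample input: backup job log for a hypothetical "billing-db"
# service scheduled every 6 hours. One run failed, which is the usual way
# the real RPO silently drifts past the committed one.
BACKUP_LOG = [
    ("2024-03-01T00:00:00", "success"),
    ("2024-03-01T06:00:00", "success"),
    ("2024-03-01T12:00:00", "failed"),
    ("2024-03-01T18:00:00", "success"),
    ("2024-03-02T00:00:00", "success"),
]

# Constructed sample input: DR exercise records as (failover declared,
# service verified restored) timestamp pairs.
DR_TESTS = [
    ("2024-03-15T09:00:00", "2024-03-15T10:45:00"),
    ("2024-06-20T14:00:00", "2024-06-20T17:30:00"),
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def worst_case_rpo(log) -> timedelta:
    """Largest interval between consecutive *successful* backups.

    This is the data loss actually incurred if the disruption strikes just
    before the next good backup; failed runs widen it.
    """
    successes = sorted(_parse(ts) for ts, status in log if status == "success")
    if len(successes) < 2:
        raise ValueError("need at least two successful backups to measure RPO")
    return max(later - earlier for earlier, later in zip(successes, successes[1:]))


def achieved_rto(tests) -> timedelta:
    """Longest restore time observed across DR exercises (the defensible figure)."""
    if not tests:
        raise ValueError("no DR exercise records; RTO is untested")
    return max(_parse(end) - _parse(start) for start, end in tests)


def evaluate(target_rpo_hours: float, target_rto_hours: float, log, tests) -> dict:
    """Compare measured RPO/RTO against the committed targets."""
    rpo = worst_case_rpo(log)
    rto = achieved_rto(tests)
    return {
        "worst_case_rpo_hours": rpo.total_seconds() / 3600,
        "rpo_met": rpo <= timedelta(hours=target_rpo_hours),
        "achieved_rto_hours": rto.total_seconds() / 3600,
        "rto_met": rto <= timedelta(hours=target_rto_hours),
    }


if __name__ == "__main__":
    # Hypothetical commitments: RPO 6 h (matching the schedule), RTO 4 h.
    result = evaluate(6, 4, BACKUP_LOG, DR_TESTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed log the scheduled frequency is 6 hours but the failed noon run leaves a 12-hour gap, so a questionnaire answer of "RPO: 6 hours" would be wrong; the DR exercises support the 4-hour RTO with a worst observed restore of 3.5 hours. Feeding the same calculation real backup and exercise logs gives figures you can stand behind in an audit.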

A common gap is building continuity plans around infrastructure redundancy while ignoring process and personnel dependencies. If the only person who knows how to execute a database failover is unavailable during a regional disaster, technical redundancy is insufficient. Effective BCP programs document runbooks with step-by-step procedures, cross-train multiple team members, and maintain out-of-band communication channels that do not depend on the same infrastructure being recovered. Vendor dependencies must also be mapped and contingency plans established.

Security questionnaires routinely ask for RTO and RPO commitments, DR site locations, backup frequency, and evidence of plan testing. Annual BCP testing is the minimum expectation; mature organizations test quarterly with different failure scenarios. Buyers in regulated industries — financial services, healthcare, government — often require geographic separation between primary and DR sites and contractual uptime SLAs. Maintaining current BCP documentation with test results and lessons-learned summaries streamlines both questionnaire responses and audit evidence requests.
