Business continuity and disaster recovery (BCP and DR)
When a system goes down, the question is not whether but how fast you get back to work. Here is what a business continuity plan and a disaster recovery plan are, and how to build them.
Written by Raptoric Security Program & Risk
Sooner or later a system goes down: through an attack, a fault, a fire, or human error. The question is not whether it happens, but how fast the company gets back to work and how much data it loses in the process. Two related plans answer that. A business continuity plan (BCP) keeps the company running through a disruption, and a disaster recovery plan (DR) focuses on restoring IT systems and data. This post explains the difference, the key terms, and how to build them.
A business continuity plan looks at the whole company: how to keep working even when key systems are unavailable, including people, processes, and alternative ways of operating. A disaster recovery plan is narrower and technical: how to restore IT systems and data after an outage. DR is part of a BCP, not a replacement for it. A company needs both.
Key terms: RTO and RPO
Two terms set how ambitious a plan is and how much it costs.
| Term | What it measures | Question it answers |
|------|------------------|---------------------|
| RTO | Time to get back to work. | How long can the system stay unavailable? |
| RPO | The amount of data you can afford to lose. | How far back in time must we be able to recover? |

RTO and RPO explained.
The shorter the RTO and RPO, the more expensive the solution. That is why they are set by system importance: critical systems demand fast recovery, while less important ones can wait longer. These targets come out of a risk assessment and a business impact analysis.
How to build the plan
A good plan is concrete, assigned, and rehearsed.
1. Identify critical processes. Determine which processes and systems are essential for the company to operate.
2. Set RTO and RPO. For each critical system, decide how fast and to what point it must recover.
3. Define the procedures. Describe who does what, how systems are restored, and how people communicate.
4. Secure the backups. Keep backups and store them separately, out of reach of the same attack.
5. Test the plan. Regularly verify that systems and backups actually restore.
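The steps above can be turned into a repeatable check. The following script is an added example, not part of the original post or any Raptoric tooling: it takes a constructed backup inventory per critical system and reports whether the current posture can meet each RTO and RPO target, whether a restore has actually been timed and verified recently, and whether an isolated copy exists. All system names, targets and timestamps are made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class SystemPosture:
    name: str
    rto: timedelta                         # target: longest tolerable outage
    rpo: timedelta                         # target: most data you can afford to lose
    backup_interval: timedelta             # how often a backup completes
    last_backup: datetime                  # newest completed backup
    last_restore_test: Optional[datetime]  # last successful test restore, None if never
    measured_restore: Optional[timedelta]  # how long that test restore took
    isolated_copy: bool                    # a copy unreachable from the production network

def check_posture(s: SystemPosture, now: datetime,
                  test_max_age: timedelta = timedelta(days=90)) -> list:
    """Return a list of findings; an empty list means the targets are currently met."""
    findings = []
    # RPO: worst-case loss is a full backup interval, or more if the newest backup is stale.
    worst_loss = max(s.backup_interval, now - s.last_backup)
    if worst_loss > s.rpo:
        findings.append(f"RPO at risk: worst-case loss {worst_loss} exceeds target {s.rpo}")
    # RTO: only a timed restore proves it; an untested target is an assumption.
    if s.measured_restore is None:
        findings.append("RTO unproven: no timed restore test on record")
    elif s.measured_restore > s.rto:
        findings.append(f"RTO missed: last restore took {s.measured_restore}, target {s.rto}")
    if s.last_restore_test is None or now - s.last_restore_test > test_max_age:
        findings.append("restore test overdue: backups have not been verified recently")
    if not s.isolated_copy:
        findings.append("no isolated copy: the same attack can reach the backups")
    return findings

# Constructed sample inventory (not real systems), evaluated at a fixed point in time.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SYSTEMS = [
    SystemPosture("erp", rto=timedelta(hours=4), rpo=timedelta(hours=1),
                  backup_interval=timedelta(minutes=15), last_backup=NOW - timedelta(minutes=30),
                  last_restore_test=NOW - timedelta(days=20), measured_restore=timedelta(hours=3),
                  isolated_copy=True),
    SystemPosture("fileshare", rto=timedelta(hours=24), rpo=timedelta(hours=4),
                  backup_interval=timedelta(hours=4), last_backup=NOW - timedelta(days=2),
                  last_restore_test=None, measured_restore=None, isolated_copy=False),
]

def run_report(systems=SYSTEMS, now=NOW) -> dict:
    """Map each system name to its findings."""
    return {s.name: check_posture(s, now) for s in systems}

if __name__ == "__main__":
    for name, findings in run_report().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The "erp" entry passes every check, while "fileshare" shows the failure modes the post warns about: a stalled backup that blows the RPO, an RTO nobody has measured, and a copy the same attacker could reach.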
The link to compliance
Business continuity is not just good practice. NIS2 requires continuity management as part of its measures, and DORA sets strict resilience and recovery requirements for the financial sector. A good plan therefore covers both the obligation and real security.
A business continuity plan (BCP) looks at the whole company and how to keep working through a disruption. A disaster recovery plan (DR) is narrower and technical, focused on restoring IT systems and data. DR is part of a BCP, and a company needs both.
What do RTO and RPO mean?
RTO is the time to get back to work, that is, how long the system can stay unavailable. RPO is the amount of data you can afford to lose, that is, how far back in time you must be able to recover. The shorter they are, the more expensive the solution.
Are backups enough on their own?
On their own, no. Backups nobody has tried to restore are false security, and if they are reachable from the same network, ransomware can encrypt them along with everything else. Backups must be separated and verified regularly.
Do regulations require a continuity plan?
Yes. NIS2 requires business continuity management as part of its measures, and DORA sets strict resilience and recovery requirements for the financial sector. The plan covers both the obligation and real security.