What is Business Continuity?
Definition
Business continuity planning (BCP) involves developing strategies and procedures to ensure that essential business functions can continue during and after a disaster or significant disruption. It addresses people, processes, technology, and facilities holistically.
In Depth
Business continuity is distinct from disaster recovery in that it focuses on maintaining overall business operations rather than just IT systems. A comprehensive BCP identifies critical business processes, determines maximum tolerable downtime for each, and establishes alternative operating procedures when primary systems or locations are unavailable. This includes succession planning for key personnel, alternate work arrangements, communication plans for stakeholders, and supply chain contingencies. Under SOC 2, business continuity supports the Availability criterion. ISO 27001 addresses it through Annex A controls related to information security aspects of business continuity management. Organizations are expected to conduct a Business Impact Analysis (BIA) to prioritize recovery efforts and to test their BCP at least annually through structured exercises ranging from tabletop walkthroughs to full-scale simulations that validate assumptions about recovery capabilities.
Related Terms
Disaster Recovery
Disaster recovery (DR) encompasses the policies, tools, and procedures for recovering IT infrastructure, systems, and data after a catastrophic event. It defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems.
Incident Response
Incident response is a structured approach to detecting, containing, eradicating, and recovering from security incidents. A well-defined incident response plan outlines roles, communication procedures, escalation paths, and post-incident review processes.
Risk Assessment
Risk assessment is the systematic process of identifying, analyzing, and evaluating information security risks to an organization. It involves determining the likelihood and impact of threats exploiting vulnerabilities, then prioritizing risks for treatment through mitigation, transfer, avoidance, or acceptance.