CISSP Domain 1 – Business Continuity vs Disaster Recovery

---

When most people hear “disaster recovery,” they immediately think about restoring servers and backups.

CISSP thinks differently.

In Domain 1 – Security & Risk Management, Business Continuity (BCP) and Disaster Recovery (DR) are not technical exercises. They are business survival decisions.

To understand this properly, let’s walk through a real-world healthcare scenario.

The Scenario: A Hospital at 2:30 AM

It’s 2:30 in the morning.

A hospital is hit by ransomware.

• Electronic Medical Records (EMR) are inaccessible
• Radiology systems are down
• Pharmacy systems are locked
• Billing systems are offline

Doctors cannot see patient history. Nurses cannot verify allergies. Critical care decisions are delayed.

At that moment, leadership is not asking:

• “Which backup software did we use?”
• “How do we rebuild the server?”

They are asking:

• Can we continue treating patients safely?
• How long can we operate like this?
• What must be restored first?

That is where the difference between Business Continuity and Disaster Recovery becomes clear.

What Is Business Continuity (BCP)?

Business Continuity focuses on keeping the organisation operational during disruption.

In a hospital, BCP may include:

• Switching to paper-based patient records
• Activating emergency medical workflows
• Redirecting non-critical patients
• Communicating with emergency services and regulators

The goal of BCP is not technology recovery.

The goal is:

• Protect human life
• Maintain essential services
• Preserve operational stability

In CISSP terms:

BCP is about business survival.

It is business-driven and owned by management.

What Is Disaster Recovery (DR)?

Disaster Recovery focuses on restoring IT systems and data after disruption.

In the hospital scenario, DR includes:

• Restoring clean backups
• Rebuilding compromised servers
• Validating data integrity
• Bringing systems back online securely

DR is technical. It is necessary. But it supports continuity — it does not replace it.

In CISSP thinking:

DR enables BCP. It does not define it.

Why CISSP Places BCP and DR in Domain 1

In the CISSP exam, BCP and DR begin as risk management decisions.

Leadership must decide:

• What level of downtime is acceptable?
• What level of data loss is tolerable?
• Which services are most critical?

These are not IT decisions. They are governance and risk ownership decisions.

That is why BCP and DR appear first in Security & Risk Management.

RTO and RPO in a Healthcare Context

Two critical terms connect business impact to technical recovery:

Recovery Time Objective (RTO)

How long can a system be unavailable?

In healthcare, RTO for patient records may be minutes — not hours.

Recovery Point Objective (RPO)

How much data loss is acceptable?

In healthcare, losing even a few hours of patient data may be unacceptable.

CISSP principle:

The business defines RTO and RPO.
IT designs recovery solutions to meet them.

When IT defines acceptable downtime without business input, that is guesswork — not strategy.

Governance and Ownership

In the hospital crisis:

• IT restores systems
• Security contains the attack
• Legal manages reporting

But executive leadership decides:

• Whether to declare a disaster
• Whether to activate BCP
• What risk is acceptable
• How to prioritise recovery

In CISSP:

Risk ownership always belongs to management.

How This Appears in the CISSP Exam

CISSP will not ask:

“How do you configure hospital backups?”

Instead, it will ask:

• What should management define first?
• Who determines acceptable downtime?
• What drives recovery priority?

Correct thinking order:

1. Define business impact
2. Determine acceptable disruption
3. Establish recovery objectives
4. Implement technical recovery plans

If you jump straight to technical restoration, you are thinking like an engineer — not like CISSP.

The Core Takeaway

Business Continuity and Disaster Recovery are related, but they are not the same.

• BCP protects people and operations during disruption.
• DR restores technology after disruption.
• Business survival always comes before system recovery.

That is the Domain 1 mindset.

🎧 Listen to the Podcast

This blog is part of the CISSP Blog & Podcast Series on PK’s Chronicles.

The companion podcast episode explains this healthcare scenario in a structured 10-minute format, focusing on the governance and risk decisions behind continuity planning.

Search for:
“PK’s Chronicles” on Spotify