Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

This post is the justification of the Business Continuity Practice Question. The recommended answer is A, “Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.”

This question is designed based on the Topic 1.7 Identity, analyze, and prioritize Business Continuity (BC) requirements in Domain 1 of the CISSP exam outline.

Enterprises are doing business to deliver value, or business is all about delivering value. Common factors affecting value delivery are people, process, technology, and so forth. A process delivering value is commonly called business process. The basic idea behind the concept of business continuity is to recover critical business processes subject to the limited enterprise resources available in case of a disruptive incident or disaster.

Based on the statements above, we can conclude some key points as follows:

1. Information technology (IT) is “one” of the most critical factors of business continuity.
2. The scope of business continuity planning includes critical business processes and the underlying information systems.
3. Business people identify or determine critical business processes first, then the underlying information systems by IT people. The criticality of a business process is evaluated by the maximum tolerable downtime (MTD); a process with 2-hour MTD is apparently much more critical than the one with 2-day MTD.
4. Information systems should be recovered by IT people based on the business requirements specified by the business people and negotiated with IT people; specifically, recovery time objective (RTO) and recovery point objective (RPO).
5. Business and IT people work together to achieve the goal of business continuity. A business continuity plan (BCP) as a master plan is the output of business continuity planning that usually includes a disaster recovery plan (DRP) as a sub-plan prepared by IT people.

It’s ineffective for IT people to conduct any disaster recovery planning before the critical business processes are determined, not to mention making decisions on alternative sites, e.g., mirror site, hot site, warm site, or code site, you name it.

The essence of business impact analysis (BIA) is to identify critical business processes and the impact in case of a disaster. MTDs of business processes are the most important output of BIA. RTO and RPO are objectives guiding the DRP; both of them are derived from MTD and negotiated between the business and IT people. In other words, RTO and RPO are commitments of IT to the business to fulfill the MTD requirement.

So, what about the business continuity planning process and the role of CISO? They vary from business to business. It’s not uncommon for a CISO as a coordinator or facilitator to facilitate the BIA process. This reemphasizes the importance of the R&R of CISO.

I won’t recommend Answer B, C, and D as the correct answers mainly because the decision about the hot site or cold site are made before the critical business processes are identified and not justified with any cost/benefit analysis.