
Contingency Planning: What’s the Difference between Incident Response, Disaster Recovery, and Business Continuity?

Contingency planning is the process of determining how to respond to disruptive events. Most organizations are so dependent on IT resources, and most IT resources are so complex, interdependent, and attack prone, that contingency planning is essential to enable organizations to mitigate the likelihood, impact, and duration of disruptions to IT systems. In cybersecurity, there are three main types of contingency plans: Incident Response Plans (IRP), Disaster Recovery Plans (DRP), and Business Continuity Plans (BCP). However, the purposes of these plans are often confused. This article explains when to use each of the three plans and why organizations should develop all three to strengthen their cybersecurity resilience.

IRP vs DRP vs BCP

The general purposes of the three main contingency plans are:

| Plan | Purpose | Threat Example | Primary Audience |
| --- | --- | --- | --- |
| Incident Response | Respond to cyber attacks | Malware, phishing, ransomware | IT (and the Incident Response Team) |
| Disaster Recovery | Respond to long-term or widespread IT outages | Destruction of data center, hardware failure, widespread ransomware | IT (and the Disaster Recovery Team) |
| Business Continuity | Continue business operations even if IT services go down | Any threat that could cause the IRP or DRP to activate | Department leaders |

With these differences in mind, there are still two common points of confusion. First, although every cyberattack warrants the use of an Incident Response Plan, some cyberattacks may warrant the use of a Disaster Recovery Plan as well. For example, if ransomware takes down an organization’s IT resources, and the organization chooses to respond to the ransomware by wiping and restoring all systems, then the Incident Response Plan would help detail how to contain and eradicate the ransomware threat while the Disaster Recovery Plan would help detail how to rebuild the IT systems.

An organization’s IRP typically has some details on how to recover IT systems, but the DRP is likely to have more in-depth information, especially for something as complex as restoring all IT systems. So, in general, the IRP is focused on containing and eradicating cyber threats while the DRP is focused on rebuilding and restoring IT systems. They are often invoked separately, but sometimes together.

The second point of confusion is the intended audience of the Business Continuity Plan. If an IT resource is disrupted by a threat, then other departments will likely be impacted as well, not just IT. Department leaders should then invoke their Business Continuity Plan, which describes how the department can continue to operate even if an IT resource goes down. For example, it might explain how the instructional department can continue to teach even if the internet is down, how the business department can continue to run payroll even if the finance software is down, or how a medical provider can provide continuity of care even if the electronic health record system is down. While IT is busy following its Incident Response or Disaster Recovery Plan, the rest of the organization would follow its Business Continuity Plan.

IRP Best Practices

Consider the following when creating an Incident Response Plan:

  • Identify a lifecycle—or high-level steps to follow—for responding to incidents. A commonly used incident handling lifecycle is based on NIST’s SP 800-61r, which is:
    • Preparation
    • Detection & Analysis
    • Containment, Eradication, & Recovery
    • Lessons Learned
  • Create incident response playbooks for responding to different cyberattacks. Playbooks are often included as appendices in an IRP and should be detailed enough to inform incident response team members what steps they should take to actually respond to various threats, such as malware, phishing, data exfiltration, or ransomware.

DRP Best Practices

Consider the following when creating a Disaster Recovery Plan:

  • Identify a lifecycle for responding to disasters, such as:
    • Detect
    • Analyze
    • Contain
    • Relocate (if necessary)
    • Rebuild
    • Restore
    • Recover
    • Lessons Learned
  • Identify steps to relocate IT systems to another location, if necessary. For example, if a fire destroys an on-premises data center, the IT systems and potentially other business resources may have to be rebuilt in another location.
  • Create playbooks for rebuilding, restoring, and recovering different IT systems. In SP 800-34, NIST refers to these playbooks as Information System Contingency Plans (ISCP). They are often included as appendices in the DRP and should be detailed enough to inform disaster recovery team members what steps they should actually take to recover an IT system, such as how to configure network, authentication, and system settings or where to restore data from backups.

BCP Best Practices

Consider the following when creating a Business Continuity Plan:

  • Write continuity plans from the perspective of how to continue critical business operations. For example, instead of focusing on “what should the business department do if the internet goes down”, focus on “what IT resources does the business department need to run payroll, and what can the business department do to run payroll even if those IT resources go down”.
  • For departments and critical business functions that are highly IT dependent, identify ways to improve operational resiliency, such as having offline backups or redundant technology solutions.

Test All Plans

Organizations should annually test all Incident Response, Disaster Recovery, and Business Continuity Plans. We commonly encounter organizations that may have a documented plan, but the stakeholders identified in the plan are unaware it exists. The most common way to test a contingency plan is through a Tabletop Exercise (TTX), where a facilitator runs the IRP, DRP, or BCP teams through an imagined scenario and prompts team members for how they’d respond. TTXs are great for revealing procedural issues and improving contingency preparedness.

Conclusion

Overall, all organizations should have documented and tested Incident Response, Disaster Recovery, and Business Continuity Plans for minimizing the likelihood, impact, and duration of inevitable disruptions to IT resources. Those three plans serve different purposes, and they may be invoked separately or in tandem depending on the threat.

We Can Help

Sedara’s Cybersecurity Development Program (CDP) and our virtual Chief Information Security Officers (vCISOs) can help you assess and implement improvements to your cybersecurity program. We have helped many organizations document and test their own contingency plans to improve their organizational resilience.

Contact us today to learn more and schedule a consultation.
