ISC 2 Certified in Cybersecurity CC – Domain 2: Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts

ISC 2 Certified in Cybersecurity CC: Real-Life Domain 2

The real test of an organization is not how well it functions in normal circumstances, but rather how it handles disasters and system failures. This resilience is specifically covered in Domain 2 of the ISC 2 Certified in Cybersecurity CC exam. It teaches how companies use Business Continuity Planning (BCP) to keep things running smoothly, Disaster Recovery Planning (DRP) to restore vital systems, and Incident Management to deal with emergencies. When these disciplines work together, the company is able to identify problems early, respond quickly, recover effectively, and learn to become stronger for the next challenge, even in the face of cyberattacks, outages, or natural catastrophes.

👉 “When things go wrong, how do we keep working?”

  • BCP: Business Continuity Plan—How the organization keeps running (whole org survival).
  • DRP: Disaster Recovery Plan—How IT systems come back to life (IT recovery and failover).
  • Incident Management—How we detect, respond to, fix, and learn (handle attacks, outages, and issues).

Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts make up 10% of the ISC 2 Certified in Cybersecurity CC exam.

Let’s walk through each and explain the key terms.

1: Business Continuity Plan (BCP)

What is BCP?
The Business Continuity Plan (BCP) is a documented strategy that outlines how the organization will continue operations during and after a disruption, such as a cyberattack, fire, or ISP failure. To prepare for the ISC 2 Certified in Cybersecurity CC exam you need to understand these concepts.

Think of BCP as
🛡️ “Even if our main office or data center is gone, how do we keep serving customers?”

Why BCP matters in IT:

  • If the data center fails, do we have another?
  • If the VPN dies, how do remote staff work?
  • If a cloud region is down, what’s Plan B?
  • If staff can’t show up (pandemic, strike), who steps in?

Who owns BCP:

Senior Management:

  • Approves the plan
  • Sets priorities
  • Demonstrates due care and diligence

Due Care: “We understand the risks and care enough to act.”
Due Diligence: “We continuously verify our controls and plans work.”

👉 Expect questions on due care and due diligence in the ISC 2 Certified in Cybersecurity CC exam.

1.1: Sub-Plans That Support BCP

  • COOP: Continuity of Operations Plan
    Keep essential functions running, possibly at reduced capacity or from alternate locations.
  • OEP: Occupant Emergency Plan
    Focus on physical safety: evacuation, drills, assembly points, active shooter procedures.
  • BRP: Business Recovery Plan
    Guide for moving back to normal once temporary systems are no longer needed.
  • IT Contingency Plan / Continuity of Support
    Keep critical IT services like email or payment systems alive or restore them fast.
  • CMP: Crisis Management Plan
    Leadership structure during crisis: decision-making, priorities, escalation paths.
  • Crisis Communications Plan
    Who talks to employees, media, customers, regulators—and what they say.
  • EOC: Emergency Operations Center
    A secure physical/virtual command post for managing crisis response.

1.2: Where to Keep These Plans

  • Store securely in multiple locations: paper, cloud, offsite.
  • Must be accessible even if the office or primary network is down.
  • Remove outdated versions to avoid confusion.

2: Disaster Recovery Plan (DRP)

If BCP is the movie script, DRP is the IT team’s runbook.

What is DRP?
A technical, detailed plan for restoring IT systems, data, and infrastructure after disruption.
💡 DRP is a subset of BCP.

DRP Lifecycle:

Mitigation → Preparation → Response → Recovery

  • Mitigation: Build resilience in advance (RAID, WAF, redundant servers).
  • Preparation: Create backups, runbooks, and contact lists.
  • Response: Detect the issue, activate DRP, failover systems.
  • Recovery: Restore and verify normal operations.

Example: An organization may use AWS to host its website and databases. If a data center in one region goes down, AWS immediately switches over to another region, keeping the service functioning. This failover is part of AWS disaster recovery and business continuity.

3: Business Impact Analysis (BIA)

BCP/DRP without BIA = guessing.

What is BIA?
A structured process to identify:

  • Which systems are critical
  • Acceptable downtime for each
  • Data loss tolerance
  • Business/legal/reputational impact

Key Metrics:

MTD ≥ RTO + WRT

  • RPO: Recovery Point Objective – Max acceptable data loss (in time)
  • RTO: Recovery Time Objective – Time to restore system availability
  • WRT: Work Recovery Time – Time to finish restoration/config/testing
  • MTD: Maximum Tolerable Downtime – Total time a system can be down
  • MTBF: Mean Time Between Failures – Average time between failures
  • MTTR: Mean Time To Repair – Average time to fix
  • MOR: Minimum Operating Requirements – Bare minimum needed to function

Example:

For an online banking system:

  • RPO = 5 minutes
  • RTO = 30 minutes
  • WRT = 30 minutes
  • MTD = 2 hours
    ✅ RTO + WRT ≤ MTD → 30 + 30 ≤ 120 (minutes)

👉 Understanding the simple calculations above is essential for answering ISC 2 Certified in Cybersecurity CC exam questions.
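The following is an added example, not part of the original article, that turns the BIA metrics above into a consistency check. It tests the core inequality MTD ≥ RTO + WRT for each system and, going one step further than the text, compares the declared RPO and RTO against what the environment actually delivers (backup frequency and the restore time seen in the last DR drill), which is the mismatch listed later under "Common Pitfalls". The measured values and the second system (`crm`) are constructed for illustration; the availability formula MTBF / (MTBF + MTTR) is the standard steady-state formula and is not stated on the page.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import List


@dataclass
class SystemBIA:
    """BIA targets for one system plus what the environment actually delivers."""
    name: str
    rpo: timedelta   # Recovery Point Objective: max acceptable data loss
    rto: timedelta   # Recovery Time Objective: time to bring the system back up
    wrt: timedelta   # Work Recovery Time: restore config, test, hand back to the business
    mtd: timedelta   # Maximum Tolerable Downtime
    # Measured capabilities (constructed values, not taken from any real DR test):
    backup_interval: timedelta    # how often backups actually complete
    last_test_restore: timedelta  # restore time observed in the most recent DR drill


def minutes(td: timedelta) -> int:
    return int(td.total_seconds() // 60)


def check_bia(s: SystemBIA) -> List[str]:
    """Return one finding per mismatch; an empty list means the targets are consistent."""
    findings = []
    # The core BIA inequality from the text: MTD >= RTO + WRT
    if s.rto + s.wrt > s.mtd:
        findings.append(f"{s.name}: RTO + WRT = {minutes(s.rto + s.wrt)} min "
                        f"exceeds MTD of {minutes(s.mtd)} min")
    # An RPO is only achievable if backups run at least that often
    if s.backup_interval > s.rpo:
        findings.append(f"{s.name}: backups every {minutes(s.backup_interval)} min "
                        f"cannot meet RPO of {minutes(s.rpo)} min")
    # An RTO is only credible if a real restore has been completed within it
    if s.last_test_restore > s.rto:
        findings.append(f"{s.name}: last test restore took {minutes(s.last_test_restore)} min, "
                        f"RTO is {minutes(s.rto)} min")
    return findings


def availability(mtbf: timedelta, mttr: timedelta) -> float:
    """Steady-state availability derived from MTBF and MTTR (standard formula, not from the page)."""
    return mtbf.total_seconds() / (mtbf + mttr).total_seconds()


# The online banking figures from the text, with constructed measured values that satisfy them.
BANKING = SystemBIA("online-banking",
                    rpo=timedelta(minutes=5), rto=timedelta(minutes=30),
                    wrt=timedelta(minutes=30), mtd=timedelta(hours=2),
                    backup_interval=timedelta(minutes=5),
                    last_test_restore=timedelta(minutes=25))

# A constructed system whose declared targets do not match what the environment delivers.
CRM = SystemBIA("crm",
                rpo=timedelta(minutes=15), rto=timedelta(hours=1),
                wrt=timedelta(minutes=90), mtd=timedelta(hours=2),
                backup_interval=timedelta(hours=1),
                last_test_restore=timedelta(minutes=45))

if __name__ == "__main__":
    for system in (BANKING, CRM):
        findings = check_bia(system)
        print(f"{system.name}: {'OK' if not findings else 'MISMATCH'}")
        for finding in findings:
            print("  -", finding)
    print(f"availability at MTBF=500h, MTTR=2h: "
          f"{availability(timedelta(hours=500), timedelta(hours=2)):.5f}")
```

Running the script reports the banking system as consistent and flags `crm` twice: its RTO + WRT of 150 minutes exceeds the 120-minute MTD, and hourly backups cannot satisfy a 15-minute RPO. The point of the two "measured" fields is that a BIA is only as good as the evidence behind it; a plan that states an RTO nobody has ever rehearsed is the pitfall the article warns about.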

4: Recovery Sites (Where to Run if DC Fails)

Fast but costly → Slower but cheaper:

  • Redundant Site: Fully mirrored, auto-failover. 💸 Extremely expensive.
  • Hot Site: Prebuilt with synchronized data; ready in minutes to an hour.
  • Warm Site: Has hardware; requires some setup and data restore.
  • Cold Site: Just space/power. You bring everything. Cheap, but slow.
  • Reciprocal Agreement: Two orgs back each other up. Risky if both are hit.
  • Cloud / DRaaS: Pay to spin up environments on demand.
  • Mobile Site: Truck-mounted data center. Portable, flexible.

👉 This concept will definitely be tested in the ISC 2 Certified in Cybersecurity CC exam.

5: Incident Management

This section of the ISC 2 Certified in Cybersecurity CC exam covers outages, breaches, and anything suspicious—before it becomes a disaster.

Key Progression:

Event → Alert → Incident → Problem / Disaster / Catastrophe

  • Event: Any system activity (logins, reboots, etc.)
  • Alert: A tool flags a potential issue.
  • Incident: An event impacting confidentiality, integrity, or availability.
  • Problem: The root issue behind recurring or major incidents.
  • Emergency/Crisis: Threat to life or major assets.
  • Disaster: Serious disruption (≥ 24 hours of outage).
  • Catastrophe: Massive destruction (e.g., building loss).
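The progression from event to alert to incident is easiest to see in code. The block below is an added example, not from the original article: a small triage routine run over constructed authentication log lines (the `key=value` log format, the user names, the addresses and the threshold of five failures are all assumptions for the example). Every parsed line is an event; a burst of consecutive failed logins makes the tool raise an alert; and a successful login for an account that already has an open alert is treated as a likely account takeover, a confidentiality impact, so it is escalated to an incident.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed authentication log lines in a simple key=value format (not from a real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T10:00:03Z auth user=alice src=10.0.0.5 result=OK
2024-05-01T10:01:00Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T10:01:02Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T10:01:04Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T10:01:06Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T10:01:08Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T10:01:10Z auth user=bob src=203.0.113.7 result=OK
2024-05-01T10:02:00Z auth user=carol src=198.51.100.9 result=FAIL
2024-05-01T10:02:01Z auth user=carol src=198.51.100.9 result=FAIL
2024-05-01T10:02:02Z auth user=carol src=198.51.100.9 result=FAIL
2024-05-01T10:02:03Z auth user=carol src=198.51.100.9 result=FAIL
2024-05-01T10:02:04Z auth user=carol src=198.51.100.9 result=FAIL
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

FAIL_THRESHOLD = 5  # consecutive failures before the tool raises an alert (assumed tuning value)


@dataclass
class TriageResult:
    events: int = 0                                      # every parsed log line is an event
    alerts: List[str] = field(default_factory=list)      # the tool flagged a potential issue
    incidents: List[str] = field(default_factory=list)   # a CIA impact is considered confirmed


def triage(lines) -> TriageResult:
    """Classify log lines into events, alerts and incidents in a single pass."""
    result = TriageResult()
    fails: Dict[str, int] = defaultdict(int)  # current streak of failed logins per user
    alerted: Set[str] = set()                 # users with an open alert
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not parse are ignored in this example
        result.events += 1
        ts, user, src, outcome = m.group("ts", "user", "src", "result")
        if outcome == "FAIL":
            fails[user] += 1
            if fails[user] == FAIL_THRESHOLD:
                alerted.add(user)
                result.alerts.append(
                    f"{ts} {user}: {FAIL_THRESHOLD} consecutive failed logins from {src}")
        else:
            if user in alerted:
                # Success right after a burst of failures: the account is likely compromised,
                # which is a confidentiality impact, so the alert becomes an incident.
                result.incidents.append(
                    f"{ts} {user}: successful login from {src} after {fails[user]} failures "
                    f"(possible account takeover)")
                alerted.discard(user)
            fails[user] = 0  # a successful login ends the streak
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    print(f"events: {r.events}, alerts: {len(r.alerts)}, incidents: {len(r.incidents)}")
    for a in r.alerts:
        print("ALERT   ", a)
    for i in r.incidents:
        print("INCIDENT", i)
```

On the sample log, alice's two lines are events only, carol's five failures produce an alert but no incident (nothing succeeded), and bob's failures followed by a success produce both an alert and an incident. A production detection would add a time window and a source-based view, but the staging is the same: the incident is declared when an alert is tied to a real impact on confidentiality, integrity or availability, not when the tool first fires.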

CIRT: Cyber Incident Response Team

A cross-functional team activated for serious security incidents. This part is extremely important to understand in order to answer questions correctly in the ISC 2 Certified in Cybersecurity CC exam.

Includes:

  • Senior Management
  • Incident Coordinator
  • Security / IT / App owners
  • Legal, HR, PR
  • Auditors if needed

5.1: Incident Response Lifecycle (8 Steps)

  1. Preparation – Tools, training, playbooks, policies
  2. Detection – Logs, SIEM, IDS/IPS
  3. Response (Containment) – Isolate systems, preserve evidence
  4. Mitigation (Eradication) – Remove root cause
  5. Reporting – Internal and external comms
  6. Recovery – Clean backups, validation
  7. Remediation – Hardening, MFA, monitoring
  8. Lessons Learned – Root cause, control updates, training

👉 Students need to remember this order to correctly answer questions in the ISC 2 Certified in Cybersecurity CC exam.

6: Threats and Risks in IT Environments

Categories:

  • Natural: Earthquakes, floods
  • Human:
    • Unintentional: Misconfigurations
    • Intentional: Hacking, fraud, sabotage
  • Environmental: Power or HVAC failure, fire

Examples:

  • Misconfigured S3 bucket → Data leak. AWS enables cloud DR through services such as Amazon S3; an Amazon Simple Storage Service (S3) bucket whose permissions or settings are wrong and that accidentally exposes data is known as a misconfigured S3 bucket.
    🛠️ Fix: Least privilege, reviews, scanners
  • Ransomware attack
    🛠️ Fix: Offline backups, EDR, segmentation
  • Power Outage
    🛠️ Fix: UPS, generators, DR failover
  • Overheating Server Room
    🛠️ Fix: HVAC, monitoring, airflow controls
  • Key Staff Unavailable
    🛠️ Fix: Cross-train, document, enable remote work

7: Common Pitfalls

  • Plan exists but isn’t approved
  • BCP only covers IT—ignores people, vendors, and facilities
  • No testing: First test is during a real event
  • No offsite backup of plans
  • RPO/RTO/MTD values don’t match actual capabilities

8: Quick Reference Glossary for Domain 2 of ISC 2 Certified in Cybersecurity CC

  • BCP: Business Continuity Plan
  • DRP: Disaster Recovery Plan
  • BIA: Business Impact Analysis
  • RPO: Max acceptable data loss
  • RTO: Target time to restore system
  • WRT: Time for full recovery post-restore
  • MTD: Max Tolerable Downtime
  • MTBF: Time between failures
  • MTTR: Time to repair
  • MOR: Minimum Operating Requirements
  • COOP, OEP, BRP, CMP: Specialized sub-plans
  • CIRT: Cyber Incident Response Team
  • EOC: Emergency Ops Center
  • Event, Alert, Incident, Problem: Incident stages
  • Hot/Warm/Cold Site: Different backup levels
  • Redundant Site: Fully mirrored live site
  • Reciprocal Agreement: DR support between orgs
  • Cloud Site: On-demand failover via cloud

👉 Answering Domain 2 of the ISC 2 Certified in Cybersecurity CC exam requires a thorough understanding of the concepts above.

For more ISC 2 CC study material, follow these links:

https://thecyberskills.com/isc2-certified-in-cybersecurity-domain1/

https://www.isc2.org/certifications/cc/cc-certification-exam-outline
