Secure Controls Framework
Download The SCF

Business Continuity & Disaster Recovery (BCD)

Domain Principle

Maintain resilient capabilities to sustain business-critical functions and recover from disruptions through documented, tested and maintained continuity and recovery processes.

Domain Intent

Organizations establish, exercise and improve Business Continuity and Disaster Recovery (BC/DR) capabilities to minimize operational disruption from adverse events, meet recovery objectives and support business, legal, regulatory and stakeholder obligations.

Domain Guide

BCD exists because security and resilience are not the same thing. An organization can have strong access controls and still collapse operationally when a datacenter floods, a vendor goes offline, or ransomware takes down production systems. BC/DR planning answers a different question than security controls: not "how do we prevent disruption?" but "how do we keep operating when disruption happens anyway?"

 

The SCF's intent for BCD requires documented, tested and maintained BC/DR capabilities. Each of those three words matters. Documentation without testing produces plans that don't work. Testing without maintenance produces plans that were correct once but drift from reality as systems change. The intent covers meeting recovery objectives, specifically RTO and RPO commitments and fulfilling legal, regulatory and stakeholder obligations that may require continuity evidence.

 

BCD is separate from Incident Response because the two disciplines cover different failure modes and different time horizons. Incident response handles the detection and containment of security events. BC/DR handles what happens after those events, or during non-security disruptions, when the question is operational survival rather than threat elimination.