This chapter covers Business Continuity (BC) and Disaster Recovery (DR) — critical components of organizational resilience that ensure operations continue during and after disruptive events. For the SY0-701 exam, this maps to Objective 5.3: Explain the importance of resilience and recovery in security architecture. You must understand the differences between BCP and DRP, recovery metrics (RTO, RPO, MTTR), site types, backup strategies, and continuity concepts like high availability and fault tolerance. This is a high-yield topic with many scenario-based questions.
Jump to a section
Imagine a large hospital that must remain operational 24/7 to save lives. The hospital has a detailed disaster recovery plan: backup generators for power, redundant surgical suites, off-site medical records storage, and a sister hospital agreement for patient overflow. In a fire, the hospital's Business Continuity Plan (BCP) kicks in — it's about keeping the emergency room open, even if in a tent outside. The Disaster Recovery Plan (DRP) focuses on restoring the burned wing to full functionality. The Recovery Time Objective (RTO) is the maximum time the ER can be in a tent before patients die. The Recovery Point Objective (RPO) is how much patient data loss is tolerable — if the last backup was 24 hours ago, they lose a day of records. Backup power (generators) is like a hot site — ready instantly. The sister hospital is a warm site — needs some setup. A cold site is an empty warehouse that takes days to equip. Failover happens automatically via transfer agreements; failback occurs when the original wing is rebuilt. This mirrors IT: BCP keeps the business running, DRP restores IT systems, RTO/RPO define acceptable downtime and data loss, and site types dictate recovery speed.
What is Business Continuity and Disaster Recovery?
Business Continuity (BC) and Disaster Recovery (DR) are complementary disciplines. Business Continuity Planning (BCP) focuses on maintaining critical business functions during and after a disaster — it's about keeping the organization alive. Disaster Recovery Planning (DRP) is a subset of BCP that specifically addresses restoring IT systems and infrastructure after an incident. Together, they form the backbone of organizational resilience.
Recovery Time Objective (RTO): The maximum acceptable downtime for a system or process. If RTO is 4 hours, the system must be recoverable within 4 hours of failure.
Recovery Point Objective (RPO): The maximum acceptable data loss measured in time. An RPO of 1 hour means you can lose at most 1 hour of data — backups must be taken at least hourly.
Mean Time to Repair (MTTR): The average time required to repair a failed component. Lower MTTR improves availability.
Mean Time Between Failures (MTBF): The average time between failures of a system. Higher MTBF indicates greater reliability.
Site Types for Recovery
Organizations choose recovery sites based on cost and speed:
Hot Site: Fully equipped, real-time data synchronization, ready within minutes. Most expensive.
Warm Site: Partially equipped, some hardware and software, but not live data. Recovery takes hours to days.
Cold Site: Empty facility with power, cooling, and cabling. Everything must be installed. Recovery takes days to weeks.
Mobile Site: Portable unit (e.g., trailer) that can be deployed to a location.
Mirrored Site: Real-time replication of data and systems, essentially a hot site with automatic failover.
Backup Strategies
Backups are the foundation of data recovery. Key concepts:
Full Backup: Copies all data. Slowest to perform, fastest to restore.
Incremental Backup: Copies only data changed since the last backup (full or incremental). Fastest backup, slowest restore (must restore full + all incrementals in order).
Differential Backup: Copies data changed since the last full backup. Faster restore than incremental (only need full + last differential).
Synthetic Full Backup: A full backup created by combining a previous full backup with subsequent incremental backups, without impacting production.
Backup locations: - On-site: Fast access but vulnerable to same disaster. - Off-site: Geographically separate, protects against site-wide disasters. - Cloud-based: Scalable, accessible from anywhere, but dependent on internet. - 3-2-1 Rule: Three copies of data, on two different media types, with one copy off-site.
High Availability and Fault Tolerance
High Availability (HA): Systems designed to operate continuously without failure for a long time. Achieved through redundancy, failover clusters, load balancing. Typical target is 99.999% uptime ("five nines").
Fault Tolerance: Ability of a system to continue operating in the event of a component failure. Examples: RAID (Redundant Array of Independent Disks), redundant power supplies, NIC teaming.
Redundancy: Duplication of critical components to increase reliability. Can be N+1 (one extra), N+2 (two extra), or 2N (double capacity).
Failover: Automatic switching to a redundant system upon failure.
Failback: Returning operations to the primary system after it is repaired.
Continuity of Operations Planning (COOP)
COOP is a federal government concept for ensuring essential functions continue during a wide range of emergencies. Key elements:
Delegation of authority
Orders of succession
Continuity of communications
Vital records management
Alternate facilities
Capacity Planning and Testing
Capacity Planning: Ensuring resources (compute, storage, network) are sufficient to meet future demand. Prevents overload that could cause outages.
Tabletop Exercise: Discussion-based walkthrough of a scenario. No actual systems are tested.
Walkthrough: Similar to tabletop but may include simulated actions.
Simulation: A more realistic test that may involve actual systems but not full production.
Parallel Testing: Running the recovery site alongside production to verify functionality without impacting live operations.
Full Interruption Test: Shutting down production and failing over to the recovery site. Most accurate but highest risk.
Power and Environmental Controls
UPS (Uninterruptible Power Supply): Provides short-term battery power to allow graceful shutdown or generator startup.
Generator: Long-term backup power, often diesel or natural gas.
PDU (Power Distribution Unit): Distributes power to racks, often with monitoring.
HVAC: Cooling is critical; without it, equipment overheats.
Fire Suppression: Clean agent systems (FM-200, Novec) that don't harm electronics.
Real-World Tools and Commands
While SY0-701 does not require specific commands, understanding backup and recovery tools is helpful. For example, in Windows you might use wbadmin for backups:
wbadmin start backup -backupTarget:E: -include:C: -allCritical -quietIn Linux, rsync is common for off-site replication:
rsync -avz /data/ user@offsite:/backup/Disaster Recovery Plan Components
A DR plan should include:
Contact information for key personnel
Detailed recovery procedures
System dependencies and recovery order
Backup locations and restoration processes
Communication plan (internal and external)
Testing schedule
Budget and resource allocation
Business Impact Analysis (BIA)
BIA identifies critical systems and their recovery requirements. It determines:
Maximum Tolerable Downtime (MTD) — the total time a process can be unavailable before causing irreparable harm.
RTO and RPO for each system.
Dependencies between systems.
Regulatory and contractual obligations.
Common Attack Vectors Affecting BC/DR
Ransomware: Encrypts data, making backups essential. Attackers sometimes target backups themselves.
DDoS: Overwhelms resources, requiring failover to scrubbing centers or alternate sites.
Physical Attacks: Sabotage, theft, or natural disasters.
Supply Chain Attacks: Compromise of third-party services (e.g., cloud provider outage).
Standards and Frameworks
ISO 22301: International standard for Business Continuity Management Systems.
NIST SP 800-34: Contingency Planning Guide for Federal Information Systems.
NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.
Exam Tip: RTO vs. RPO vs. MTD
RTO: How quickly you need to recover the system (time).
RPO: How much data you can afford to lose (time).
MTD: The total acceptable downtime, which includes RTO plus any additional time to fully resume operations. MTD is always greater than or equal to RTO.
Scenario Example
A company's e-commerce site has an RTO of 1 hour and an RPO of 15 minutes. A database failure occurs at 2:00 PM. The last backup was at 1:50 PM. The recovery team restores the database from backup, taking 45 minutes. The system is back online at 2:45 PM. RTO was met (45 min < 60 min). Data loss: 10 minutes (from 1:50 to 2:00), which is within the 15-minute RPO.
Identify Critical Business Functions
Conduct a Business Impact Analysis (BIA) to identify which systems and processes are essential for survival. This involves interviewing department heads, reviewing regulatory requirements, and analyzing financial impact. For each function, determine the Maximum Tolerable Downtime (MTD) — the total time the function can be unavailable before causing significant harm. Also identify dependencies: for example, an e-commerce site depends on web servers, which depend on databases. Document these in a BIA report. The output includes a prioritized list of systems with their recovery requirements (RTO, RPO). This step is foundational; without it, recovery efforts may focus on non-critical systems.
Develop Recovery Strategies
Based on the BIA, select appropriate recovery strategies for each critical system. For data, choose backup methods (full, incremental, differential) and storage locations (on-site, off-site, cloud). For infrastructure, decide on site type (hot, warm, cold) and redundancy levels (N+1, 2N). For applications, consider failover clustering or load balancing. Document the strategies in the BCP/DRP. For example, a database with RTO of 1 hour might require a hot standby with synchronous replication. Ensure strategies align with budget constraints. This step bridges the gap between requirements and implementation.
Create the Plan Documentation
Write the formal Business Continuity Plan and Disaster Recovery Plan. The BCP includes emergency response procedures, communication plans, and continuity of operations. The DRP details technical recovery steps: system restore order, backup restoration procedures, network reconfiguration, and testing schedules. Include contact lists, vendor agreements, and escalation procedures. Use clear, step-by-step instructions that can be followed under stress. Store copies both on-site and off-site (e.g., in a safe and in the cloud). The plan must be reviewed and approved by senior management. Version control is essential — mark each revision with a date and change log.
Implement and Test the Plan
Deploy the required infrastructure: backup systems, redundant hardware, failover clusters, and recovery sites. Validate that backups are running and data is restorable. Conduct tests to verify the plan works. Start with tabletop exercises to walk through scenarios. Progress to simulations and parallel testing. Finally, perform a full interruption test (if safe). Document test results, including any failures or delays. For example, during a simulation, if restoring a database from tape takes 4 hours but RTO is 2 hours, the strategy must be revised. Testing also trains staff and reveals gaps. After each test, update the plan accordingly.
Maintain and Continually Improve
BCP/DRP is not static. As systems change, the plan must be updated. Review the plan at least annually or after major changes (new applications, mergers, regulatory changes). Monitor industry threats and adjust strategies (e.g., increased ransomware risk may require more frequent backups). Conduct periodic training and awareness for all employees. Track metrics like backup success rates, recovery times, and test results. Use lessons learned from actual incidents to improve. For instance, if a power outage revealed that generators run out of fuel too quickly, increase fuel storage. Continuous improvement ensures the plan remains effective.
Scenario 1: Ransomware Attack on a Hospital
A hospital's electronic health records (EHR) system is hit by ransomware. The attackers encrypt files and demand payment. The IT team notices the attack when users report unable to open patient records. The team immediately isolates affected systems and activates the DR plan. They have daily full backups stored off-site and hourly incremental backups. The RTO for EHR is 4 hours; RPO is 1 hour. They restore from the last full backup and then apply the incremental backups taken before the attack. The restore takes 3 hours, meeting RTO. Data loss is 45 minutes (time between last incremental and attack). The correct response was to not pay the ransom and rely on backups. A common mistake is to start restoring without verifying backup integrity or to restore to the same network, allowing reinfection. The team should also scan restored data for malware before bringing systems online.
Scenario 2: Cloud Provider Outage
A financial services company uses AWS for its trading platform. A regional AWS outage occurs due to a power failure. The company has a multi-region architecture with active-active failover. The primary region fails, and DNS automatically routes traffic to the secondary region. The failover is seamless, with no downtime. However, the secondary region is running at lower capacity, causing performance degradation. The company's RTO is 5 minutes; RPO is 0 (no data loss due to synchronous replication). The correct response is to monitor the failover and communicate with stakeholders. A common mistake is to assume the cloud provider handles everything — the company must still test failover regularly and have a plan for prolonged outages. The team should also consider a cold site as a fallback if both regions fail.
Scenario 3: Fire in Data Center
A manufacturing company's on-premises data center experiences a fire. The fire suppression system activates, but the facility is damaged. The company has a warm site at another location. Their DR plan calls for restoring systems from tape backups stored at a third-party vault. The team transports the tapes to the warm site and begins restoration. The RTO for the ERP system is 24 hours; RPO is 12 hours. However, the tapes are damaged due to heat exposure. The correct response was to have off-site backups that are regularly tested for readability. A common mistake is to only store backups in the same facility. The company should also consider cloud backups or a hot site for critical systems. After this incident, they implement daily cloud backups and quarterly restore tests.
What SY0-701 Tests
Objective 5.3 covers: Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), Recovery Time Objective (RTO), Recovery Point Objective (RPO), Mean Time to Repair (MTTR), Mean Time Between Failures (MTBF), site types (hot, warm, cold), backup types (full, incremental, differential), high availability, fault tolerance, redundancy, and continuity of operations planning (COOP). Expect scenario questions where you must choose the correct metric or site type based on requirements.
Common Wrong Answers
Confusing RTO and RPO: Many candidates choose RTO when the question asks about data loss, or vice versa. Remember: RTO is about time to recover; RPO is about data loss tolerance.
Choosing cold site when RTO is short: Cold sites take days to set up, so they are only appropriate for long RTOs (e.g., 72+ hours). Candidates often pick cold site because it's cheap, but the scenario requires fast recovery.
Selecting incremental backup for fastest restore: Incremental backups are fastest to perform but slowest to restore because you need the full and all incrementals. The fastest restore is from a full backup or differential.
Mistaking MTBF for MTTR: MTBF is about reliability (time between failures); MTTR is about repair speed. A high MTBF is good; a low MTTR is good.
Key Terms and Acronyms
RTO, RPO, MTTR, MTBF, MTD
BCP, DRP, COOP, BIA
Hot, warm, cold, mobile, mirrored sites
Full, incremental, differential, synthetic full backups
3-2-1 rule, N+1, 2N redundancy
UPS, generator, PDU
Trick Questions
A question may describe a "disaster" that only affects IT (e.g., server crash). The correct answer is DRP, not BCP, because BCP covers broader business continuity.
A scenario with a very short RTO (e.g., 5 minutes) requires a hot site, but candidates may choose warm site because it's cheaper.
Questions about backup frequency are tied to RPO: if RPO is 1 hour, backups must be taken at least hourly.
Decision Rule
When solving scenario questions: (1) Identify if the question is about keeping the business running (BCP) or restoring IT (DRP). (2) Determine the recovery metric needed: if it asks about time to recover, it's RTO; if data loss, it's RPO. (3) For site selection, match the recovery time to site capabilities: minutes → hot, hours → warm, days → cold. (4) For backup strategy, consider restore speed vs. backup speed: full backup restores fastest; incremental backs up fastest.
RTO = maximum acceptable downtime; RPO = maximum acceptable data loss (in time).
Hot site = minutes recovery; warm site = hours; cold site = days.
Full backup = fastest restore; incremental backup = fastest backup.
3-2-1 backup rule: 3 copies, 2 media types, 1 off-site.
MTTR measures repair speed; MTBF measures reliability.
BCP keeps business running; DRP restores IT systems.
Fault tolerance ensures no interruption; high availability minimizes downtime.
BIA identifies critical functions and their recovery requirements.
These come up on the exam all the time. Here's how to tell them apart.
Hot Site
Fully equipped with hardware, software, and data.
Real-time data synchronization or near-real-time replication.
Recovery time: minutes to hours.
High cost due to constant readiness.
Suitable for critical systems with low RTO.
Warm Site
Partially equipped; may lack some hardware or software.
Data is not current; requires restoration from backups.
Recovery time: hours to days.
Moderate cost.
Suitable for important systems with moderate RTO.
Full Backup
Copies all data every time.
Slowest backup process.
Fastest restore process (single backup set).
Requires most storage space.
Backup time increases with data volume.
Incremental Backup
Copies only data changed since last backup (full or incremental).
Fastest backup process.
Slowest restore process (must restore full + all incrementals).
Requires least storage space.
Backup time is short regardless of total data volume.
Mistake
BCP and DRP are the same thing.
Correct
BCP is broader, covering all aspects of keeping the business operational during a disaster (including non-IT functions like alternative workspaces). DRP is a subset focused on restoring IT systems and data.
Mistake
A cold site is sufficient for most organizations because it's cheap.
Correct
Cold sites require days to weeks to become operational, so they are only suitable for systems with very long RTOs (e.g., 72+ hours). Most critical systems require warm or hot sites.
Mistake
Incremental backups are best because they are fastest to restore.
Correct
Incremental backups are fastest to create but slowest to restore because you must restore the full backup and then every incremental in order. Differential or full backups restore faster.
Mistake
High availability and fault tolerance mean the same thing.
Correct
High availability aims to maximize uptime through redundancy and failover, but may involve some downtime during switchover. Fault tolerance ensures no interruption even if a component fails, e.g., RAID 1 (mirroring) provides fault tolerance.
Mistake
Once a DR plan is written, it's done.
Correct
DR plans must be tested, reviewed, and updated regularly. Changes in infrastructure, personnel, or business processes require plan updates. Annual testing is a minimum, but quarterly is recommended.
RTO (Recovery Time Objective) is the maximum time a system can be down after a failure — how quickly you need to recover. RPO (Recovery Point Objective) is the maximum age of data you can afford to lose — how much data loss is acceptable. For example, an RTO of 4 hours means the system must be back within 4 hours; an RPO of 1 hour means you can lose at most 1 hour of data. On the exam, remember: RTO = time to recover; RPO = point in time to which data is recovered.
A hot site. Hot sites are fully operational and can take over within minutes. Warm sites take hours, and cold sites take days, so they would not meet a 30-minute RTO. On the exam, match the RTO to site capabilities: minutes → hot; hours → warm; days → cold.
The 3-2-1 rule states: keep three copies of your data (one primary and two backups), on two different media types (e.g., disk and tape, or local and cloud), with one copy stored off-site. This ensures data survives a site disaster or media failure. The exam may ask you to identify the best backup strategy based on this rule.
A tabletop exercise is a discussion-based walkthrough of a disaster scenario where participants talk through their roles and decisions without actually testing systems. A full interruption test involves shutting down production systems and failing over to the recovery site, which is the most realistic but also the riskiest. The exam may ask which test is most thorough or which is safest.
A BIA identifies critical business functions, their dependencies, and the impact of disruptions. It determines recovery priorities, RTOs, RPOs, and resource requirements. Without a BIA, a BCP/DRP may not focus on the right systems. On the exam, a BIA is the first step in developing a continuity plan.
High availability (HA) aims to maximize uptime through redundancy and automated failover, but there may be a brief interruption during failover (e.g., load balancer redirects traffic). Fault tolerance ensures no interruption at all — the system continues operating despite a component failure (e.g., RAID 1 mirroring, dual power supplies). The exam might ask which provides continuous operation without any downtime.
Both backup only changed data, but incremental backups copy data changed since the last backup (full or incremental), while differential backups copy data changed since the last full backup. The key difference is in restore: incremental restore requires the full plus all incrementals in sequence; differential restore requires only the full plus the latest differential. On the exam, know that incremental is faster to back up but slower to restore, while differential is the opposite.
You've just covered Business Continuity and Disaster Recovery — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?