
BCP (Business Continuity Plan)

Business Continuity Plan: the organizational and technical measures that let a company keep its essential activities running through a major disruption.

A BCP (Business Continuity Plan, French PCA — Plan de Continuité d'Activité) is the set of organizational, technical, and human arrangements that let a company keep its essential activities running, even partially, through a major disruption: IT outage, cyberattack, fire, flood, pandemic, civil unrest. It is a governance topic at IT and company-wide levels.

With DORA (Digital Operational Resilience Act) in force since January 2025 in finance and NIS2 across 18 critical sectors, a BCP is no longer optional: it is a regulatory obligation with sanctions attached. Per Gartner 2024, 65% of companies that suffer a major incident without a tested BCP take more than six months to return to baseline; a quarter never fully recover.

BCP vs [DRP](/en/glossary/pra): the critical distinction

A common confusion:

  • The BCP is broad: it covers the whole company — IT, HR, premises, communication, logistics, suppliers. Its purpose: keep the business running.
  • The DRP (Disaster Recovery Plan, French PRA) is a technical subset of the BCP, focused on restoring the IT estate after a disruption.

In other words: without a DRP, the BCP has no technical foundation; without a BCP, the DRP is a pure IT drill missing business context.

Building a BCP

The ISO 22301 process has five steps:

  1. Business Impact Analysis (BIA): identify critical processes, their tolerance for downtime (RTO), their tolerance for data loss (RPO), and their technical dependencies.
  2. Risk assessment: catalog threats (cyber, natural, human, vendors).
  3. Continuity strategies: alternative sites, fully remote work, degraded modes, vendor partnerships, target RTO.
  4. Documentation: procedures, crisis org charts, communication scripts, contact lists.
  5. Testing and continuous improvement: regular exercises (tabletop, simulation, real failover), lessons learned, at least annual updates.

Typical BCP content

A documented BCP includes:

  • The crisis team: composition, roles, deputies, physical and virtual war rooms.
  • Critical processes: prioritized list with RTO and RPO.
  • Degraded modes: how to operate without IT, paper-based, forced remote.
  • Alternative sites: geographic and IT (active-active, active-passive, cloud).
  • Communication plan: internal (staff), external (customers, vendors, press, regulators).
  • Call trees: who calls whom, in what order, by what means.
  • Technical annexes: failover procedures, scripts, configurations.

Testing the BCP

An untested BCP is paper. Test levels:

  • Tabletop exercise: review of procedures in a room, no real switchover.
  • Walkthrough: step-by-step with the actual responders.
  • Simulation: simulated crisis under realistic conditions, no production impact.
  • Partial test: real failover of one system or one site.
  • Full failover: complete switchover to the secondary site. At least annually for critical organizations.

DORA mandates at least an annual test for financial institutions and a full resilience test every three years.

Standards and frameworks

  • ISO 22301: international business continuity management standard.
  • ISO 22313: implementation guide for ISO 22301.
  • ITIL 4: Service Continuity Management practice.
  • NIST SP 800-34: US contingency planning guide.

BCP and application visibility

A credible BCP requires knowing precisely which applications support which critical business processes. Without an up-to-date application map, the BIA is speculative. Kabeen automatically connects applications, business usage, and cost to ground the BIA in live data.

Frequently asked questions

What is a BCP?

A BCP (Business Continuity Plan) is the set of organizational, technical, and human measures that let a company keep its essential activities running through a major disruption: IT outage, cyberattack, fire, pandemic. It covers the whole business — IT, HR, premises, communication, suppliers — not just IT recovery.

What is the difference between a BCP and a DRP?

The BCP covers the whole company (IT, business, logistics, communications) to keep activities running. The DRP (Disaster Recovery Plan) is a technical subset focused on restoring the IT estate after a disruption. The BCP is broader and strategic; the DRP is technical and operational. The two are inseparable.

Is a BCP mandatory?

Yes, in many regulated sectors. DORA (Digital Operational Resilience Act) came into force in January 2025, mandating a tested BCP for European financial institutions. NIS2 extends this to 18 critical sectors (energy, healthcare, transport, water, public administration). In other sectors a BCP remains strongly recommended by insurers and regulators.

How often should you test a BCP?

It depends on sector and criticality. DORA mandates at least an annual test for financial institutions and a full resilience test every three years. Otherwise ISO 22301 recommends at least an annual tabletop exercise and a partial test every 12 to 24 months. An untested BCP is useless: tests are where the gap between the documented plan and reality surfaces.