Skip to content

Explain BCP versus DRP, and define RTO and RPO.

Short answer

Business continuity (BCP) is the broad strategy to keep critical business functions operating during and after a disruption; disaster recovery (DRP) is the IT-focused subset that restores systems and data. RTO is the maximum tolerable time to restore a function; RPO is the maximum tolerable data loss measured in time.

Continuity and recovery planning is a heavily tested CISSP area because it forces you to think about the business, not just the technology. Interviewers want to hear the scope difference and the two key metrics defined precisely.

BCP versus DRP

Business Continuity Planning (BCP) is the umbrella discipline: it ensures the organization's critical business functions continue during and after a disruption — people, processes, facilities, communications, and supply chain, not only computers. Disaster Recovery Planning (DRP) is a subset of BCP focused specifically on restoring IT systems, data, and infrastructure after an incident. Put simply, DRP gets the servers back; BCP keeps the company operating.

Driven by the BIA

Both plans flow from the Business Impact Analysis (BIA), which identifies critical functions and the cost of losing them over time. The BIA produces the targets that everything else is engineered against.

RTO and RPO

  • RTO (Recovery Time Objective) — the maximum acceptable time a function can be down before unacceptable harm. It drives recovery speed: a short RTO pushes you toward hot sites and automated failover.
  • RPO (Recovery Point Objective) — the maximum acceptable amount of data loss measured in time. A 15-minute RPO means backups or replication every 15 minutes.
  • MTD (Maximum Tolerable Downtime) — the absolute ceiling; RTO must be shorter than MTD.

A common trap is swapping RTO and RPO. Anchor it: RTO is about time to recover, RPO is about how much data.

What interviewers look for

That you frame DRP as a technical subset of the broader BCP, define RTO and RPO without confusing them, and connect both metrics back to the BIA and to concrete choices like backup cadence and recovery-site tiers.

Likely follow-ups

  • What is a Business Impact Analysis and why does it precede both plans?
  • How do RTO and RPO influence backup frequency and site strategy (hot/warm/cold)?
  • What is the MTD and how does it relate to RTO?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.