
Business Continuity vs Disaster Recovery: What CISA and CISM Candidates Must Know

By TK, March 6, 2026. Tags: exam-prep, certification

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are heavily tested on both the CISA and CISM exams. Yet many candidates confuse the two. Let's clarify once and for all.

BCP vs DRP: The Core Difference

A simple way to remember the difference: BCP is the umbrella — DRP is one component under it.

Key Metrics You Must Know

Recovery Time Objective (RTO)

The maximum acceptable time to restore a system after a disruption.

Example: "Our email system must be back within 4 hours"
Determines your recovery strategy and technology investment

Recovery Point Objective (RPO)

The maximum acceptable data loss measured in time.

Example: "We can afford to lose at most 1 hour of transactions"
Determines your backup frequency

Maximum Tolerable Period of Disruption (MTPD)

The absolute maximum time a business process can be unavailable before the organization faces unacceptable consequences.

MTPD is always greater than or equal to RTO
Also called Maximum Tolerable Downtime (MTD)

Mean Time to Repair (MTTR)

The average time to restore a failed component.

Mean Time Between Failures (MTBF)

The average time between system failures — measures reliability.

The Business Impact Analysis (BIA)

The BIA is the foundation of both BCP and DRP. It identifies:

Critical business processes and their dependencies
Impact of disruption (financial, operational, legal, reputational)
Recovery priorities — which processes to restore first
RTO and RPO for each critical process
Resource requirements for recovery

Exam tip: The BIA always comes FIRST, before any BCP/DRP strategies are developed. If a question asks about the first step in BCP development, the answer is usually "conduct a BIA."
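The relationships defined above (MTPD must be at least RTO, backup frequency must satisfy RPO, tested recovery time must fall within RTO, and availability derived from MTBF and MTTR) are exactly what an auditor checks against a BIA register. The following is an added example, not code from the article; the process names, hour values and the register layout are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcessMetrics:
    """One critical process from a BIA register (hypothetical fields)."""
    name: str
    rto_h: float                 # Recovery Time Objective, hours
    rpo_h: float                 # Recovery Point Objective, hours
    mtpd_h: float                # Maximum Tolerable Period of Disruption, hours
    backup_interval_h: float     # how often backups actually run, hours
    tested_recovery_h: float     # restore time measured in the last DRP test, hours

def check_process(p: ProcessMetrics) -> list[str]:
    """Return audit findings where the plan or its evidence violates the metrics."""
    findings = []
    if p.rto_h > p.mtpd_h:
        findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTPD {p.mtpd_h}h (MTPD must be >= RTO)")
    if p.backup_interval_h > p.rpo_h:
        findings.append(f"{p.name}: backups every {p.backup_interval_h}h cannot meet RPO {p.rpo_h}h")
    if p.tested_recovery_h > p.rto_h:
        findings.append(f"{p.name}: tested recovery {p.tested_recovery_h}h misses RTO {p.rto_h}h")
    return findings

def audit(register: list[ProcessMetrics]) -> list[str]:
    """Run every check over the whole register."""
    return [f for p in register for f in check_process(p)]

def recovery_order(register: list[ProcessMetrics]) -> list[str]:
    """Recovery priority: the process that can tolerate the shortest outage is restored first."""
    return [p.name for p in sorted(register, key=lambda p: p.mtpd_h)]

def availability(mtbf_h: float, mttr_h: float) -> float:
    """Steady-state availability from MTBF and MTTR: MTBF / (MTBF + MTTR)."""
    return mtbf_h / (mtbf_h + mttr_h)

# Constructed sample register; the values are illustrative, not from any real organization.
SAMPLE_REGISTER = [
    ProcessMetrics("email", rto_h=4, rpo_h=1, mtpd_h=8, backup_interval_h=1, tested_recovery_h=3.5),
    ProcessMetrics("order-processing", rto_h=2, rpo_h=1, mtpd_h=1.5, backup_interval_h=4, tested_recovery_h=2.5),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REGISTER):
        print("FINDING:", finding)
    print("restore order:", recovery_order(SAMPLE_REGISTER))
    print(f"availability at MTBF=2000h, MTTR=4h: {availability(2000, 4):.4%}")
```

In the sample, "email" passes every check while "order-processing" produces three findings, including an RTO that is longer than the MTPD, which is the contradiction the exam wants you to spot.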

Recovery Strategies (By Cost and Speed)

How This Appears on CISA vs CISM

CISA Exam Focus

Testing BCP/DRP controls and procedures
Auditing recovery plan adequacy and testing
Evaluating BIA methodology and completeness
Assessing whether RTO/RPO are being met

CISM Exam Focus

Managing the BCP/DRP program
Strategic decisions about recovery investments
Incident management integration with BCP
Reporting to senior management on preparedness

Common Exam Questions

Q: What is the FIRST step in BCP development?

A: Conduct a Business Impact Analysis (BIA)

Q: An organization's RPO is 4 hours. How often should backups run?

A: At least every 4 hours (or more frequently to provide margin)

Q: Which recovery site is BEST for critical real-time applications?

A: Hot site (provides near-zero RTO)

Q: What is the PRIMARY purpose of testing a DRP?

A: To verify that recovery procedures work as intended and meet RTO/RPO objectives

Test Types

Know these DRP test types for the exam:

Checklist Review — Distribute plans for review (least effective)
Tabletop/Walkthrough — Discuss scenarios with stakeholders
Simulation — Practice response to a simulated event
Parallel Test — Activate recovery site while primary continues
Full Interruption — Shut down primary, switch to recovery (most effective, highest risk)

Master BCP/DRP concepts with our CISA and CISM prep courses, complete with scenario-based practice questions.
