How IR, BC, and DR Relate to Each Other
These three concepts are often confused but serve distinct purposes. Think of them as three sequential layers of organizational resilience:
- Incident Response (IR) kicks in first. Its job is to respond to abnormal operating conditions quickly enough that the business keeps running. IR is reactive.
- Business Continuity (BC) overlaps with and extends beyond IR. Its job is to keep critical business operations running during and through the crisis. BC is proactive and operational — it answers "how do we keep going?"
- Disaster Recovery (DR) is the last resort. If IR and BC both fail to prevent a significant disruption, DR activates to restore IT and communication systems and return the organization to normal operations.
Incident Response Terminology
The CC exam will test distinctions between these terms precisely — know each definition:
Incident Response Goals & Priority
The first and most important priority in any incident is life, health, and safety. Before anything else, always prioritize safety.
After safety, the primary goal is preparedness. An organization with a documented, tested IR plan before an incident occurs will respond far more effectively than one improvising in the moment.
The Four Phases of Incident Response
1. Preparation
This phase happens before any incident occurs:
- Developing and gaining management approval for an IR policy
- Identifying critical data and systems, including single points of failure
- Training staff on IR procedures and their specific roles
- Establishing the Incident Response Team (IRT)
- Planning communication strategies — including backup channels in case primary communications are disrupted
- Practicing incident identification and first-response procedures
Your primary communication method may be unavailable during a crisis. Phone trees, backup contact numbers, and out-of-band communication channels must be planned in advance — not improvised during the incident.
2. Detection and Analysis
- Monitor all possible attack vectors
- Analyze the incident using known data and threat intelligence
- Prioritize the response based on impact and urgency
- Standardize incident documentation so findings are communicated consistently
3. Containment, Eradication, and Recovery
- Contain the damage — isolate affected systems to prevent the incident from spreading
- Gather forensic evidence while preserving its integrity
- Identify the attacker and the attack vector if possible
- Eradicate the root cause — remove malware, close vulnerabilities, reset compromised credentials
- Recover — restore systems to normal operation from verified clean backups
4. Post-Incident Activity
- Document lessons learned — what worked, what didn't, what needs to change
- Preserve evidence that may be needed for legal or compliance purposes
- Update the IR plan based on what was learned
- Conduct a retrospective with the team
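The phases above say to gather forensic evidence "while preserving its integrity" and to preserve evidence for later legal or compliance use, but do not show what that looks like in practice. The following is an added example, not part of the study guide: it builds a SHA-256 hash manifest over collected artifacts at collection time and re-verifies it later, so any artifact that was altered, removed, or added after collection is flagged. The case id, collector id, file names and file contents are constructed for the demonstration.

```python
"""Added example: a tamper-evident evidence manifest for incident response.
Not from the study guide; case id, collector and sample artifacts are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large artifacts (memory dumps, disk images) fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, collector: str) -> dict:
    """Record name, size and SHA-256 of every artifact, plus who collected it and when."""
    items = []
    for p in sorted(evidence_dir.iterdir()):
        if p.is_file():
            items.append({"name": p.name, "size": p.stat().st_size, "sha256": sha256_file(p)})
    # Hash the canonical JSON of the item list so edits to the manifest itself are detectable.
    canonical = json.dumps(items, sort_keys=True, separators=(",", ":")).encode()
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
        "items_sha256": hashlib.sha256(canonical).hexdigest(),
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return a list of problems found; an empty list means every artifact is intact."""
    problems = []
    canonical = json.dumps(manifest["items"], sort_keys=True, separators=(",", ":")).encode()
    if hashlib.sha256(canonical).hexdigest() != manifest["items_sha256"]:
        problems.append("manifest item list was altered")
    expected = {item["name"]: item for item in manifest["items"]}
    for name, item in expected.items():
        p = evidence_dir / name
        if not p.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"modified: {name}")
    for p in evidence_dir.iterdir():
        if p.is_file() and p.name not in expected:
            problems.append(f"unexpected: {p.name}")
    return problems


def demo() -> tuple:
    """Collect two constructed artifacts, verify them, alter one, and verify again."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d)
        # Constructed sample artifacts standing in for collected evidence.
        (ev / "auth.log").write_bytes(b"Jan 10 02:14:07 host sshd[412]: Failed password for root\n")
        (ev / "memory.dmp").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(ev, case_id="CASE-PLACEHOLDER", collector="analyst-01")
        clean = verify_manifest(ev, manifest)          # expected: []
        (ev / "auth.log").write_bytes(b"")              # simulate post-collection alteration
        tampered = verify_manifest(ev, manifest)       # expected: ["modified: auth.log"]
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its storage: keep it (or at least its `items_sha256` value) somewhere the evidence handlers cannot modify, such as a write-once case record, and re-run `verify_manifest` before evidence is analyzed, handed over, or presented. This is the mechanical half of a chain of custody; the procedural half (who held the evidence, when, and why) still has to be logged by the team.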
The Incident Response Team
A typical Incident Response Team (IRT) is a cross-functional group whose members usually include representatives from senior management, information security professionals, legal representatives, public affairs/communications staff, and engineering representatives.
When an incident occurs, the team's four primary responsibilities are:
- Determine the scope and extent of damage
- Determine whether confidential information was compromised
- Implement recovery procedures to restore security and repair damage
- Supervise implementation of additional security measures to prevent recurrence
Dedicated incident response teams are often called CIRTs (Computer Incident Response Teams) or CSIRTs. Organizations may also establish a SOC (Security Operations Center) — a centralized function that continuously monitors, detects, and analyzes events on the network.
Business Continuity Planning
The intent of a BCP is to sustain business operations while recovering from a significant disruption. The focus is on continuity — keeping the business running, not just fixing the technical problem. Key components:
- Team list: All BCP team members with multiple contact methods and designated backup members
- Immediate response procedures: Checklists for security, safety, fire suppression, and notification of emergency agencies
- Communication plan: Notification systems and call trees for alerting personnel
- Management guidance: Clear designation of authority — who can make which decisions
- Activation criteria: Clear triggers defining when and how the plan is enacted
- Supply chain contacts: Critical vendors, customers, external emergency providers
- Backup communication: Accounts for the possibility that normal phone and internet services may be unavailable
Disaster Recovery Planning
DR focuses on restoring IT and communications services after they have been disrupted. While BC is about keeping the business operating, DR is about getting the technology infrastructure back to full operational status. Key components:
- Executive summary: A high-level overview for leadership
- Department-specific plans: Each department knows its particular responsibilities during recovery
- Technical guides: Detailed instructions for IT personnel
- Full plan copies: Critical DR team members receive complete copies
- Checklists: Different checklists for IT staff (system restoration), managers (communication), and public relations (external messaging)