Incident Response and Business Continuity Plan – What’s the Difference?


Ever since the COVID-19 pandemic reached its peak last spring, many CISOs have been left scrambling to deal with the new normal of a 99% remote workforce. One of the lessons learned is the dire need for Incident Response (IR) and Business Continuity (BC) plans. But there is still confusion between the two, and this article separates out the differences.

What Incident Response & Business Continuity Are

What An Incident Response Plan Is

Technically speaking, an Incident Response Plan can be defined as follows:

“It is a set of instructions to help IT staff detect, respond to, and recover from network security incidents. These types of plans address issues like cybercrime, data loss, and service outages that threaten daily work.” (Source: Cisco)

Put in simpler terms, Incident Response means that you are reacting, in a very proactive way, to any security impacts that are affecting your business. Typically, many people think of this as a cyberattack, which is most often the case, but incidents could also involve natural disasters. IR planning means that you are acting on a specific threat vector at one certain point in time.

As it relates to the situation that we have now, a good IR Plan will dictate how you should mobilize your resources quickly and efficiently, so that your remote workforce can be deployed in a matter of a few hours versus the days that it took this time.

Although this will be examined in much further detail in the next section, a good IR Plan will typically consist of the following broad components:

  • How it supports the goals and objectives of your overall Security Policy;
  • What your approach to Incident Response will be;
  • The various activities that are needed in order to effectively mitigate the threat variant at hand;
  • Who the members of the Incident Response team will be, and what their specific roles are in a crisis situation;
  • The communication process that will take place;
  • The metrics that will be included in order to gauge the true effectiveness of your IR Plan.

It should be noted that bullet point #5, the communication process, is probably among the most important.

For example, you may have a great IR Plan on paper, but if the lines of communication actually break down in the event of a real-time security breach, then it will all come to naught.

Even before COVID-19 hit, CIOs and CISOs were ill-prepared for this kind of planning. For example, a recent study conducted by the Ponemon Institute found the following:

  • 77% of the respondents claimed that they do not even have an Incident Response Plan in place;
  • Only 32% had any faith that their particular IR Plan would even work;
  • 57% of the respondents claimed that the total time it takes to actually respond to and mitigate a security breach is lengthening to unfathomable levels.


Thus, as a CIO or CISO, you need to fully understand how Incident Response limits further damage, and it is as easy as this: a timely Incident Response greatly reduces the time that a cyberattacker can reside within your IT and network infrastructure and cause more damage. And of course, a timely response will only come from a rock-solid IR Plan.

What A Business Continuity Plan Is

Once again in technical terms, a Business Continuity Plan can be defined as follows:

“It is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources and business partners – every aspect of the business that might be affected.” (Source: IBM)

In other words, after you contain the threat variant with the IR Plan, the next step is determining how you will proceed to resume normal business operations ASAP. The primary difference between the Business Continuity (BC) Plan and the Incident Response Plan is that the former will take a much longer time frame to carry out, depending upon the severity of the security breach that took place.

As a CIO or CISO, it is also very important to keep in mind that Business Continuity is more of a phased-in approach.

For example, your first priority is to get your mission-critical applications up and running. These will typically be the applications that serve both your employees and customers. From that point, you then need to gradually, in steps, work back up to what you deem “normal business operations” to be.

So, as in the case of COVID-19, the IR Plan will help you to mobilize your remote workforce quickly, and the BC Plan will then help you to keep your employees working from home (WFH) in a safe and productive manner for the long haul, if need be.

As the CIO or CISO, you need to fully understand just how much impact any business downtime can have without the right BC Plan in place. Consider these statistics:

  • An infrastructure failure can cost a typical business at least $100,000 per hour;
  • A critical application failure can cost upwards of $500,000 to $1,000,000 per hour.


Now that the differences between the IR and BC plans have been reviewed, the next step is actually crafting these document sets. This can be a daunting task for any company. There are many templates available on the Internet that you can use to create them, but you are strongly cautioned not to take this kind of cookie-cutter approach.

Rather, they need to be tailored to the specific security needs and requirements of your business. In future articles, we will examine and detail some of the major components that need to go into both of these plans.

For questions on Incident Response or Business Continuity Plans, please reach out to speak to one of our Cybersecurity experts in Maryland today.
