(ISC)2 Certified in Cybersecurity Practice Exam

When should a business continuity plan (BCP) be activated?

• A. As soon as possible
• B. At the very beginning of a disaster
• C. When senior management decides
• D. When instructed to do so by regulators

The correct answer is: When senior management decides

A business continuity plan (BCP) is a strategic guide that outlines how a business will continue to operate during and after a disaster or unplanned disruption. The correct choice reflects the need for a structured and deliberate approach in activating a BCP. Senior management plays a critical role in this process because they understand the broader implications of a disaster and the organization's capabilities, resources, and risks. Their decision to activate the BCP ensures that the response is aligned with the organization's priorities and that all necessary resources and personnel are mobilized appropriately. The BCP being activated whenever senior management decides allows for a thorough assessment of the situation, ensuring that the organization is ready to respond effectively without rushing into action without proper information or strategy. This helps prevent further chaos and ensures a cohesive and well-coordinated response to the incident. Timeliness is essential, but merely acting as soon as a disaster is perceived could lead to panic and ineffective responses. Acknowledging that activation must come from a controlled decision process helps to limit confusion. The involvement of management ensures that there’s a clear communication strategy and operational plan in place. Regulator instruction or acting at the very beginning of a disaster can limit the effectiveness of a response if the plan is not well understood or fully prepared