There is often discussion and confusion over the definition of the terms BCP and DR. My view is that BCP is about ensuring that adequate temporary measures are brought into play as fast as required, so that ongoing customer activity is maintained. DR should focus on getting the original facilities back into full working order as quickly and cost-effectively as possible, so that the organisation can transition back from its temporary arrangements (the BCP) to more permanent ones.
Coming back to my starting point, “There is no such thing as 100% information security”: most people agree with this, and the logic then is that things will go wrong at some point no matter how many preventive measures you put in place. It is therefore of specific interest that very few organisations actually have a BCP and DR in place, and if they do, it is often not tested, trained for or regularly reviewed and updated.
Using my earlier example of a cloud service business, I think trust is a key word in the relationship between the service provider and the customer. What better way to create trust than to build and implement solid BCP and DRP (and here I mean not just paper plans, which anyone can produce, but plans you are regularly testing so you know they work and are appropriate)? As a service company, the key measure from a customer perspective is not only how you keep a great service running 99.9% of the time, but rather how you handle the situation where things have gone wrong. If I know you can perform in both scenarios, I will reward you with loyalty, repeat business and referrals.
What is your view… is BCP/DRP not worth doing, or definitely worth doing?