Study Guide: CompTIA Security+ BCP/DRP - Hyper-Practical Study Guide
Source: https://www.fatskills.com/comptia-security-/chapter/tech-comptia-security-bcpdrp-hyper-practical-study-guide

CompTIA Security+ BCP/DRP - Hyper-Practical Study Guide

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.



1. What This Is & Why It Matters

BCP (Business Continuity Planning) and DRP (Disaster Recovery Planning) are your insurance policies for when things go wrong—whether it’s a ransomware attack, a data center flood, or a misconfigured rm -rf / command. In CompTIA Security+, this is Domain 2.5 ("Explain the importance of policies, procedures, and controls").

Why it matters in production:

  • If you ignore BCP/DRP, a single disaster can wipe out your company (e.g., Code Spaces was permanently destroyed by a DDoS attack in 2014 because they had no off-site backups).
  • If you do it right, you can recover from a catastrophic failure in minutes (e.g., Netflix’s "Chaos Monkey" intentionally breaks things to test DRP).

Real-world scenario: You’re a cloud engineer at a fintech startup. Your CEO just asked: "If AWS us-east-1 goes down, how long until our app is back online?" If you can’t answer in minutes, you’re failing at BCP/DRP.


2. Core Concepts & Components

  • RTO (Recovery Time Objective): How long until the system is back online?
    Production insight: If your RTO is 4 hours but your database takes 6 hours to restore, you’re screwed.

  • RPO (Recovery Point Objective): How much data can you afford to lose?
    Production insight: If your RPO is 15 minutes but your backups run hourly, you’re violating your SLA.

  • MTD (Maximum Tolerable Downtime): The absolute longest your business can survive without the system.
    Production insight: If your MTD is 24 hours but your RTO is 36 hours, you need a better plan.

  • Failover vs. Failback: Failover = Switch to a backup system. Failback = Switch back to the primary system.
    Production insight: If you don’t test failback, you’ll be stuck on the backup system forever.

  • Hot Site vs. Cold Site vs. Warm Site
    • Hot Site: Fully operational backup (e.g., AWS multi-region deployment).
    • Warm Site: Partially operational (e.g., a server with backups but no live data).
    • Cold Site: Just a room with power (e.g., a rented data center with no equipment).
    Production insight: Hot sites cost $$$, but cold sites take days to recover.

  • Backup Types
    • Full Backup: Everything, every time.
    • Incremental Backup: Only changes since the last backup.
    • Differential Backup: Only changes since the last full backup.
    Production insight: Incremental backups are fast but slow to restore (you need the full backup + every incremental since then).

  • Redundancy (N+1, 2N, 2N+1)
    • N+1: One extra component (e.g., 2 servers for 1 workload).
    • 2N: Double the components (e.g., 2 servers for 1 workload, each capable of handling the full load).
    • 2N+1: Double + one extra (e.g., 3 servers for 1 workload).
    Production insight: 2N is expensive but ensures no single point of failure.

  • Tabletop Exercise: A simulated disaster to test your BCP/DRP.
    Production insight: If you don’t run these, your plan will fail when it matters.
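The definitions above can be checked against a real backup catalogue. The following is an added example, not part of the original guide: it works out which backups a restore needs for incremental and differential schedules and compares the result with the RPO, RTO and MTD targets. The schedule, restore durations and targets are constructed assumptions.

```python
from datetime import datetime, timedelta

def restore_chain(backups, failure_time):
    """Backups needed, in restore order; backups is a list of (kind, taken_at)."""
    usable = sorted((b for b in backups if b[1] <= failure_time), key=lambda b: b[1])
    fulls = [b for b in usable if b[0] == "full"]
    if not fulls:
        raise ValueError("no full backup precedes the failure")
    chain = [fulls[-1]]
    later = [b for b in usable if b[1] > chain[0][1]]
    # A differential holds every change since the last full: only the newest is needed.
    diffs = [b for b in later if b[0] == "differential"]
    if diffs:
        chain.append(diffs[-1])
    # An incremental holds changes since the previous backup: every later one is needed.
    pivot = chain[-1][1]
    chain += [b for b in later if b[0] == "incremental" and b[1] > pivot]
    return chain

def assess(backups, failure_time, restore_minutes, rpo, rto, mtd):
    """Compare what a restore would deliver with the RPO, RTO and MTD targets."""
    chain = restore_chain(backups, failure_time)
    data_loss = failure_time - chain[-1][1]
    recovery = timedelta(minutes=sum(restore_minutes[kind] for kind, _ in chain))
    return {
        "chain": [kind for kind, _ in chain],
        "data_loss": data_loss,
        "recovery_time": recovery,
        "meets_rpo": data_loss <= rpo,
        "meets_rto": recovery <= rto,
        "rto_within_mtd": rto <= mtd,
    }

# Constructed sample: a full backup at midnight, another backup every 6 hours, failure at 20:30.
DAY = datetime(2024, 1, 1)
FAILURE = DAY + timedelta(hours=20, minutes=30)
MINUTES = {"full": 120, "incremental": 20, "differential": 45}  # assumed restore durations
TARGETS = dict(rpo=timedelta(hours=1), rto=timedelta(hours=4), mtd=timedelta(hours=24))

def schedule(kind):
    return [("full", DAY)] + [(kind, DAY + timedelta(hours=h)) for h in (6, 12, 18)]

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        print(kind, assess(schedule(kind), FAILURE, MINUTES, **TARGETS))
```

Both schedules miss the 1-hour RPO here because the newest backup is 2.5 hours old at the time of failure; the incremental chain needs four restores against two for the differential one.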


3. Step-by-Step ‘Hands-On’ Section

Task: Deploy a Multi-Region AWS Backup Plan with RTO < 15 Minutes

Prerequisites:

  • AWS account with admin IAM permissions.
  • A running EC2 instance (or RDS database) to back up.

Step 1: Create a Backup Vault

aws backup create-backup-vault --backup-vault-name "DRP-Vault" --region us-east-1

Verify:

aws backup list-backup-vaults --region us-east-1

Step 2: Define a Backup Plan

Create a file backup-plan.json. The rule runs daily at 5 AM UTC and keeps backups for 30 days (JSON does not allow comments, so these notes stay outside the file):

{
  "BackupPlanName": "DRP-Plan",
  "Rules": [
    {
      "RuleName": "Daily-Backup",
      "TargetBackupVaultName": "DRP-Vault",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 180,
      "Lifecycle": {
        "DeleteAfterDays": 30
      }
    }
  ]
}

Apply the plan:

aws backup create-backup-plan --backup-plan file://backup-plan.json --region us-east-1

Step 3: Assign Resources to the Backup Plan

Get the backup plan ID (the BackupPlanId field in the output):

aws backup list-backup-plans --region us-east-1

Assign an EC2 instance (replace the instance ID and backup-plan-id):

aws backup create-backup-selection \
  --cli-input-json file://selection.json \
  --region us-east-1

Where selection.json is:

{
  "BackupPlanId": "backup-plan-id",
  "BackupSelection": {
    "SelectionName": "EC2-Backup",
    "IamRoleArn": "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole",
    "Resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0"]
  }
}

Step 4: Enable Cross-Region Replication

aws backup put-backup-vault-access-policy \
  --backup-vault-name "DRP-Vault" \
  --policy file://replication-policy.json \
  --region us-east-1

Where replication-policy.json is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "backup:CopyIntoBackupVault",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-west-2"
        }
      }
    }
  ]
}

Step 5: Test Failover to Another Region

  1. Simulate a disaster (e.g., terminate the EC2 instance in us-east-1).
  2. Restore from backup in us-west-2:

     aws backup start-restore-job \
       --recovery-point-arn "arn:aws:backup:us-west-2:123456789012:recovery-point:rp-1234567890abcdef0" \
       --metadata '{"InstanceType":"t3.micro"}' \
       --iam-role-arn "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole" \
       --region us-west-2

  3. Verify the restored instance is running:

     aws ec2 describe-instances \
       --filters "Name=tag:aws:backup:restore-point,Values=rp-1234567890abcdef0" \
       --region us-west-2

Expected output: A new EC2 instance in us-west-2 with the same data as the original.
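A restore in us-west-2 only works if recovery points actually exist there. AWS Backup copies them through a rule's CopyActions list (each entry names a DestinationBackupVaultArn), which the plan in Step 2 does not set. The following added example, not part of the original guide, audits a plan written in the AWS Backup API's Rules shape for that copy and for a schedule that fits the RPO. The vault name DRP-Vault-West and the 1-hour RPO are assumptions, and both plans are constructed.

```python
import re

def arn_region(arn):
    """The region is the fourth colon-separated field of an ARN."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]

def max_gap_hours(schedule_expression):
    """Longest gap between runs, read from the hours field of a six-field cron().
    Handles 'N', 'a,b,c', 'start/step' and '*'; assumes every day is scheduled."""
    m = re.fullmatch(r"cron\((.+)\)", schedule_expression.strip())
    fields = m.group(1).split() if m else []
    if len(fields) != 6:
        raise ValueError(f"unsupported schedule: {schedule_expression!r}")
    hours = "0/1" if fields[1] == "*" else fields[1]
    if "/" in hours:
        start, step = hours.split("/")
        runs = list(range(0 if start == "*" else int(start), 24, int(step)))
    else:
        runs = sorted(int(h) for h in hours.split(","))
    return max((b - a) % 24 or 24 for a, b in zip(runs, runs[1:] + runs[:1]))

def audit_plan(plan, source_region, rpo_hours):
    """Return findings for rules that miss the RPO or keep every copy in one region."""
    findings = []
    for rule in plan.get("Rules", []):
        name = rule.get("RuleName", "<unnamed>")
        gap = max_gap_hours(rule["ScheduleExpression"])
        if gap > rpo_hours:
            findings.append(f"{name}: backups up to {gap}h apart, RPO is {rpo_hours}h")
        copies = {arn_region(c["DestinationBackupVaultArn"]) for c in rule.get("CopyActions", [])}
        if not copies - {source_region}:
            findings.append(f"{name}: no copy to a vault outside {source_region}")
    return findings

# Constructed plans: DAILY mirrors the daily 5 AM rule from Step 2; HOURLY adds an
# hourly schedule and a copy to a hypothetical us-west-2 vault named DRP-Vault-West.
DAILY = {"BackupPlanName": "DRP-Plan", "Rules": [{
    "RuleName": "Daily-Backup", "TargetBackupVaultName": "DRP-Vault",
    "ScheduleExpression": "cron(0 5 ? * * *)"}]}
HOURLY = {"BackupPlanName": "DRP-Plan", "Rules": [{
    "RuleName": "Hourly-Backup", "TargetBackupVaultName": "DRP-Vault",
    "ScheduleExpression": "cron(0 * ? * * *)",
    "CopyActions": [{"DestinationBackupVaultArn":
        "arn:aws:backup:us-west-2:123456789012:backup-vault:DRP-Vault-West"}]}]}
if __name__ == "__main__":
    for plan in (DAILY, HOURLY):
        print(audit_plan(plan, "us-east-1", rpo_hours=1))
```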


4. Production-Ready Best Practices

Security

  • Encrypt backups (AWS KMS or customer-managed keys).
  • Least privilege for backup roles (e.g., don’t use AdministratorAccess for backups).
  • Enable MFA delete for S3 backups (if using S3 for backups).

Cost Optimization

  • Use S3 Intelligent-Tiering for backups (automatically moves data to cheaper storage).
  • Set lifecycle policies (e.g., move backups to Glacier after 30 days).
  • Avoid over-provisioning (e.g., don’t use 2N redundancy if N+1 is enough).

Reliability & Maintainability

  • Tag all backup resources (e.g., Environment=Production, BackupPlan=DRP).
  • Test backups monthly (automate with AWS Backup’s "Backup Audit Manager").
  • Document failover procedures (e.g., "Run aws ec2 start-instances --instance-ids i-12345678 in us-west-2").

Observability

  • Set CloudWatch alarms for failed backups:

    aws cloudwatch put-metric-alarm \
      --alarm-name "Backup-Failed" \
      --metric-name "NumberOfBackupJobsFailed" \
      --namespace "AWS/Backup" \
      --statistic "Sum" \
      --period 300 \
      --threshold 1 \
      --comparison-operator "GreaterThanOrEqualToThreshold" \
      --evaluation-periods 1 \
      --alarm-actions "arn:aws:sns:us-east-1:123456789012:Backup-Alerts"

  • Monitor RTO/RPO (e.g., "Last backup was 2 hours ago, RPO is 1 hour").

5. Common Mistakes & Traps

| Mistake | Symptom | Fix/Prevention |
| --- | --- | --- |
| No off-site backups | AWS region outage = permanent data loss. | Use cross-region replication or 3rd-party backup (e.g., Veeam). |
| Untested backups | Backup restores corrupted data. | Test backups monthly (automate with AWS Backup). |
| No RTO/RPO defined | Recovery takes 24 hours, but business needs 4 hours. | Define RTO/RPO in SLAs and design backups accordingly. |
| Over-reliance on snapshots | Snapshots are not backups (they’re tied to the same region). | Use AWS Backup or S3 for backups. |
| No failback plan | Stuck on backup system forever. | Document and test failback procedures. |

6. Exam/Certification Focus

Typical Question Patterns

  1. "Which backup type is fastest to create but slowest to restore?"
     Answer: Incremental backup (you need the full backup + every incremental since then).

  2. "You need a cost-effective, highly available storage for infrequently accessed backups. Which S3 class?"
     Answer: S3 Glacier Deep Archive (cheapest, but retrieval takes 12+ hours).

  3. "What’s the difference between a hot site and a cold site?"
     Answer:
    • Hot site: Fully operational (e.g., AWS multi-region).
    • Cold site: Just a room with power (e.g., rented data center).

Key Trap Distinctions

  • RTO vs. RPO:
    • RTO: Time to recover (e.g., "System back online in 1 hour").
    • RPO: Data loss tolerance (e.g., "Lose no more than 15 minutes of data").
  • Failover vs. Failback:
    • Failover: Switch to backup.
    • Failback: Switch back to primary.

Common Scenario-Based Question

"Your company’s database is corrupted. You have a full backup from 24 hours ago and incremental backups every 6 hours. What’s the fastest way to restore?"

Answer: Restore the full backup + the latest incremental backup (not all incrementals).


7. Hands-On Challenge

Challenge:

You’re a cloud engineer at a startup. Your CEO just asked: "If our primary AWS region (us-east-1) goes down, how long until our app is back online?"

Your current setup:

  • A single EC2 instance in us-east-1.
  • No backups or multi-region setup.

Task: Design a cost-effective BCP/DRP plan with:

  • RTO < 30 minutes.
  • RPO < 1 hour.

Solution:
1. Enable AWS Backup for the EC2 instance (daily full backups + hourly incrementals).
2. Replicate backups to us-west-2 (cross-region).
3. Create an AMI of the EC2 instance and copy it to us-west-2.
4. Set up a CloudFormation template to launch the AMI in us-west-2 if us-east-1 fails.
5. Test failover by terminating the us-east-1 instance and launching the AMI in us-west-2.

Why it works:

  • RTO < 30 minutes: AMI launch + data restore from backup.
  • RPO < 1 hour: Hourly incremental backups.


8. Rapid-Reference Crib Sheet

| Term | Definition | Exam Trap |
| --- | --- | --- |
| RTO | Recovery Time Objective (time to recover). | Not the same as RPO! |
| RPO | Recovery Point Objective (data loss tolerance). | Not the same as RTO! |
| Hot Site | Fully operational backup. | Expensive, but fastest recovery. |
| Cold Site | Just a room with power. | Cheap, but slowest recovery. |
| Incremental Backup | Only changes since last backup. | Fast to create, slow to restore. |
| Full Backup | Everything, every time. | Slow to create, fast to restore. |
| Failover | Switch to backup system. | Don’t forget failback! |
| Failback | Switch back to primary system. | Often overlooked in DRP plans. |

9. Where to Go Next