Business Impact Analysis (BIA) is a systematic process used to identify and evaluate the potential consequences of disruptions to critical business processes and information systems. The goal is to determine what would happen if a key process or system became unavailable and to set recovery priorities. It answers the question: “What are the impacts if this goes down?”
Core Components & Examples
A BIA goes beyond a simple risk assessment by focusing on the impact rather than the likelihood of an event. It helps an organisation identify:
- Critical Business Processes: Which activities are essential for the organisation’s survival?
  - Example: For an e-commerce company, the online payment processing system is a critical process.
- Maximum Tolerable Downtime (MTD): How long can a critical process be unavailable before the impact becomes unacceptable?
  - Example: A financial institution may have an MTD of 4 hours for its trading platform to avoid significant financial losses.
- Recovery Time Objective (RTO): The target time for restoring a critical process to a minimum acceptable level after a disruption.
  - Example: If the RTO for an online database is 12 hours, the IT team must have a plan to restore it within that timeframe.
- Dependencies: What resources (people, systems, suppliers) does a critical process rely on?
  - Example: The payroll process depends on the accounting software, electricity, and the finance department staff.
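The four components above are usually captured in a register and then checked for consistency: a process's RTO should not exceed its MTD, and a resource that a process depends on cannot be allowed a longer RTO than the process itself, otherwise the process can never meet its own target. The following is an added illustration, not part of the original page or of any ISO 27001 guidance: the process names, hours and the "dependency RTO must not exceed the dependent's RTO" rule are assumptions constructed for the example. It also derives an effective MTD for a shared dependency (such as electricity) as the tightest MTD of everything that relies on it, transitively.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Process:
    """One row of a BIA register (constructed example structure)."""
    name: str
    mtd_hours: float                         # Maximum Tolerable Downtime
    rto_hours: float                         # Recovery Time Objective
    depends_on: List[str] = field(default_factory=list)


def validate_bia(processes: List[Process]) -> List[str]:
    """Return human-readable findings; an empty list means the register is consistent."""
    by_name: Dict[str, Process] = {p.name: p for p in processes}
    findings: List[str] = []
    for p in processes:
        # Rule 1: the recovery target must sit inside the tolerable downtime window.
        if p.rto_hours > p.mtd_hours:
            findings.append(
                f"{p.name}: RTO {p.rto_hours:g}h exceeds MTD {p.mtd_hours:g}h")
        for dep in p.depends_on:
            d = by_name.get(dep)
            if d is None:
                # Rule 2: every dependency must itself be analysed.
                findings.append(f"{p.name}: dependency '{dep}' has no BIA entry")
            elif d.rto_hours > p.rto_hours:
                # Rule 3 (assumed): a dependency cannot recover slower than the process needing it.
                findings.append(
                    f"{p.name}: dependency '{dep}' RTO {d.rto_hours:g}h "
                    f"exceeds own RTO {p.rto_hours:g}h")
    return findings


def effective_mtd(processes: List[Process], name: str) -> float:
    """Tightest MTD among `name` and every process that (transitively) depends on it."""
    by_name = {p.name: p for p in processes}
    dependents: Dict[str, List[str]] = {p.name: [] for p in processes}
    for p in processes:
        for dep in p.depends_on:
            if dep in dependents:             # unknown dependencies are reported by validate_bia
                dependents[dep].append(p.name)
    tightest = by_name[name].mtd_hours
    seen, stack = {name}, [name]
    while stack:                              # walk the reverse dependency graph; `seen` guards cycles
        cur = stack.pop()
        for up in dependents[cur]:
            if up not in seen:
                seen.add(up)
                tightest = min(tightest, by_name[up].mtd_hours)
                stack.append(up)
    return tightest


# Constructed sample register (hours are illustrative, not from any real organisation).
SAMPLE = [
    Process("trading_platform", mtd_hours=4, rto_hours=2,
            depends_on=["electricity", "market_data_feed"]),
    Process("market_data_feed", mtd_hours=4, rto_hours=1),
    Process("online_payments", mtd_hours=8, rto_hours=12),      # RTO > MTD on purpose
    Process("payroll", mtd_hours=72, rto_hours=24,
            depends_on=["accounting_software", "electricity", "finance_staff"]),
    Process("accounting_software", mtd_hours=48, rto_hours=36),  # slower than payroll's RTO
    Process("electricity", mtd_hours=24, rto_hours=8),           # shared by trading and payroll
]

if __name__ == "__main__":
    for finding in validate_bia(SAMPLE):
        print("FINDING:", finding)
    print("effective MTD for electricity:", effective_mtd(SAMPLE, "electricity"), "h")
```

Run as-is, the sample produces four findings (the payments RTO that overshoots its MTD, the accounting software that recovers too slowly for payroll, the unanalysed finance staff dependency, and electricity's 8-hour RTO that the trading platform cannot tolerate) and reports that electricity inherits the trading platform's 4-hour MTD even though its own entry says 24 hours. That inherited figure is the number a continuity plan has to budget for.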
ISO 27001 Context
The BIA is a foundational element for both risk assessment and business continuity in the ISO 27001 framework. It provides the data needed to prioritise risks properly, justify the cost of security controls, and create effective disaster recovery and business continuity plans. It is a key part of the Clause 4.1 requirement, Understanding the Context of the Organisation (see The Ultimate Guide to ISO 27001 Clause 4.1), and is directly linked to the Annex A controls on business continuity management, in particular ISO 27001 Annex A 5.30 ICT Readiness For Business Continuity.