Cyber Security Blog

CISSP Insights - Business Impact Analysis

Written by Abhi G | 16 February 2017

Business Impact Analysis (BIA) is an important step within the Risk Management process. In order to complete a BIA exercise, a Risk Manager should engage stakeholders via a series of meetings so that he/she has a thorough understanding of the impact to the business, and its consequences, should a risk materialise.

A Business Impact Analysis exercise helps the organisation understand:

  • What can go wrong.
  • What the impact could be to information and other business assets.

The primary purpose of a BIA is to establish the stakeholders' perception of risk(s) in respect of their departments and the business processes they are involved with. It is important to note that discussions are held at managerial level and above, and the objective is to understand:

  • What are the key assets?
  • Do any of the key assets hold personal information records?
  • What are the legal and regulatory obligations?
  • Are there any risks in not complying with these obligations?
  • Are there any economic, political, social or environmental risks involved?

The expectation of a BIA exercise is to understand the worst-case scenarios should any existing controls fail. For example, should there be a data breach, it would be plain that current strategies and controls have failed. Therefore, it is recommended that the processes and controls currently in practice be removed from the discussions in order to fully assess the possible impact of a data breach on the business should an event occur.

In addition, it is recommended to use a consistent scale to measure the impact and likelihood associated with a threat and asset. Risk managers can share these scales with stakeholders (business managers) during the Business Impact Analysis meetings. An example of Impact and Likelihood scales is as follows:

Impact scales

  • Low Impact (0): Loss of confidentiality, availability or integrity does not affect the organization's cash flow, legal or contractual obligations, or its reputation.
  • Moderate Impact (1): Loss of confidentiality, availability or integrity incurs costs and has a low or moderate impact on legal or contractual obligations, or the organization's reputation.
  • High Impact (2): Loss of confidentiality, availability or integrity has considerable and/or immediate impact on the organization's cash flow, operations, legal or contractual obligations, or its reputation.

Likelihood scales

  • Low likelihood (0): Existing security controls are strong and have so far provided an adequate level of protection. No new incidents are expected in the future.
  • Moderate likelihood (1): Existing security controls are moderate and have mostly provided an adequate level of protection. New incidents are possible, but not highly likely.
  • High likelihood (2): Existing security controls are low or ineffective. Such incidents have a high likelihood of occurring in the future.

The risk managers need to understand the retrospective risks (risks arising from events that have occurred in the past) as well as the prospective risks (risks that may occur in the future).

From a BIA exercise, a list of assets and their associated business risks will be highlighted, and the risk manager will then be able to add them to the business's existing risk register.

Write to us for a free copy of the Risk Register Template (with a sample risk record). 
