ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines


Have a question on ISO 27001 or ISO 22301?

Ask an Expert

Free eBook

Free eBook 9 Steps to Cybersecurity
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
Sign up for our free Newsletter and as bonus you'll receive my tips on how to launch an information security and business continuity project.



ISO 22301: An overview of BCM implementation process


September 10, 2014


Five Tips for Successful Business Impact Analysis

'By 'Dejan Kosutic on June 10, 2010

You have probably wondered why you have to perform business impact analysis (BIA) once you already did the risk assessment. You identified all the risks, didn’t you? Spent quite a lot of time analyzing your company, why then yet another analysis?

Well, the purpose of BIA is different. In business continuity everything is about time – it doesn’t matter if you can recover your business activities if it isn’t achieved in reasonable time. “Reasonable” is what the BIA has to determine – its main purpose is to find out what the recovery time objective is for each critical activity within an organization.

This kind of analysis is often taken lightly – first, the company is usually not aware that wrong results could incur unnecessary expenses or create an inadequate business continuity strategy, but also the effort needed to perform BIA is underestimated.

Therefore, here are some tips that will make your business impact analysis more effective:

Treat it as a (mini) project. Define the person responsible for its implementation and his or her authority; define the scope, objectives, and time frame.

Do your homework, prepare a good questionnaire. A well structured questionnaire will save you quite a lot of time, and will make the results more accurate. BS 25999-1 and BS 25999-2 standards will give you a fairly good idea about what it must contain – among other things, you have to identify impacts resulting from disruptions and determine how these vary over time, identify the resources needed for recovery etc. It is a good practice to use both qualitative and quantitative questions to identify impacts.

Define clear criteria. If your interviewees have to answer questions by assigning values for instance from 1 to 5, be sure to explain exactly what each of these five marks means. It is not uncommon that the same event is evaluated as catastrophic by the lower-level employees, while top management assesses its impact as moderate.

Collect data through human interaction. The best results are achieved when someone skilled in business continuity performs an interview with the person responsible for a critical activity. That way a lot of unresolved questions are cleared, and well-balanced answers are achieved. If interviews are not feasible, do at least one workshop with all the participants so they can ask everything that is troubling them. In other words, don’t just send them the questionnaires and scold them if they didn’t send them back in time.

Determine the recovery time objectives only after you have identified all the interdependences. For instance, through the questionnaire you might conclude that for critical activity “A” the maximum tolerable period of disruption is 2 days; however, the maximum tolerable period of disruption for critical activity “B” is 1 day and it cannot recover without the help of critical activity A. This means that the recovery time objective for “A” will be 1 day instead of 2 days.

In my experience, the results of BIA are often unexpected – usually the recovery time objective is longer than it was initially thought, and BIA reveals dependencies on some resources that are actually a single point of failure. But the best thing of all, business impact analysis is the most effective way to get people thinking about the unexpected – by creating such awareness, you increase the chances of your company’s survival.

You can also check out our webinar BS 25999-2 Foundations Part 1: Business Impact Analysis (commercially sold training).

  • Vusi Lesetedi

    While doing a BIA on one of our business incubators, a team member asked a question on “the worst case scenario.” Initially we had agreed that the worst case scenario would be UNAVAILABILITY OF FACILITIES, e.g. the building is not available due to a fire or earthquate etc. This would mean that the incubatees would not have a place to operate in. In terms of recovery priorities, what do you do first- Naturally you want to set up the incubatees in a temporary place so they can perform their very critical activities while the main building is being repaired. The business activity/ objective of recruitment/ enrolment of incubatees becomes insignificant in this scenario as the RTO may be as long as it takes for the building to be fully restored and operational. BUT there was another “the worst case scenario” being the death of/ resignation of and/or contract termination by ALL the incubatees. The business activity/ objective of recruitment/ enrolment of incubatees becomes a priority with a much shorter RTO than in the initial scenario. How you best advise us to continue with these two worse case scenarios. What is the ultimate the worst case scenario and what does best practice suggest?


  • Dejan Kosutic

    Hi Vusi,

    If I understood well the situation you have described, it seems to me that the worst case scenario for you is the unavailability of your facilities – in that case you would have to provide alternative location for your incubatees in rather short time.

    It might seem funny, but I think that unavailability of your incubatees is not worst case scenario in perspective of business continuity – I guess that you are searching for new incubatees all the time, regardless of a disaster. This is your regular job, for which you do not need business continuity plans. Such scenario is of course the worst case scenario for your incubatees, but not to you because I understood that you are providing services to them.