Expert Advice Community

BCM template content

Guest user Created:   Jun 07, 2019 Last commented:   Jun 07, 2019

I would like to clarify a few questions regarding the BCM template “22301_25999_En templates” which we bought:

Expert
Rhand Leal Jun 07, 2019

1. MSS being a critical service chosen for BCP. However MSS will have multiple inter dependency process like infra, service mgmt, endpoint.
a. So do we have to conduct BIA individually for every inter dependent process too or BIA will be done only for MSS but it takes inputs from inter dependent process?

Answer: In fact both approaches are acceptable (a BIA for each supporting process or a single BIA for MSS), and both have their own advantages and disadvantages, and you have to consider them to choose the best approach for your organization:
- Performing a BIA for each supporting process is less complex and will require fewer people involved in each process (only the people directly involved in the process), but you have to evaluate the results of each BIA all together later, to have a picture for the MSS, and the independent BIAs may hide issues that can only be identified when analyzed together, and you may have to perform some BIAs again.

- Performing a single BIA for MSS will provide you a systemic picture of all situations that may cause disruption of MSS (e.g., failures on independent process that together can disrupt MSS), and probably will need to be performed only once, but it is a more complex process and you may have a problem to schedule meetings with all people involved.
By the way, included in the toolkit you bought you have access to a video tutorial that can help you perform BIA, including examples with real data.

For further information, please see: How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

2. Regarding “Business_Impact_Analysis_Methodology_EN”,
a. how do we complete the section 4 “Managing records kept on the basis of this document”?
i. Is the record linked to the specific document? E.g. business impact questionnaire analysis is the record for “Business_Impact_Analysis_Methodology_EN”.

Answer: Your assumption is correct. The business impact questionnaire analysis is a record for Business Impact Analysis Methodology, and you only have to define who is responsible for this record, where it is stored, controls used to protect this record and for how long you have to keep this record. Detailed information and examples can be found in comments included in the Business Impact Analysis Methodology template.

For further information please read: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

b. For 3.8 Maximum data loss (RPO), are we able to customize the timing or it is not advisable to do so?

Answer: The template is fully customizable, so you can change the values related to RPO to values that best fit your organization.

For further information please read: What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
