Guest user Created: Mar 13, 2019 Last commented: Mar 13, 2019

BIA and risk analysis

In the BCP Phases we found, Phase 2: Perform Risk Analysis and Phase 3 : Perform BIA . Is it mandatory to start with risk analysis or can we start with BIA then go to risk analysis. What is the best way ?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Mar 13, 2019

Answer:

Actually, ISO 22301 allows both approaches, and the choice for one or another will depend on your expectations:
- By doing BIA first you will have a prioritized list of processes and services that can impact the most of your business in case of disruptive incidents, then you can go to assess the most relevant risks for the most critical processes and services.
- By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e. the most potential disruptive incidents, then you can go to assess the impact on business regarding the processes and services affected by those risks.
Particularly, we prefer to do risk assessment first because this way, you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for d oing the business impact analysis (which focuses on consequences of those incidents).

This article will provide you further explanation about BIA and risk assessment:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

Quote

0 0

Guest

boukaiou Mar 13, 2019

Thank you so much for your response it was really helpfull

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Mar 13, 2019

Expert Advice Community