BIA and risk assessment
1 - Does the BIA include a risk assessment?
Answer: The risk assessment process is independent of the BIA process, but BIA can make use of the results of risk assessment to help improve the reliability of its results (by identifying the risks you’re most exposed to, you can focus on the consequences of those incidents). You should note that the ISO 22301 documentation toolkit does not include the risk assessment documents, but they can be purchased separately.
2 - Should the BIA questionnaire be different for every business unit in the company?
Answer: The general framework of the questionnaire is the same (what are the critical processes, how long you can support a disruption of the process, how much time you have to resume minimal and normal operations, etc.), but some questions may be adjusted according to each business unit (for example, a production unit may have specific questions about equipment, while research and development should add more questions related to information protection). You also should note that answers will be different from one department to another.
These articles will provide you with further explanation about BIA and risk assessment:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
These materials will also help you regarding BIA and risk assessment:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Mar 31, 2017