Expert Advice Community

BIA ISO 22301:2019 department based allowed?

Created:   Oct 09, 2020 Last commented:   Oct 13, 2020


Hi, is it still allowed to perform a BIA for whole departments with the new 22301?

Our departments are:

Production

IT

Administration

Customer Support

...

22301:2019 says an activity is a set of tasks. In 22301:2012, an activity was a set of processes, as far as I know.

The problem is, for example, that our IT does a lot of things like user support with a ticket system, running servers, VMs, server applications, etc., performing backups.

But they are only 2 system administrators. So when I perform a BIA for

User Support

Running Servers

Running Applications

Backups

...

the main resources are the same, like IT administrators, physical servers...

It makes no sense to me when I write a plan. 2 system administrators with x plans.

I also have the problem in other departments. They do a lot of things, but not all the time. Like 5-10 "tasks/activities", or however I should call it, in each department. Same employees with partially the same applications. Resources are desk, thin client, monitor, building and so on.

So when I make a BIA, the department boss has to define how many employees he needs after a disaster and when. But that's impossible to define when the employees that perform these tasks are the same. Furthermore, as the resources are the same, we have x plans, and after 1 plan is implemented the whole department can nearly perform all these 5-10 tasks/activities.

 

Best regards!

Mario

 

 

 

 

 

 


Expert
Dejan Kosutic Oct 13, 2020

Yes, it is still allowed to perform Business Impact Analysis (but also to develop the Business Continuity Strategy and Business Continuity Plans) based on departments. This is because related activities or tasks are normally performed within the same departments.

The following article was written with ISO 22301:2012 in mind, but is equally applicable to the 2019 revision: How to define activities when implementing business continuity according to ISO 22301: https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/
