Hi, is it still allowed to perform a BIA for whole departments with the new 22301?
Our departments are:
Production
IT
Administration
Customer Support
...
22301:2019 says an activity is a set of tasks. 22301:2012 was an activity is a set of processes as far as i know.
The problem is for example our IT does a lot of things like User Support with Ticket System, running servers, VMs, server applications usw., Performing Backups
But they are only 2 system adminstrators. So when i perform a BIA for
User Support
Running Servers
Running Applications
Backups
...
the main ressources are the same like IT-Administrators, Physical Servers...
Makes no sense for me when i write a plan. 2 System administrators with x plans.
I also have the problem in other departments. They do a lot of things, but not all the time. Like 5-10 "Tasks/activitys" or how i should call it in each department. Same employees with partially the same applications. Ressources are desk, thin client, monitor, building and so on.
So when i make a bia the department boss has to define how much employees he needs after a disaster and when. But that's impossible to define, when the employees that perform these task are the same. Furthermore as the ressources are the same we have x plans and after 1 plan is implemented the whole department can nearly perform all these 5-10 tasks/activitys.
Best regars!
Mario
Assign topic to the user
Yes, it is still allowed to perform Business Impact Analysis (but also to develop the Business Continuity Strategy and Business Continuity Plans) based on departments. This is because related activities or tasks are normally performed within the same departments.
The following article was written with ISO 22301:2012 in mind, but is equally applicable to 2019 revision: How to define activities when implementing business continuity according to ISO 22301 https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/
Comment as guest or Sign in
Oct 13, 2020