Expert Advice Community

Guest

BIA: IT processes and how to start

  Quote
Guest
Guest user Created:   Sep 18, 2020 Last commented:   Mar 19, 2021

BIA: IT processes and how to start

In reference to Dejan Kosutic webinar "Developing business continuity strategy according to ISO 22301" i want to ask 2 questions.

When searching information about Business Impact Analisys I found the video material from PECB where tutor said that IT processes are not implement during BIA. Are you agree with this statement or we should analyse IT operational processes too?

Second thing. How to start BIA if we have about 200 processes in organisation? Is it necessery to go trough BIA template for everyone or there is a smart hint how to filter these processes before we get started?

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 18, 2020

1 - When searching information about Business Impact Analisys I found the video material from PECB where tutor said that IT processes are not implement during BIA. Are you agree with this statement or we should analyse IT operational processes too?

Answer: Please note that during BIA you indeed do not work on implementing processes, so we agree with this statement, but you still can perform business impact analysis of IT operational processes, because this does not involve implementing or changing processes.

For further information, see:- Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/01academy/emy/ademy/my/blog/10/06/10/five-tips-for-successful-business-impact-analysis/

2 - Second thing. How to start BIA if we have about 200 processes in organisation? Is it necessery to go trough BIA template for everyone or there is a smart hint how to filter these processes before we get started?

Answer: To optimize your BIA, you should consider grouping your processes in departments, and then you can do only one BIA for a department with several processes on it.

 For further information, see:- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/01academy/emy/ademy/my/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

Quote
0 1
Kamil Mar 14, 2021

1 - When searching information about Business Impact Analisys I found the video material from PECB where tutor said that IT processes are not implement during BIA. Are you agree with this statement or we should analyse IT operational processes too?
Answer: Please note that during BIA you indeed do not work on implementing processes, so we agree with this statement, but you still can perform business impact analysis of IT operational processes, because this does not involve implementing or changing processes.

Dear Rhand,

It wasn't about implementing new processes during BIA. Perhaps it would be better to say: include IT processes in BIA analysis. According to the teacher, IT processes should not be analyzed in the BIA sheet, because it is a process supporting the main processes.

https://www.youtube.c********************** - from 16:30 to 20:00. "We're not interested in supporting functions." How should I understand that? Of course, IT processes do not generate direct financial losses for the main business, but they are very important for their implementation. How do you feel about these statements by the lecturer according to your experience?

For example, I have a core process for a company (eg, Patient Medical Care), management processes (eg, Financial Controlling), and supporting processes (eg, IT, vendor supervision). So should I not analyze IT processes using the BIA sheet? My core processes can't run without software or networking. The owners of the main process will indicate running the software as necessary to complete the process. So I think the process that maintains this software and network should also have a BCP Plan, e.g. in the event of a fire in a building where an IT team is working, even if as per the lecture I did not analyze this IT process with a BIA template. Do I understand correctly?

 

Greetings,

Kamil

Quote
0 0
Expert
Rhand Leal Mar 19, 2021

Our understanding is that nowadays it is difficult to find a company that does not rely on IT, so companies need to perform BIA on IT processes if they want to implement BCMS properly because they need:

  • to understand how quickly internal users need IT resources to recover
  • to understand which resources are needed for IT processes to be recovered.

Additionally, according to ISO 22301, the ISO standard for business continuity, all processes, not only business processes, need to be analyzed.

The point to be considered is that when IT processes are not part of the core business, you need first analyze core processes and consider their outputs for the IT BIA.

For example, in a manufacturing business, the processes directly related to manufacturing should be analyzed first (e.g., logistic, production line, etc.), and their outputs should be used as part of IT process BIA, but in the end, the IT process should always be part of the BIA.

For further information, see:

These materials will also help you regarding BIA:

Quote
0 0
Expert
Rhand Leal Mar 19, 2021

Our understanding is that nowadays it is difficult to find a company that does not rely on IT, so companies need to perform BIA on IT processes if they want to implement BCMS properly because they need:

  • to understand how quickly internal users need IT resources to recover
  • to understand which resources are needed for IT processes to be recovered.

Additionally, according to ISO 22301, the ISO standard for business continuity, all processes, not only business processes, need to be analyzed.

The point to be considered is that when IT processes are not part of the core business, you need first analyze core processes and consider their outputs for the IT BIA.

For example, in a manufacturing business, the processes directly related to manufacturing should be analyzed first (e.g., logistic, production line, etc.), and their outputs should be used as part of IT process BIA, but in the end, the IT process should always be part of the BIA.

For further information, see:

These materials will also help you regarding BIA:

Quote
0 1

Comment as guest or Sign in

HTML tags are not allowed

Sep 18, 2020

Mar 19, 2021