BIA or RA

Guest user Created: May 18, 2021 Last commented: May 18, 2021

Thank you Dejan for addressing my question during this webinar.

My confusion is which one comes first, BIA or RA. Also, how can the results of the RA be used in the BIA?

Expert
Rhand Leal May 18, 2021

Actually, there is no definitive order to perform Risk Assessment (RA) and Business Impact Analysis (BIA), and the choice for one or another will depend on your expectations:

  • By doing BIA first you will have a prioritized list of processes and services that can impact your business the most in case of disruptive incidents; then you can go on to assess the most relevant risks for the most critical processes and services.
  • By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e., the most potential disruptive incidents; then you can go on to assess the impact on business regarding the processes and services affected by those risks.

Particularly, we prefer to do a risk assessment first, because this way you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents).

For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and another with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical.

These articles will provide you with a further explanation about risk assessment and BIA:

These materials will also help you regarding risk assessment and BIA:
