Expert Advice Community


BIA & RA Review Period

Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016


Please let me know if the business impact analysis and risk analysis can be reviewed/updated every 2 years or when there is a significant change in the business. Most BCP experts recommend that these need to be reviewed/updated at least annually.

DejanK Jan 12, 2016

Neither ISO 27001 nor ISO 22301 prescribes how often the risk assessment and business impact analysis must be reviewed.

However, once a year really is the best practice because of the following:

1) If you are ISO 27001 or ISO 22301 certified, the certification auditor will want to see those reviews at each surveillance visit (which happen once a year - see this article: https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/)

2) If you perform reviews less often, then you are in a danger that your RA / BIA will become too outdated because the pace of change (especially in IT) is really quick.
