BIA & RA Review Period
Neither ISO 27001 nor ISO 22301 prescribes how often the risk assessment and business impact analysis must be reviewed.
However, once a year really is the best practice because of the following:
1) If you are ISO 27001 or ISO 22301 certified, the certification auditor will want to see those reviews at each surveillance visit (which happen once a year - see this article: https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/)
2) If you perform reviews less often, then you are in danger that your RA / BIA will become too outdated, because the pace of change (especially in IT) is really quick.
Jan 12, 2016