How to define criticality?

Guest post Created: Jan 12, 2016 Last commented: Jan 12, 2016

Based on the results of the BIA questionnaire, how can I define the criticality of my business process?

DejanK Jan 12, 2016
Juliano,

Your BIA questionnaire should be set to assess the impact of disruption for, e.g., 4 hours - 8 hours - 24 hours - 48 hours - 1 week. If the impacts of disruption are acceptable for, e.g., 4 hours and 8 hours, but for 24 hours and after they are not acceptable, this means your MAO (Maximum Acceptable Outage) is somewhere between 8 and 24 hours.

To determine MAO more precisely (where it is between 8 and 24 hours), you will have to consult with the owner of the process.
Guest post Jan 12, 2016
Dejan,

Actually, I want to identify the criteria that I can use to define the criticality of my business process, e.g.: mission critical, important, minor.

I understood how to identify the MAO/MTPD, but I think those are different things, right?

So, the BIA results will show:

Process A - Mission Critical - MAO 4 hours

Process B - Important - MAO 5 hours
DejanK Jan 12, 2016
Juliano,

Actually ISO 22301 does not require you to grade the criticality of your processes - it is either critical or not. If it is critical, the only thing that matters is how quickly it needs to recover - this is defined by MAO/RTO.
Guest post Jan 12, 2016
Dejan,

How do you define the priority of business process recovery? Do you use only the RTO, or quantitative impacts too?
DejanK Jan 12, 2016
Juliano,

Priority of recovery is determined on the basis of RTO - the activity with the shortest RTO will be recovered first. Quantitative impacts are an input for determining the RTO - for instance if the impact of disruption that lasts 24 hours is US$ 100,000, you can determine that this is not acceptable, so that your RTO needs to be less than 24 hours.