Expert Advice Community


Is the risk assessment done before the BIA?

Guest user Created:   Jan 03, 2017 Last commented:   Jan 03, 2017


In your experience is the risk assessment done before the BIA or after? Is it important which is done first?

Expert
Dejan Kosutic Jan 03, 2017

Answer: ISO 22301 (and most other business continuity methodologies) allow you to do it either way, and the truth is - I don't think there is a huge difference. My personal preference is to do the risk assessment first, because then you'll have a better impression of which incidents can happen while doing your business impact analysis.

You'll learn more here: Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
