Expert Advice Community

ISO 22301 Toolkit - BIA questionnaire questions

Guest
Guest user Created:   Apr 30, 2021 Last commented:   May 10, 2021

Currently, I have several questions regarding the business impact analysis questionnaire. Let me ask you below.

1. Should each process (activity) fill part 2 of the worksheet? Or maybe only those that were rated on a scale of 3 and higher in the course of the analysis and also those activities indicated as necessary for their functioning?

2. With reference to qualitative estimation. In your opinion, is it good practice to define the scale of financial losses as described below for general estimation (point no. 3 of the questionnaire)? Do you often use such a solution?

1 - less than 1% of monthly revenues
2 - 1-10% of monthly revenues
3 - 10-30% of monthly revenues
4 - over 30% of monthly revenues

3. If I add revenue ranges in point no. 3 of the questionnaire, should I do this also in point no. 10?

4. If I have 2 locations in my company that perform the same processes, but separately - independently - should I analyze them separately or collectively? How about averaging the data in one questionnaire?

Expert
Rhand Leal Apr 30, 2021

1. Should each process (activity) fill part 2 of the worksheet? Or maybe only those that were rated on a scale of 3 and higher in the course of the analysis and also those activities indicated as necessary for their functioning?

Please note that when performing a Business Impact Analysis (BIA), or developing strategies and plans, you should do them on the basis of departments, not processes - because this is much less complex.

Considering that, you should fill part 2 of the worksheet in all applied questionnaires, because even if a department is not rated as critical enough by itself to require the development of a business continuity plan, its required resources, as seen in a systemic context, can justify a business plan. For example, if many low-rated departments depend on applications that are kept in the same environment (e.g., data center or server), you need to develop a business continuity plan related to the environment, because if the environment operation is disrupted, all department operations will stop at the same time.

For further information, see:

2. With reference to qualitative estimation. In your opinion, is it good practice to define the scale of financial losses as described below for general estimation (point no. 3 of the questionnaire)? Do you often use such a solution?

1 - less than 1% of monthly revenues
2 - 1-10% of monthly revenues
3 - 10-30% of monthly revenues
4 - over 30% of monthly revenues

Please note that section 4 already uses a quantitative assessment for financial losses, so you do not need to define this scale in section 3 (this would only make the process unnecessarily more complex).

3. If I add revenue ranges in point no. 3 of the questionnaire, should I do this also in point no. 10?

Considering the previous answer, you should keep section 10 the way it is provided in the template.

4. If I have 2 locations in my company that perform the same processes, but separately - independently - should I analyze them separately or collectively? How about averaging the data in one questionnaire?

In case they share the same characteristics, then you can use a single analysis, identifying in the questionnaire that it is applicable to 2 locations. In terms of resources, you need to specify the resources used by each location (using averaged data can lead to errors in resources estimation in the definition of business continuity plans).

Guest
Kamil May 05, 2021

Thank you for the answer. How to approach BIA analysis when some processes, e.g. related to IT or sales are maintained as part of services shared by a related company? The critical processes in my organization require them to function. In your opinion, should they do the BIA on their own or fill in my questionnaire?

Guest
Kamil May 06, 2021

*I mean critical activities. ;)

Guest
Kamil May 06, 2021

One more question. Please tell what exactly is the difference between process and activity. According to the standard:

1. process - a set of related or interacting activities that transform input data into output data

2. activity - a process or set of processes undertaken by an organization as a result of which a product / products or a service / services are provided.


What term is bigger? Can you give me examples of activity and process in the ISO 22301 standard's meanings?

Expert
Rhand Leal May 07, 2021

One more question. Please tell what exactly is the difference between process and activity. According to the standard:

1. process - a set of related or interacting activities that transform input data into output data

2. activity - a process or set of processes undertaken by an organization as a result of which a product / products or a service / services are provided.

What term is bigger? Can you give me examples of activity and process in the ISO 22301 standard's meanings?

In the current version of ISO 22301 (2019) we can find these definitions (by the time this answer was provided, ISO 22301 was available for free in read-only format at this link: https://www.iso.org/obp/ui/#iso:std:iso:22301:ed-2:v1:en):

Process: a set of activities that transforms inputs into outputs

Activity: a set of tasks with a defined output

Considering these definitions, process definition contains activity definition, so the process is the bigger term.

An example of the process in ISO 22301 is Business impact analysis, which consists of the following activities:

  • impact type definition
  • supporting activities identification
  • impact assessment
  • maximum tolerable period of disruption identification
  • definition of timeframes for resuming activities
  • prioritization of activities to be resumed
  • identification of required resources
  • determination of dependencies and interdependencies

This article will provide you a further explanation about business impact analysis:

These materials will also help you regarding business impact analysis:

Expert
Rhand Leal May 10, 2021

Thank you for the answer. How to approach BIA analysis when some processes, e.g. related to IT or sales are maintained as part of services shared by a related company? The critical processes in my organization require them to function. In your opinion, should they do the BIA on their own or fill in my questionnaire?

In situations like these, to comply with ISO 22301 you should fill out your BIA questionnaires stating only which third parties you depend upon and for which activities.

You do not need to know the details on how to ensure they can properly support your processes, because with the information you identify in the BIA you can define business continuity capabilities as continuity clauses in the contracts or service agreements you have with them.

By the way, included in your toolkit you have access to a video tutorial that can help you fill in the BIA. 
