Expert Advice Community

Guest

ISO 22301 Toolkit - BIA questionnaire questions

  Quote
Guest
Guest user Created:   Apr 30, 2021 Last commented:   May 10, 2021

ISO 22301 Toolkit - BIA questionnaire questions

Currently, I have several questions regarding the business impact analysis questionnaire. Let me ask you below.

1. Should each process (activity) fill part 2 of the worksheet? Or maybe only those that were rated on a scale of 3 and higher in the course of the analysis and also those activities indicated as necessary for their functioning?

2. With reference to qualitative estimation. In your opinion, is it good practice to define the scale of financial losses as described below for general estimation (point no. 3 of the questionnaire)? Do you often use such a solution?

1 - less than 1% of monthly revenues
2 - 1-10% of monthly revenues
3 - 10-30% of monthly revenues
4 - over 30% of monthly revenues

3. If I add revenue ranges in point no. 3 of the questionnaire, should I do this also in point no. 10?

4. If I have 2 locations in my company that perform the same processes, but separately - independently - should I analyze them separately or collectively? How about averaging the data in one questionnaire?

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Apr 30, 2021

1. Should each process (activity) fill part 2 of the worksheet? Or maybe only those that were rated on a scale of 3 and higher in the course of the analysis and also those activities indicated as necessary for their functioning?

Please note that when performing a Business Impact Analysis (BIA), or developing strategies and plans, you should do them on the basis of departments, not processes - because this is much less complex.

Considering that, you should fill part 2 of the worksheet in all applied questionnaires, because even if a department is not rated as critical enough by itself to require the development of a business continuity plan, its required resources, as saw in a systemic context, can justify a business plan. For example, if many low-rated departments depend on applications that are kept in the same environment (e.g., data center or server), you need to develop a business continuity plan related to the environment, because if the environment operation is disrupted, all department operations will stop at the same time.

For further information, see:

2. With reference to qualitative estimation. In your opinion, is it good practice to define the scale of financial losses as described below for general estimation (point no. 3 of the questionnaire)? Do you often use such a solution?

1 - less than 1% of monthly revenues
2 - 1-10% of monthly revenues
3 - 10-30% of monthly revenues
4 - over 30% of monthly revenues

Please note that section 4 already uses a quantitative assessment for financial losses, so you do not need to define this scale in section 3 (this would only make the process unnecessarily more complex).

3. If I add revenue ranges in point no. 3 of the questionnaire, should I do this also in point no. 10?

Considering the previous answer, you should keep section 10 the way it is provided in the template.

4. If I have 2 locations in my company that perform the same processes, but separately - independently - should I analyze them separately or collectively? How about averaging the data in one questionnaire?

In case they share the same characteristics, then you can use a single analysis, identifying in the questionnaire that it is applicable to 2 locations. In terms of resources, you need to specify the resources used by each location (using averaged data can lead to errors in resources estimation in the definition of business continuity plans).

Quote
0 1
Guest
Kamil May 05, 2021

Thank you for the answer. How to approach BIA analysis when some processes, e.g. related to IT or sales are maintained as part of services shared by a related company? The critical processes in my organization require them to function. In your opinion, should they do the BIA on their own or fill in my questionnaire?

Quote
0 0
Guest
Kamil May 06, 2021

*I mean critical activities. ;)

Quote
0 0
Guest
Kamil May 06, 2021

One more question. Please tell what is extactly difference between process and avtivity. According to standard:

1. process - a set of related or interacting activities that transform input data into output data

2. activity - a process or set of processes undertaken by an organization as a result of which a product / products or a service / services are provided.

 

What term is bigger? Can you give me an examples of activity and process in ISO22301 standard meanings?

Quote
0 0
Expert
Rhand Leal May 07, 2021

One more question. Please tell what is extactly difference between process and avtivity. According to standard:

1. process - a set of related or interacting activities that transform input data into output data

2. activity - a process or set of processes undertaken by an organization as a result of which a product / products or a service / services are provided.

What term is bigger? Can you give me an examples of activity and process in ISO22301 standard meanings?

In the current version of ISO 22301 (2019) we can find these definitions (by the time this answer was provided, ISO 22301 was available for free in read-only format at this link: https://www.iso.org/obp/ui/#iso:std:iso:22301:ed-2:v1:en

Process: a set of activities that transforms inputs into outputsActivity: a set of tasks with a defined output

Considering these definitions, process definition contains activity definition, so the process is the bigger term.

An example of the process in ISO 22301 is Business impact analysis, which consists of the following activities:

  • impact type definition
  • supporting activities identification
  • impact assessment
  • maximum tolerable period of disruption identification
  • definition of timeframes for resuming activities
  • prioritization of activities to be resumed
  • identification of required resources
  • determination of dependencies and interdependencies

This article will provide you a further explanation about business impact analysis:

These materials will also help you regarding business impact analysis:

Quote
0 1
Expert
Rhand Leal May 10, 2021

Thank you for the answer. How to approach BIA analysis when some processes, e.g. related to IT or sales are maintained as part of services shared by a related company? The critical processes in my organization require them to function. In your opinion, should they do the BIA on their own or fill in my questionnaire?

In situations like these, to comply with ISO 22301 you should fill out your BIA questionnaires only stating on which third parties you depend upon and for which activities.

You do not need to know the details on how to ensure they can properly support your processes, because with the information you identify in the BIA you can define business continuity capabilities as continuity clauses in the contracts or service agreements you have with them.

By the way, included in your toolkit you have access to a video tutorial that can help you fill in the BIA. 

Quote
0 1

Comment as guest or Sign in

HTML tags are not allowed

Apr 30, 2021

May 10, 2021

Suggested Topics

Guest user Created:   Jul 09, 2020 ISO 27001 & 22301
Replies: 1
0 0

BIA questionnaire

Guest user Created:   Mar 31, 2017 ISO 27001 & 22301
Replies: 1
0 0

BIA and risk assessment

Guest user Created:   Jan 13, 2016 ISO 27001 & 22301
Replies: 1
0 0

Interested party and BIA