MAO

Maximum Acceptable Outage) classificationsWe've received the following question: Question: "I would like more information on MAO classifications. Does 22301 require the use of "MAO by Activity" including, Marginal Impact, Acceptable Impact, High Impact and Catastrophic Impact?" Answer: Yes, ISO 22301 requires the use of MAO (Maximum Acceptable Outage) for each activity when conducting the Business Impact Analysis. The classifications: Marginal Impact, Acceptable Impact, High Impact and Catastrophic Impact are suggestions, not mandatory, others classifications and different levels can be used. Classifications should be used in conjunction with the duration of the Outage. A possible approach should be: You define a table with time duration eg. (2 hours; 4 hours; 8 hours, 24 hours, 48 hours and 1 week) in columns and lines with some questions than could reflect the impact of the outage for each time duration. Then fill the answers in each intersection with impact classification bellow time duration. Example of questions: How will your clients react to a disruption? Wh at will be the impact to other activities? How difficult will it be to catch up on the backlog of work? etc. So with this approach you can address the MAO requirement in each activity. You can also have a look in the following link: Benefit of perfoming BIA for a single department https://community.epps.eu/forum/iso-27001-iso-22301-suppor********************************************************* Hope it helps. Thanks