Expert Advice Community


Risk assessment and BIA

Guest
Guest user Created:   Apr 17, 2019 Last commented:   Apr 17, 2019

I need some assistance with the Risk assessment and the BIA. Here are my concerns/questions:
Expert
Rhand Leal Apr 17, 2019

1. Which one would I do first and why?

Answer: Actually, there is no definitive order in which to perform risk assessment and business impact analysis, and the choice of one or the other will depend on your expectations:
- By doing BIA first you will have a prioritized list of the processes and services that can impact your business the most in case of disruptive incidents; then you can go on to assess the most relevant risks for the most critical processes and services.
- By doing risk assessment first you will have a prioritized list of the risks your organization is most exposed to, i.e., the most potentially disruptive incidents; then you can go on to assess the impact on the business regarding the processes and services affected by those risks.

In particular, we prefer to do risk assessment first because this way you will have a better impression of which incidents can happen (which risks you're exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on the consequences of those incidents).

This article will provide you with further explanation about BIA and risk assessment:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis//

2. Do I include the BIA risks in my risk register and if yes then do I reference the BC plans for the treatment plan?

As an example, would a fire be raised as a risk in the risk register as well as in the BC plans?

Answer: If the risks used to support the BIA process are related to information you want to protect with your ISMS (i.e., risks that impact information), then you need to include them in the risk register for ISO 27001.

These articles will provide you with further explanation about risk treatment and the SoA:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/knowledgebase/risk-treatment-plan-and-risk-treatment-process-whats-the-difference/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/