Risk assessment on BCP

1. Write the methodology (EBIOS: 2010 complying with ISO 27005)
2. Prepare Metrics (confidentiality, Integrity, Availability, Impact, Likelihood, risk apetite, maturity of controls...)
3. Risk management criterias
4. Essential Assets (Process)
5. Support Asset (Hardware, Software, network Links, persons, papers..)
6. Link between Essential assets and support assets
7. threat sources (humans, non humans ..)
8. Feared events (concerning the essential assets)
9. Threats scenarios (concerning the support assets)
10. Risk analysis (Impact, Likelihood, risk level, existing controls, Annex A, Prevention, protection, recovery, maturity, Action Plan , and recalcul Impact, Likelihood, Residual risk level, and acceptance of residual risk)

Is this methodology correct ? And what is next to do for continuing the implementation of BCP? I know I'm using the ISMS risk management methodology, is this right ?

Answer:

First it is important to note that risk a ssessment is mostly related to Business impact analysis (BIA), when you define which business processes and services are more critical, not Business Impact Plan (BCP), when you define actions to handle a disaster situation.

Considering that, ISO 22301 does not prescribe which risk methodology approach to use, only that risk assessment must be performed, so you can adopt any methodology you see fit for your organization, and the risk assessment and treatment methodology for an ISO 27001 ISMS can be adopted.

The single point of attention is that for business risk analysis you have to consider additional criteria than only confidentiality, integrity and availability (e.g., financial, environmental, etc.), so I'd suggest you to also consult ISO 31000 as reference, since it can provide additional criteria.

These articles will provide you further explanation about BIA, BCP and ISO 31000:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/ (the concepts on this article can also be applied to ISO 22301).