CISSP Insights - Business Impact Analysis

Posted by Abhi G

Feb 16, 2017 12:00:00 PM

Business Impact Analysis (BIA) is an important step within the Risk Management process. In order to complete a BIA exercise, a Risk Manager should engage stakeholders via a series of meetings so that he/she has a thorough understanding of the impact to the business, and its consequences, should a risk materliase.

A Business Impact Analysis exercise helps by understanding:

  • What can go wrong.
  • What the impact could be to information and other business assets.

The primary purpose of a BIA is to establish the stakeholder's perception to risk(s) in their respect of their departments and the business processes they are involved with.  It is important to note that discussions are held at managerial level and above and the objective is to understand;

  • What are the key assets?
  • Do any of the key assets hold personal information records?
  • What are the legal and regulatory obligations?  
  • Are there any risks in not complying with these obligations?
  • Are there are any economical, political, social or environmental risks involved?

The expectation of a BIA exercise is to understand the worst case scenarios should any existing controls to fail. For example, should there be a data breach it would be plain that current strategies and controls have failed.  Therefore, it is recommended that the processes and controls currently in practice should be removed from the discussions in order to fully assess the possible impact of a data breach on the business should an event occur.

cyber tabletop scenarios

In addition, it is recommended to use a consistent scale to measure the impact and likelohood associated with a threat and asset. Risk managers can share these scales with stakeholders (business managers) during the Business Impact Analysis meetings.  An example of Impact and Likelihood scales is as follow:

Impact scales

Low Impact


Loss of confidentiality, availability or integrity does not affect the organization's cash flow, legal or contractual obligations, or its reputation.

Moderate Impact


Loss of confidentiality, availability or integrity incurs costs and has a low or moderate impact on legal or contractual obligations, or the organization's reputation.

High Impact


Loss of confidentiality, availability or integrity has considerable and/or immediate impact on the organization's cash flow, operations, legal or contractual obligations, or its reputation.


Likelihood scales

Low likelihood


Existing security controls are strong and have so far provided an adequate level of protection. No new incidents are expected in the future.

Moderate likelihood


Existing security controls are moderate and have mostly provided an adequate level of protection. New incidents are possible, but not highly likely.

High likelihood


Existing security controls are low or ineffective. Such incidents have a high likelihood of occurring in the future.


New call-to-action

The risk managers need to understand the retrospective risks (risks arising from events that have occurred in the past) as well as the prospective risks (risks that may occur in the future).

From a BIA exercise, a list of assets and their associated business risks will be highlighted and the risk manager will then be able to add them to the business's existing risk register.  

Write to us for a free copy of the Risk Register Template (with a sample risk record). 

Get our Domain -1 Review notes 

Get more details on our CISSP Mentorship Programme
  New call-to-action

Recent Posts

Free CISSP Training

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • callOr call us on:
  • +44 (0) 203 189 1422