The three phases of business impact assessment include:
Phase 1 establishes a program to conduct assessments by developing impact tables, identifying systems, and ensuring reliable results.
Phase 2 performs assessments by profiling systems, planning meetings, introducing assessments, having participants evaluate impacts of lost confidentiality, integrity and availability, determining requirements, and reviewing results.
Phase 3 provides tools like the BIA Assistant and forms like system profiles, impact tables, and rating summaries to structure the assessment process.
Phase 1: Business Impact Assessment
The main objectives of this phase are to determine the business security
requirements for a system and identify the appropriate next steps that need to be
taken to adequately protect information in that system.
These objectives are achieved by assessing the possible business impact that could
arise as a result of the compromise of the confidentiality, integrity and availability of
information.
The business impact assessment process is shown as follows:
I. Establishing a business impact assessment programme
Prior to conducting a business impact assessment there are a number of important
programme-related elements of work that should be undertaken. These activities
are generic and can be conducted at any time leading up to the assessment, to ensure
that business impact assessments are run in an effective and professional manner and
that reliable and trustworthy results are produced.
The key elements of work to be undertaken prior to performing a business impact
assessment are:
1. Developing a Business Impact Reference Table
• Determine the business impact types to be used
• Determine business impact measures and values
• Gain senior management sign off
2. Identifying the systems to be assessed
II. Performing a business impact assessment
1. Preparing for a business impact assessment
A: Determining the system profile
The main objective of this step is to gather key background information about the
system to be assessed.
B: Planning the assessment
The main objective of this step is to plan the meeting and prepare the information needed for the business impact assessment.
2. Conducting a business impact assessment
A: Introducing the assessment
The main objective of this step is to ensure participants are adequately prepared to
take part in the assessment.
The key activities to be undertaken during this step of the process are:
A1. Set the scene for the assessment
A2. Provide overview of the system
A3. Familiarize participants with the tools and forms
B: Assessing business impact
The purpose of this step is to ensure participants assess business impact in an
objective and considered manner.
The key activities to be undertaken during this step of the process are:
B1: Assess possible business impact for a loss of confidentiality
B2: Assess possible business impact for a loss of integrity
B3: Assess possible business impact for a loss of availability
C: Determining overall results
The main objectives of this step are to determine the business security requirements
and security classification for the system.
The key activities to be undertaken during this step of the process are:
C1: Transfer results to summary form
C2: Determine business security requirements and overall security classification
The following is an example of the business impact rating summary form:
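The rating summary form itself is not reproduced on this page. The following is an added worked example (not the page's own form or tooling) that implements the two steps it supports, C1 (transfer the three Business Impact Rating forms to the summary) and C2 (derive the business security requirements and overall classification), using a Business Impact Reference Table of the kind Phase 1 describes. The impact types, the five-step rating scale and the sample payroll-system ratings are all constructed assumptions; a real programme fixes its own types and values in the reference table and has senior management sign them off. The rule used here, that each property's requirement is its worst-case impact rating and the classification is the highest requirement, is likewise an assumption about how the summary is derived.

```python
"""Added example: aggregate Business Impact Rating forms (B1-B3) into the
summary form (C1) and derive requirements and classification (C2)."""
from dataclasses import dataclass

# Assumed Business Impact Reference Table (constructed for this example).
# The impact types and the ordered scale are assumptions, not values from the page.
IMPACT_TYPES = ("financial", "operational", "legal_regulatory", "reputational")
SCALE = ("negligible", "low", "medium", "high", "very_high")
PROPERTIES = ("confidentiality", "integrity", "availability")


def level(rating: str) -> int:
    """Ordinal position of a rating on the scale; rejects values not in the table."""
    if rating not in SCALE:
        raise ValueError(f"rating {rating!r} is not in the reference table")
    return SCALE.index(rating)


@dataclass(frozen=True)
class RatingForm:
    """One completed Business Impact Rating form for a single security property."""
    security_property: str
    impacts: dict  # impact type -> rating from SCALE

    def validate(self) -> None:
        """Reject incomplete or off-table forms so the summary is built on reliable input."""
        if self.security_property not in PROPERTIES:
            raise ValueError(f"unknown security property {self.security_property!r}")
        unknown = [t for t in self.impacts if t not in IMPACT_TYPES]
        if unknown:
            raise ValueError(f"{self.security_property}: unknown impact types {unknown}")
        missing = [t for t in IMPACT_TYPES if t not in self.impacts]
        if missing:
            raise ValueError(f"{self.security_property}: unrated impact types {missing}")
        for rating in self.impacts.values():
            level(rating)

    def worst_case(self) -> str:
        """Highest rating across all impact types on this form."""
        return max(self.impacts.values(), key=level)


def summarise(forms) -> dict:
    """C1: transfer each form to the summary. C2: requirement per property is its
    worst-case rating; overall classification is the highest requirement (assumed rule)."""
    by_property = {}
    for form in forms:
        form.validate()
        if form.security_property in by_property:
            raise ValueError(f"duplicate form for {form.security_property}")
        by_property[form.security_property] = form
    missing = [p for p in PROPERTIES if p not in by_property]
    if missing:
        raise ValueError(f"no rating form for {missing}")
    requirements = {p: by_property[p].worst_case() for p in PROPERTIES}
    classification = max(requirements.values(), key=level)
    return {
        "summary": {p: dict(by_property[p].impacts) for p in PROPERTIES},
        "requirements": requirements,
        "classification": classification,
    }


# Constructed sample input: three rating forms for a hypothetical payroll system.
SAMPLE_FORMS = [
    RatingForm("confidentiality", {"financial": "low", "operational": "low",
                                   "legal_regulatory": "high", "reputational": "medium"}),
    RatingForm("integrity", {"financial": "high", "operational": "medium",
                             "legal_regulatory": "medium", "reputational": "low"}),
    RatingForm("availability", {"financial": "medium", "operational": "medium",
                                "legal_regulatory": "negligible", "reputational": "low"}),
]

if __name__ == "__main__":
    result = summarise(SAMPLE_FORMS)
    for prop, requirement in result["requirements"].items():
        print(f"{prop:16s} requirement: {requirement}")
    print("overall classification:", result["classification"])
```

Validation runs before aggregation on purpose: an unrated impact type or a rating outside the reference table would silently skew the worst-case calculation, so the summary refuses to be produced until every form is complete, which is the "reliable and trustworthy results" property Phase 1 asks the programme to guarantee.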
D: Reviewing results
The main objectives of this step are to:
• Identify clearly the next steps to be taken after the assessment
• Document all post-business impact assessment actions to be undertaken
The key activities to be undertaken during this step of the process are:
D1: Review results of assessment
D2: Agree next steps
III. Tools and forms to use in a business impact assessment
1. Tools:
a) BIA Assistant (Microsoft PowerPoint, Microsoft Excel)
2. Forms:
a) Preparatory documents (e.g. invitation letter, System Profile form)
b) Business Impact Reference Table
c) Business Impact forms
• Business Impact Rating forms (confidentiality, integrity, availability)
• Business Impact Assessment Summary form