BUSINESS IMPACT ANALYSIS (BIA)
based on ISO 22301:2012
For SME (small to medium enterprise) in Service Industry
Approach for IT Disaster Recovery/Business Continuity
1. BC/DR Policy: Provides guidance on the prevention of, and recovery from, any disaster related to the Information Technology system.
2. Business Impact Analysis: Here we get information on the time-sensitivity of IT services to the business.
3. Risk Assessment: We find out which kinds of risk we are exposed to and the treatment options.
4. BC/DR Strategy: BIA & RA are key inputs; here we decide how to recover, choosing among the options.
5. BC/DR Plan: A documented set of procedures to recover and protect a business's IT infrastructure in the event of a disaster.
8.2: Business Impact Analysis & Risk Assessment
8.2.2 Business Impact Analysis
• Identify activities that support the provision of products and services
• Assess the impacts over time of not performing these activities
• Set prioritized timeframes for resuming these activities
• Identify dependencies and supporting resources
8.2.3 Risk Assessment
• Identify risks of disruption to the organization's prioritized activities
• Systematically analyze risk
• Evaluate which disruption-related risks require treatment
• Identify treatments commensurate with business continuity objectives and in accordance with the organization's risk appetite
Terminology Used
BC - Business Continuity
DR - Disaster Recovery
The BIA Process
• Identify main business functions
- e.g. Sales & Marketing, Customer Support, Accounts & Finance, HR, IT, etc.
• Identify major activities of each function
• Identify dependencies for all major activities
- Must include all prerequisites or facilitators
- For example, ICT infrastructure and ERP applications, Data Centre and Customer Contact Centre, vendors/partners/suppliers, etc.
• Quantify consequences of the loss of prerequisites
• Define RTO & RPO for critical IT services together with the business
Prioritization of IT Services
The prioritization of IT services is determined by the dependence of business processes/services on information systems. This provides the IT service criticality rating. The criticality rating is assigned after meetings with department heads and inputs from the business. Services with a High or Moderate criticality rating will be prioritized for redundancy and recovery in case of disruption.
Business Impact Analysis per department
Business Impact Analysis Summary
So our threshold, or maximum acceptable outage (MAO), for all IT services is 2 hours for time loss (RTO) and 1 hour for data loss (RPO).
If downtime > threshold (RTO, RPO), an IT disaster is declared and the recovery mechanism is activated.
Recovery Strategy Option: Cloud vs Colocation
UAE trends: All the leading banks and government entities (Abu Dhabi & Dubai) either have their own disaster recovery site or colocation with Etisalat, du or Emaar, as they are the leading providers.
Based on UAE trends along with the pros and cons, my recommendation is colocation for SME business.
Disaster Recovery Recommendation
Thank You
Abhijeet Upadeo is an Information Risk Enthusiast with 17+ years of industry experience.
+97150-9768198
abhijeet.au@gmail.com
www.linkedin.com/in/abhijeet-upadeo
https://twitter.com/abhijeet_au