Handbook of Information Security Management: Risk Management and Business Continuity Planning


Section 3-3
Distributed Systems BCP

Chapter 3-3-1
The Business Impact Assessment Process

Carl B. Jackson

Business continuity planning (BCP) is a business issue, not a technical one. While each component of the business participates to a greater or lesser degree during the evolution, testing, and maintenance of BCPs, it is in the business impact assessment (BIA) process where the initial widespread interaction with staff and management takes place. The successful outcome of the BCP process really begins with the BIA.

Why business impact assessment? The reason that the business impact assessment element of the BCP methodology takes on such significance is that it sets the stage for shaping a business-oriented judgment concerning the appropriation of resources for recovery planning efforts.

Our experiences in this area have shown that, all too often, recovery alternative decisions such as hot sites, duplicate facilities, materials stockpiling, etc. are based on emotional motivations, and not on the results of a thorough business impact assessment. The bottom line in performing BIAs is the requirement to obtain a firm and formal agreement from the management group as to precise maximum tolerable downtimes (MTD). The formalized MTDs must be communicated to each business unit and to each support service organization (e.g., IT, Network Management, Facilities) that supports the business units, so that realistic recovery alternatives can be acquired and recovery measures developed.

The objective of the chapter is to examine the BIA process in detail, and to focus on the fundamentals of undertaking a positive and successful business impact assessment.


The BIA process is one phase of an overall approach to the evolution of BCPs. The following is a brief description of a five-phase BCP methodological approach. This approach is commonly used for development of the business unit (resumption) plans, technological platform, and communications network recovery plans.

  Phase I: BCP Project Scoping and Planning — This phase includes an examination of the organization’s distinct business operations and information system support services in order to form a project plan to direct subsequent phases of the activity. Project planning activities involve defining the precise scope, organization, timing, staffing, and other issues so that the project status and requirements can be articulated throughout the organization, and chiefly to those departments and personnel who will be playing the most meaningful roles in the BCP’s development.
  Phase II: Business Impact Assessment — This phase involves developing a grasp of the proportion of impact individual business units would sustain subsequent to a significant interruption of computing and communication services. These impacts may be financial, in terms of dollar loss or impact, or operational in nature, such as the inability to deliver and monitor quality customer service, etc.
  Phase III: Develop Recovery Strategy — The information collected in Phase II is employed to approximate the recovery resources (i.e., business unit or departmental space and resource requirements, and technological platform services and communications networks requirements) necessary to support time-critical business functions. During this phase, an appraisal of recovery alternatives and alternative cost-estimates are prepared and presented to management.
  Phase IV: Recovery Plan Development — This phase includes the development of the actual business continuity or recovery plans themselves. Explicit documentation is required for execution of an effective recovery process and includes both administrative inventory information and detailed recovery team action plans, among other information.
  Phase V: Implementation, Testing, and Maintenance — The final phase involves establishing a rigorous testing and maintenance management program as well as addressing the initial and ongoing testing and maintenance activities.


As mentioned above, the intent of the BIA process is to assist the organization’s management in understanding the impacts associated with possible threats, and to employ that intelligence to calculate the maximum tolerable downtime for reliance upon time-critical support services and resources. For most organizations, time-critical support services and resources include:

  Technological platforms (all computer systems)
  Data networks and equipment
  Voice networks and equipment
  Vital records
  Data, etc.


The BIA process comes to a conclusion when the organization’s senior management group has considered the impacts to the business processes due to outages of vital support services and has then made a formalized decision on the MTD it is willing to live with. This includes a decision to communicate the MTD decision(s) to each business unit and support service manager involved. Why is it so important that a formalized decision be made? Because the failure to document and communicate precise MTD information leaves each manager with imprecise direction on (1) selection of an appropriate recovery alternative method; and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.

We have seen many a well-executed BIA with excellent results be wasted because the senior management group failed to articulate their acceptance of the results and to communicate to each affected manager that the time requirements for recovery processes had been defined.


The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest versions cover; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.