
Business Impact Analysis with ISO22301

Business impact analysis (BIA) is a key part of the ISO22301 standard: much of what comes after it (risk assessment, strategies, plans etc.) is based on its conclusions, so it's worth spending some time to get it right. You'll need to get the most appropriate people fully involved in the process so that they not only contribute their understanding of how your business activities work, but also feel some ownership of the conclusions, which will help later when you're asking them to write some plans.

What does your business actually do?

The Toolkit provides a business impact analysis workbook which prompts for the main items of information to be identified and recorded. The first step is to list the main business activities of the organization together with their purpose, the resources dedicated to them and any legal constraints (workbook tab Key business activities). For a large organization there may be very many activities, and the BIA may need to be split into more manageable parts in order to cover the whole company. There may already be a centralized list of business activities within the organization, in which case it makes sense to use that (as long as it is reasonably current). Focus first on those activities that are generally regarded as the most important, as this will give you a head start. There may be some less well known activities that turn out to be important, but this is relatively rare, so concentrate your efforts on the areas of greatest reward, at least initially.

What happens if it can't work normally?

After listing the key business activities, you then need to assess the impact of each one not happening (workbook tab Impact of Disruption). Impact can fall in different areas such as finance (loss of revenue, cashflow etc.), customers (they may be unable to run their businesses if you don't provide this activity, or end users may be affected, sometimes significantly, depending on the products and services you provide) or reputation (will customers or clients come back after you have rectified the problem?). The other factor is how quickly these impacts are felt: some activities might have a gradual impact if they are not delivered, whereas for others the effect could be immediate. Use the workbook to set out, for each activity in turn, how the impact builds in each area over time to give an overall impact rating (total score).

RTOs and MTPDs...

On the next workbook tab, Key Targets, this analysis will then give you an indication of two important factors used in business continuity:

  • Maximum Tolerable Period of Disruption (MTPD) – how long before the impact becomes unacceptable to the organization
  • Recovery Time Objective (RTO) – the target time to recover the activity to at least partial operation

The RTO may be the same as the MTPD, but often it makes sense to make it shorter to allow for delays in recovery. On this worksheet we also need to assess how much of the activity you need to provide as a minimum, i.e. the acceptable level of degraded service. This is referred to by the ISO22301 standard as the Minimum Business Continuity Objective, or MBCO. The last key target, the Recovery Point Objective (RPO), is particularly relevant to IT systems where data needs to be recovered to a specific point in time before the failure occurred (e.g. no more than one hour before). All of these factors matter when we start to consider the business continuity strategies and plans needed to meet them, and the cost of achieving that.

And finally resources...

We also need to assess and document what resources are needed across the board to recover each activity over time. Otherwise we may find we don't have enough desks, computers, space etc. to recover everything according to the plan. The recovery process may need to happen gradually, so resources may be added at key points. The idea is to work out how much of each resource you will need, and when, in order to meet your minimum business continuity objective (MBCO) for each activity. The total of these across all activities will tell you your overall requirement for planning purposes.
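The three workbook steps above (impact over time, key targets, resources over time) can be captured in a small model that shows how the numbers tie together. The following is an added example and not part of CertiKit's toolkit or workbook: the time horizons, the 0 to 4 rating scale, the "unacceptable" threshold of 8, the assumption that impact ratings are cumulative (and so never decrease over time), and all of the activity data are constructed here for illustration. It derives the MTPD as the first horizon at which the total score reaches the threshold, flags any RTO that is later than its MTPD, and sums each resource across activities at each horizon to give the overall requirement.

```python
"""Worked BIA calculations (added example): impact-over-time scoring,
MTPD/RTO consistency checks and aggregation of recovery resources."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed assumptions: horizons (hours after disruption) at which impact is rated,
# the impact areas named in the article, and the total score deemed unacceptable.
HORIZONS_H = (1, 4, 24, 72)
AREAS = ("finance", "customers", "reputation")
UNACCEPTABLE_SCORE = 8


@dataclass
class Activity:
    name: str
    impact: Dict[str, List[int]]      # area -> rating (0..4) per horizon
    rto_h: float                      # Recovery Time Objective (hours)
    rpo_h: Optional[float]            # Recovery Point Objective (hours), None if no data
    mbco_pct: int                     # Minimum Business Continuity Objective (% of normal)
    resources: Dict[str, List[int]]   # resource -> units needed per horizon after recovery starts


def total_scores(act: Activity) -> List[int]:
    """Overall impact rating per horizon: sum of the area ratings (the workbook's total score)."""
    return [sum(act.impact[area][i] for area in AREAS) for i in range(len(HORIZONS_H))]


def mtpd_hours(act: Activity) -> Optional[int]:
    """MTPD: first horizon at which the total score reaches the unacceptable threshold."""
    for horizon, score in zip(HORIZONS_H, total_scores(act)):
        if score >= UNACCEPTABLE_SCORE:
            return horizon
    return None  # impact never became unacceptable within the assessed horizons


def validate_targets(act: Activity) -> List[str]:
    """Consistency checks a reviewer would run over the Key Targets tab."""
    issues = []
    for area, ratings in act.impact.items():
        if len(ratings) != len(HORIZONS_H):
            issues.append(f"{act.name}: {area} needs one rating per horizon")
        elif any(b < a for a, b in zip(ratings, ratings[1:])):
            # Assumption: ratings are cumulative, so a drop over time is a data-entry error.
            issues.append(f"{act.name}: {area} impact decreases over time")
    mtpd = mtpd_hours(act)
    if mtpd is not None and act.rto_h > mtpd:
        issues.append(f"{act.name}: RTO {act.rto_h}h is later than MTPD {mtpd}h")
    if not 0 < act.mbco_pct <= 100:
        issues.append(f"{act.name}: MBCO {act.mbco_pct}% outside 1..100")
    if act.rpo_h is not None and act.rpo_h < 0:
        issues.append(f"{act.name}: RPO must be non-negative")
    return issues


def aggregate_resources(activities: List[Activity]) -> Dict[str, List[int]]:
    """Overall requirement: each resource summed across activities at every horizon."""
    totals: Dict[str, List[int]] = {}
    for act in activities:
        for resource, per_horizon in act.resources.items():
            acc = totals.setdefault(resource, [0] * len(HORIZONS_H))
            for i, units in enumerate(per_horizon):
                acc[i] += units
    return totals


# Constructed sample activities (not real data).
ORDER_PROCESSING = Activity(
    "Order processing",
    {"finance": [1, 2, 3, 4], "customers": [1, 2, 4, 4], "reputation": [0, 1, 3, 4]},
    rto_h=8, rpo_h=1, mbco_pct=50,
    resources={"desks": [5, 10, 20, 20], "laptops": [5, 10, 20, 20]},
)
PAYROLL = Activity(
    "Payroll",
    {"finance": [0, 0, 1, 3], "customers": [0, 0, 0, 1], "reputation": [0, 0, 1, 4]},
    rto_h=48, rpo_h=24, mbco_pct=100,
    resources={"desks": [0, 0, 2, 4], "laptops": [0, 0, 2, 4]},
)
HELPDESK = Activity(  # deliberately set RTO later than its MTPD to show the check firing
    "Customer helpdesk",
    {"finance": [0, 1, 2, 3], "customers": [2, 3, 4, 4], "reputation": [1, 2, 3, 4]},
    rto_h=48, rpo_h=None, mbco_pct=30,
    resources={"desks": [4, 8, 8, 8], "laptops": [4, 8, 8, 8]},
)
SAMPLE = [ORDER_PROCESSING, PAYROLL, HELPDESK]

if __name__ == "__main__":
    for act in SAMPLE:
        print(act.name, "scores", total_scores(act), "MTPD", mtpd_hours(act), "h")
        for issue in validate_targets(act):
            print("  ISSUE:", issue)
    print("Overall resources per horizon", HORIZONS_H, aggregate_resources(SAMPLE))
```

Running the block prints an MTPD of 24 hours for order processing and the helpdesk and 72 hours for payroll, reports that the helpdesk RTO of 48 hours overshoots its 24 hour MTPD, and shows the desk and laptop totals climbing from 9 at one hour to 32 at 72 hours, which is the figure the recovery plan has to provision for.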

At the end of the BIA we should have a clear understanding of what is needed for recovery, and by when, based on a solid understanding of the organization.

More ISO22301 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO22301:2019 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.
