
    ISO 27001 & ISO 22301 Knowledge base

    Risk assessment vs. business impact analysis

    If you are implementing ISO 27001, or especially ISO 22301, for the first time, you are probably puzzled by risk assessment and business impact analysis. What is the purpose of each? How do they differ? Can they be performed at the same time?

    In short, risk assessment will show you which kinds of incidents you might face, while business impact analysis will show you how quickly you need to recover your activities from incidents to avoid larger damage.

    The purpose of risk assessment (RA)

    The purpose of this assessment is to systematically find out which incidents can happen to your organization, and then, through the process of risk treatment, to prepare safeguards that minimize the damage of such incidents.

    It is very important to understand that risk assessment and risk treatment (mitigation) need to be performed sequentially: you cannot implement the safeguards/controls until you know which of them are the most appropriate, and you cannot know which safeguards are appropriate until you have found out where the potential problems are. See also ISO 27001 risk assessment & treatment – 6 basic steps.

    In my experience, the employees (and the organization as a whole) are usually aware of only 25 to 40% of risks – therefore, it is not possible to try to remember all the risks by heart, and this identification needs to be done in a systematic way.

    Risk assessment is mandatory for both ISO 27001 and ISO 22301, and in most cases it can be done for both standards at the same time: Can ISO 27001 risk assessment be used for ISO 22301?

    The purpose of business impact analysis (BIA)

    The purpose of this analysis is primarily to give you an idea (1) about the timing of your recovery and (2) about the timing of your backups, since timing is crucial: a difference of only a couple of hours could mean life or death for certain companies if they are hit by a major incident. For example, if you are a financial institution, a recovery time of four hours could mean you will probably survive a disruption, whereas a recovery time of 12 hours is unacceptable for certain systems/activities in a bank, and a disruption of a full day would probably mean such a bank would never be able to open its doors again. And there is no magic standard that would give you the timing for your organization, not only because the timing for every industry is different, but also because the timing for each of your activities could be different. Therefore, you need to perform the business impact analysis to reach correct conclusions.

    More precisely, business impact analysis will help you determine the Maximum Acceptable Outage (MAO) and Recovery Time Objective (RTO), the Maximum Data Loss and Recovery Point Objective (RPO), the required resources, and other important information that will help you develop the business continuity strategy for each of your activities. Note that these values are related: the RTO must be set at or below the MAO (the outage must be ended before the impact becomes unacceptable), and the interval between backups must not exceed the RPO, otherwise a backup restored after an incident will have lost more data than the business can afford. Learn more here: How to implement business impact analysis (BIA) according to ISO 22301.
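    The consistency checks just described can be expressed as a small script. The following is an added example written for this article, not code from the article or from Advisera: it derives the MAO for each activity from an impact-over-time table, sets the RTO below the MAO, takes the RPO from the tolerable data loss, and then flags activities whose current backup interval or tested recovery time cannot meet those objectives. The 1-to-5 impact scale, the threshold of 4 for "unacceptable", the 0.75 safety margin between MAO and RTO, and the sample activities are all assumptions made for the example.

```python
"""Worked BIA consistency check (added example; not from the original article)."""
from dataclasses import dataclass

# Assumption: outage impact is rated on a 1..5 scale and 4 or above is unacceptable.
UNACCEPTABLE = 4


@dataclass
class Activity:
    name: str
    # (hours of outage, impact level) pairs in ascending order of hours.
    impact_over_time: list
    # How much work (in hours) the business can afford to lose: the basis for the RPO.
    max_data_loss_hours: float
    # What the organization can currently do; compared against the derived objectives.
    backup_interval_hours: float
    tested_recovery_hours: float


def maximum_acceptable_outage(activity):
    """MAO: the earliest outage duration at which the impact becomes unacceptable.
    Returns None if the impact never reaches that level within the assessed horizon."""
    for hours, level in activity.impact_over_time:
        if level >= UNACCEPTABLE:
            return hours
    return None


def derive_objectives(activity, safety_margin=0.75):
    """RTO is set below the MAO (assumed margin for detection and plan invocation);
    RPO is taken directly from the tolerable data loss."""
    mao = maximum_acceptable_outage(activity)
    rto = None if mao is None else mao * safety_margin
    return {"MAO": mao, "RTO": rto, "RPO": activity.max_data_loss_hours}


def check_capability(activity):
    """Return a list of findings where current capability cannot meet the objectives."""
    obj = derive_objectives(activity)
    findings = []
    if activity.backup_interval_hours > obj["RPO"]:
        findings.append(
            f"backup every {activity.backup_interval_hours}h exceeds RPO of {obj['RPO']}h"
        )
    if obj["RTO"] is not None and activity.tested_recovery_hours > obj["RTO"]:
        findings.append(
            f"tested recovery of {activity.tested_recovery_hours}h exceeds RTO of {obj['RTO']}h"
        )
    return findings


# Constructed sample activities (assumed values, not from any real BIA).
ACTIVITIES = [
    # Impact of losing payment processing climbs fast; data loss of more than 30 min is intolerable.
    Activity("payment processing", [(1, 2), (4, 3), (8, 4), (24, 5)],
             max_data_loss_hours=0.5, backup_interval_hours=24, tested_recovery_hours=6),
    # Monthly reporting can be down for two weeks before the impact is unacceptable.
    Activity("monthly reporting", [(24, 1), (72, 2), (168, 3), (336, 4)],
             max_data_loss_hours=24, backup_interval_hours=24, tested_recovery_hours=48),
]


def run_bia(activities=ACTIVITIES):
    """Objectives and findings per activity, keyed by activity name."""
    return {
        a.name: {"objectives": derive_objectives(a), "findings": check_capability(a)}
        for a in activities
    }


if __name__ == "__main__":
    for name, result in run_bia().items():
        print(name, result["objectives"])
        for finding in result["findings"]:
            print("  FINDING:", finding)
```

    In the sample data, payment processing gets an MAO of 8 hours, an RTO of 6 hours and an RPO of 30 minutes; its daily backup is then flagged because a restore could lose up to a day of transactions, while the tested 6-hour recovery just meets the RTO. Monthly reporting produces no findings. The point is that the objectives come out of the impact table, not out of what the IT department happens to be able to do today; the gap between the two is what the business continuity strategy has to close.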

    As you might have guessed, business impact analysis is mandatory for ISO 22301 implementation, but not for ISO 27001.

    The difference between the two

    As noted above, BIA is usually used only in business continuity / ISO 22301 implementation; it could be done for information security alone, but it wouldn't make much sense there. Risk assessment is mandatory for both.

    Secondly, the outputs of RA differ from those of BIA: RA gives you a list of risks together with their values (derived from likelihood and impact), whereas BIA gives you the time within which you need to recover each activity (RTO) and how much information you can afford to lose (RPO).

    So, although the two are related, since both focus on the organization's assets and processes, they are used in different contexts.

    Which comes first – risk assessment or business impact analysis?

    Actually, ISO 22301 allows both approaches, and you might hear many theories on which is better. However, I prefer to do risk assessment first because this way, you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents); further, if you choose the asset-based approach for risk assessment, you will have an easier time identifying all the resources later on in the business impact analysis. What you definitely shouldn’t do is perform risk assessment and business impact analysis at the same time, because each of them separately is already complex enough – combining them normally means trouble.

    To see how to use the ISO 27001 risk register with catalogs of assets, threats, and vulnerabilities, and get automated suggestions on how they are related, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.