Risk assessment vs. business impact analysis

Author: Dejan Kosutic

If you are implementing ISO 27001, or especially ISO 22301, for the first time, you are probably puzzled by risk assessment and business impact analysis. What is their purpose? How are they different? Can they be performed at the same time?

In short, risk assessment will show you which kinds of incidents you might face, while business impact analysis will show you how quickly you need to recover your activities from incidents to avoid larger damage.

The purpose of risk assessment (RA)

The purpose of this assessment is to systematically find out which incidents can happen to your organization, and then, through the process of risk treatment, to prepare so that the damage from such incidents is minimized.

It is very important to understand that risk assessment and treatment (mitigation) need to be performed sequentially – you cannot implement the safeguards/controls unless you know which of them are the most appropriate; you cannot know which safeguards are appropriate before you find out where the potential problems are. See also ISO 27001 risk assessment & treatment – 6 basic steps.

In my experience, the employees (and the organization as a whole) are usually aware of only 25 to 40% of risks – therefore, it is not possible to try to remember all the risks by heart, and this identification needs to be done in a systematic way.

Risk assessment is mandatory for both ISO 27001 and ISO 22301, and in most cases it can be done for both standards at the same time: Can ISO 27001 risk assessment be used for ISO 22301?

The purpose of business impact analysis (BIA)

The purpose of this analysis is primarily to give you an idea (1) about the timing of your recovery, and (2) about the timing of your backups, since timing is crucial – a difference of only a couple of hours could mean life or death for certain companies if they are hit by a major incident. For example, if you are a financial institution, a recovery time of four hours could mean you will probably survive a disruption, whereas a recovery time of 12 hours is unacceptable for certain systems/activities in a bank, and a disruption of a full day would probably mean such a bank would never be able to open its doors again. And there is no magic standard that would give you the timing for your organization – not only because the timing for every industry is different, but also because the timing for each of your activities could be different. Therefore, you need to perform the business impact analysis to reach the correct conclusions.

More precisely, business impact analysis will help you determine the Maximum Acceptable Outage/Recovery Time Objective, Maximum Data Loss/Recovery Point Objective, required resources and other important information that will help you develop the business continuity strategy for each of your activities. Learn more here: How to implement business impact analysis (BIA) according to ISO 22301.

As you might have guessed, business impact analysis is mandatory for ISO 22301 implementation, but not for ISO 27001.

The difference between the two

As noted above, BIA is usually used only in business continuity / ISO 22301 implementation; it could be done for information security, but it wouldn’t make much sense. Risk assessment is mandatory for both.

Secondly, the outputs from RA are a bit different from those of BIA – RA gives you a list of risks together with their values, whereas BIA gives you timing within which you need to recover (RTO) and how much information you can afford to lose (RPO).
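As an added illustration (not code from the article or from Advisera), here is a small Python model of the two outputs described above: a risk register that yields a value per risk, and a BIA table that records RTO and RPO per activity, with a check that flags activities whose actual backup interval or recovery capability cannot meet those objectives. All risks, activities and figures are constructed sample data.

```python
from dataclasses import dataclass
# All risks, activities and figures below are constructed sample data.

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (catastrophic)

    @property
    def value(self) -> int:
        return self.likelihood * self.impact  # RA output: one value per identified risk

@dataclass
class Activity:
    name: str
    rto_hours: float               # BIA output: Recovery Time Objective
    rpo_hours: float               # BIA output: Recovery Point Objective
    backup_interval_hours: float   # how often the data is actually backed up
    recovery_estimate_hours: float # how long the current plan needs to restore it

def risk_register(risks, threshold):
    """Risks at or above the acceptance threshold, highest value first."""
    kept = [r for r in risks if r.value >= threshold]
    return sorted(kept, key=lambda r: r.value, reverse=True)

def bia_gaps(activities):
    """Activities whose backup or recovery capability cannot meet the BIA objectives."""
    gaps = {}
    for a in activities:
        problems = []
        if a.backup_interval_hours > a.rpo_hours:
            problems.append(f"backup every {a.backup_interval_hours}h exceeds RPO {a.rpo_hours}h")
        if a.recovery_estimate_hours > a.rto_hours:
            problems.append(f"recovery takes {a.recovery_estimate_hours}h, RTO is {a.rto_hours}h")
        if problems:
            gaps[a.name] = problems
    return gaps

RISKS = [Risk("ransomware on core banking servers", 3, 5),
         Risk("laptop theft", 4, 1),
         Risk("power outage at data centre", 2, 4)]
ACTIVITIES = [Activity("payment processing", 4, 1, 0.25, 3),
              Activity("customer onboarding", 24, 4, 24, 12)]

if __name__ == "__main__":
    print([(r.name, r.value) for r in risk_register(RISKS, threshold=8)])
    print(bia_gaps(ACTIVITIES))
```

Running it lists the two risks above the threshold and flags "customer onboarding", whose daily backup cannot satisfy a four-hour RPO.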

So, although these two are related because they have to focus on the organization’s assets and processes, they are used in different contexts.

Which comes first – risk assessment or business impact analysis?

Actually, ISO 22301 allows both approaches, and you might hear many theories on which is better. However, I prefer to do risk assessment first because this way, you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents); further, if you choose the asset-based approach for risk assessment, you will have an easier time identifying all the resources later on in the business impact analysis. What you definitely shouldn’t do is perform risk assessment and business impact analysis at the same time, because each of them separately is already complex enough – combining them normally means trouble.

To learn more about risk assessment, register for this free webinar: The basics of risk assessment and treatment according to ISO 27001.

5 responses to “Risk assessment vs. business impact analysis”

  1. Tom says:

    I disagree here. You should list your assets first then rate them in terms of impact then perform the BIA. What is the point in knowing which assets are critical to the business if this doesn’t feed into the RA and then ultimately into the RTP? It becomes a pointless exercise.

    • Tom says:

      Then perform the RA after the BIA I meant*

      • Amargit Singh says:

        Yes. An organization needs to analyze the risk of disruption of critical or prioritised activities that have been determined in the BIA. Please note it is “risk of disruption”. To conduct this, you can use ISO 31000. In ISO/IEC 27001, it is about identifying risks associated with confidentiality, integrity and availability of information.

    • The purpose of the BIA is not primarily to define the risk treatment (controls to be implemented) – according to ISO 22301, the primary purpose of BIA is to calculate the RTO, to define the recovery priorities, define interdependencies, etc.

      Therefore, the feedback from BIA towards the Risk treatment plan is not so important from the ISO 22301 point of view.

  2. YES. ISO is the International Organization for Standardization, which sets up standards after analyzing the requirements. It has to date published more than twenty thousand standards, of which some are implementable and some are just guidelines. One such standard is ISO 27001:2013, which totally focuses on the Information Security Management System, which can be implemented in each and every organization without their area of work or size in consideration, as each and every company will have its own critical information.
