ISO 22317 - 2015


TECHNICAL SPECIFICATION ISO/TS 22317

First edition 2015-09-15

Societal security — Business continuity management systems — Guidelines for business impact analysis (BIA)

Sécurité sociétale — Systèmes de management de la continuité en affaires — Lignes directrices pour l’analyse d’impact en affaires

Reference number ISO/TS 22317:2015(E)

International Organization for Standardization


© ISO 2015
ISO/TS 22317:2015(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO 2015, Published in Switzerland


All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
[email protected]
www.iso.org


Contents                                                                 Page

Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Prerequisites ... 1
  4.1 General ... 1
  4.2 BC programme context and scope ... 2
    4.2.1 BC programme context ... 2
    4.2.2 Scope of the BC programme ... 2
  4.3 BC programme roles ... 2
    4.3.1 BC programme roles and responsibilities ... 2
    4.3.2 BIA process-specific roles and competencies ... 2
  4.4 BC programme commitment ... 4
  4.5 BC programme resources ... 4
5 Performing the business impact analysis ... 4
  5.1 General ... 4
  5.2 Project planning and management ... 5
    5.2.1 General ... 5
    5.2.2 Initial BIA considerations ... 6
  5.3 Product and service prioritization ... 6
    5.3.1 Overview ... 6
    5.3.2 Inputs ... 8
    5.3.3 Outcomes ... 9
  5.4 Process prioritization ... 9
    5.4.1 General ... 9
    5.4.2 Inputs ... 9
    5.4.3 Outcomes ... 9
  5.5 Activity prioritization ... 10
    5.5.1 Overview ... 10
    5.5.2 Inputs ... 10
    5.5.3 Information collection ... 11
    5.5.4 Outcomes ... 12
  5.6 Analysis and consolidation ... 12
    5.6.1 Overview ... 12
    5.6.2 Inputs ... 12
    5.6.3 Methods ... 12
    5.6.4 Outcomes ... 13
  5.7 Obtain top management endorsement of BIA results ... 13
    5.7.1 General ... 13
    5.7.2 Inputs ... 13
    5.7.3 Methods ... 13
    5.7.4 Outcomes ... 14
  5.8 After the BIA — Business continuity strategy selection ... 14
6 BIA process monitoring and review ... 14
Annex A (informative) Business impact analysis within an ISO 22301 business continuity management system ... 16
Annex B (informative) Business impact analysis terminology mapping ... 17
Annex C (informative) Business impact analysis information collecting methods ... 18
Annex D (informative) Other uses for the business impact analysis process ... 24


Bibliography ... 27


Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 292, Security and resilience.


Introduction

This Technical Specification provides detailed guidance for establishing, implementing, and maintaining
a business impact analysis (BIA) process consistent with the requirements in ISO 22301. This Technical
Specification is applicable to the performance of any BIA process, whether part of a business continuity
management system (BCMS) or business continuity programme (BC programme). Hereinafter, BC
programme means either BCMS or BC programme.

Figure 1 notes the relationship of the BIA process to the BC programme as a whole. The organization
should complete a cycle of the BIA process before business continuity strategies are selected.

Figure 1 — Elements of business continuity management (Source: ISO 22313)

The BIA process analyses the consequences of a disruptive incident on the organization. The outcome is
a statement and justification of business continuity requirements.

The BIA process consists of a number of individual BIAs, each focusing on a sub-set of the BC programme
scope. The BIA process prioritizes products and services, and continues with prioritizing processes and
activities that together cover the entire scope of the BC programme. After a period of time determined
by the organization, individual BIAs are repeated to ensure that the BC requirements remain current.

NOTE In this Technical Specification, business continuity requirements has the same meaning as continuity
and recovery priorities, objectives, and targets (ISO 22301:2012, 8.2.2).
The purposes of this Technical Specification are the following:

— provide a basis for understanding, developing, implementing, reviewing, maintaining, and
continually improving an effective BIA process within an organization;
— provide guidance for planning, conducting, and reporting on a BIA;
— assist the organization with conducting a BIA in a consistent manner that reflects good practices;
— enable proper coordination between the BIA process and the overarching BC programme.


The outcomes of the BIA process include the following:

— endorsement or modification of the organization’s BC programme scope;
— identification of legal, regulatory, and contractual requirements (obligations) and their effect on
business continuity requirements;
— evaluation of impacts on the organization over time, which serves as the justification for business
continuity requirements (time and capability);
— identification and confirmation of product/service delivery requirements following a disruptive
incident, which then sets the prioritized timeframes for activities and resources;
— identification and establishment of the relationships between products/services, processes,
activities, and resources;
— determination of the resources needed to perform prioritized activities (e.g. facilities; people;
equipment; information, communication and technology assets; supplies; and financing);
— understanding of the dependencies on other activities, supply chains, partners, and other
interested parties;
— determination of how up to date the information needs to be.

NOTE For purposes of this Technical Specification, supply chains produce supplies of goods, works, and
services, which are referred to as ‘supplies’ throughout the remainder of this document.

The following diagram displays the BIA process, together with prerequisites and its relationship
to strategy identification. The clauses referenced in the diagram are subsections of this Technical
Specification.

Figure 2 — Business impact analysis process


Societal security — Business continuity management systems — Guidelines for business impact analysis (BIA)

1 Scope

This Technical Specification provides guidance for an organization to establish, implement, and
maintain a formal and documented business impact analysis (BIA) process. This Technical Specification
does not prescribe a uniform process for performing a BIA, but will assist an organization to design a
BIA process that is appropriate to its needs.

This Technical Specification is applicable to all organizations regardless of type, size, and nature,
whether in the private, public, or not-for-profit sectors. The guidance can be adapted to the needs,
objectives, resources, and constraints of the organization.

It is intended for use by those responsible for the BIA process.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Societal security — Terminology

3 Terms and definitions


For the purposes of this document, the terms and definitions in ISO 22300 apply.

NOTE All terms and definitions contained in ISO 22300 are available on the ISO Online Browsing Platform:
www.iso.org/obp.

4 Prerequisites

4.1 General

As noted in the Introduction, this Technical Specification is consistent with ISO 22301, but it could be
used to develop, implement, review, maintain, and continually improve a BIA process addressing other
standards or regulatory requirements. Whether part of a BCMS or a BC programme, the organization
should consider a number of prerequisites before starting the BIA process. Clause 4 summarizes these
prerequisites, many of which are from ISO 22301.

The organization should take a number of steps within the BC programme before beginning the BIA
process, which include the following:

— define the context and scope (4.2);
— define and communicate roles and responsibilities (4.3);
— obtain leadership commitment (4.4);
— allocate adequate resources (4.5).

NOTE For additional information, see Annex A for a mapping of each step to ISO 22301.


4.2 BC programme context and scope

4.2 .1 BC programme context

Successful BIA process outcomes are dependent on the organization understanding the following:

— the external environment in which it operates so that it can achieve its purpose by delivering its
products and services to customers;
— the internal operating environment, inclusive of processes, activities, and resources, as well as the
potential impact caused by disrupting the delivery of products and services; and
— laws and regulations mandating the BIA process and how it is performed.

NOTE In organizations operating within a non-commercial environment, the ‘customer’ can be the public or
an overseeing authority, such as government.

4.2 .2 Scope of the BC programme

Before determining the BIA process scope, the organization should define and document the scope of
the BC programme in terms of its products and services.

The BIA process may assist the organization to review the scope of the BC programme.
Following the definition of the BC programme scope, the organization can determine the BIA process
scope, which may be conducted as a single BIA to cover the whole scope of the BC programme, or
undertaken in a number of phases that, over time, cover the whole scope of the BC programme.

NOTE If the organization chooses to undertake the BIA process in phases, it should first determine the
prioritization of all products and services (see 5.2) and then continue with the remaining individual BIAs.

4.3 BC programme roles

4.3 .1 BC programme roles and responsibilities

Prior to performing the BIA process, top management should ensure that the responsibilities and
authorities for relevant roles are assigned and communicated within the organization.

4.3.2 BIA process-specific roles and competencies


Following the assignment of BC programme roles, top management should provide resources necessary
to perform the BIA process, which may include appointing the following roles:
— the person sponsoring the BIA process;
— BIA steering committee;
— the person leading the BIA process;
— the person managing the BIA project (project manager);
— process owners;
— activity managers.
The person sponsoring the BIA process should

— be an executive representing top management,

— be well respected within the organization by other members of top management,


— have an organization-wide perspective,


— have the authority to commit the organization to action, and


— make final decisions regarding the BIA process.
The BIA steering committee should

— represent top management,
— provide ongoing advice and guidance on the conduct of the BIA process,
— agree on the methods and outcomes,
— make decisions regarding business continuity requirements, and
— assist the person leading the BIA process and project manager in determining the competences
required for BIA process-specific roles and responsibilities and the awareness, knowledge,
understanding, skills, and experience needed to fulfil them.

The person leading the BIA process should

— have an understanding of the organization, in particular products, services, processes, and
activities, and
— have experience in conducting a BIA process.

The person managing the BIA project should

— plan for and manage the BIA process,
— have an understanding of project planning tasks, and
— be familiar with the BIA process.

Process owners should have a relatively detailed understanding of the process they represent in
order to assist the project manager in identifying subject matter experts, organizational units, and
impacts of downtime.

Activity managers should

— have a very detailed understanding of the activity which they represent, including all of the
resources that enable the activity to operate, and
— be aware of alternate processes and resources that could be available in the event of a loss of
primary resources.

NOTE In smaller organizations, these roles can be combined.

The organization should ensure the competence of persons leading or participating in the BIA process.

Competences should include skills and abilities related to the following:

— project/programme planning and management;


— information gathering;
— analysis;
— effective communication and collaboration;
— translating organizational objectives to business continuity requirements and resource needs;
— applying BIA concepts in the specific organization’s context;
— knowledge of the organization, its products and services, processes, activities, and resources.


4.4 BC programme commitment

Top management commitment to the BIA process is necessary to ensure effective participation. To
obtain this support, the organization may consider communicating the BIA process’ value that includes
the following:

— ensuring the appropriate and most cost effective strategies are selected by determining the correct
business continuity requirements;
— providing evidence to management that business continuity requirements align with
organizational objectives;
— ensuring the organization meets its legal, contractual, and customer requirements during a
disruptive incident;
— identifying linkages between products and services and process, activities, and resources;
— providing an overview of the organization that can be used to improve its efficiency or explore new
opportunities (see Annex D).

4.5 BC programme resources

The organization should provide resources to the BIA process that are sufficient to the following:
— achieve its BC policy and objectives;
— make adequate provision for people and people-related resources, including the time to fulfil BIA
process-specific roles and responsibilities, and training and awareness;
— meet the changing requirements of the organization;
— provide for ongoing operation and continual improvement of the BC programme, as well as the BIA
process.

5 Performing the business impact analysis

5.1 General

The BIA process prioritizes the various organizational components so that product and service delivery
can be resumed in a predetermined timeframe following a disruptive incident to the satisfaction of
interested parties. For purposes of this Technical Specification and consistent with ISO 22301, products
and services are created by processes that are made up of activities.

The products and services are prioritized first; this sets the time and service level parameters for
process prioritization. If required by the complexity of the organization, the processes can then be
separated into their constituent activities for prioritization.

Suitable, adequate, and effective outcomes of subsequent phases of the BC programme depend on the
accuracy of the BIA process. Each BIA should be completed consistently, carefully, and thoroughly.

Figure 3 shows how the various elements of the BIA process relate to each other. The diagram illustrates
that there can be overlap between the timing of these constituent phases of the process.


Figure 3 — Business impact analysis relationships

Successful BIA process outcomes may depend on the following:


— identifying customers and other interested parties, and anticipating their reactions to a
disruptive incident;
— engaging all relevant interested parties with an appropriate mandate;
— developing appropriate skills and competencies within the organization or project to conduct the
analysis and present the results;
— gathering generally complete and accurate information (some information may be unavailable,
poorly understood, confidential or withheld, thus identifying areas for further work);
— ensuring that those contributing to the BIA information gathering process have sufficient knowledge
and authority to speak on behalf of the organization, process, or activity;
— ensuring management representatives have sufficient authority to approve BIA results.

5.2 Project planning and management

5.2 .1 General

Although BIA is a process, organizations may use project management methods for a phase of the
BIA process. As the BIA process is potentially complex, using project management methods allows
organizations to coordinate resources and timelines.

Project planning tasks may include the following:


— deciding on the scope of this phase of the BIA process;
— communicating expectations to BIA process participants;


— identifying the person sponsoring the BIA process and top management participation;
— establishing BIA process-specific roles and responsibilities (including competencies);
— establishing the project plan;
— allocating resources for the BIA project;
— gaining acceptance of the project approach and plan;
— establishing or sourcing the skills necessary to meet BIA process objectives.
Project management tasks may include the following:
— implementing the BIA process (see 5.2 through 5.6);
— monitoring the implementation of the BIA process (see through 5.6);
— developing periodic reports on the status, noting performance expectations and recommendations
to improve performance in line with top management expectations (see 5.2);
— performing modifications of the BIA process approach and scope to meet top management expectations
and external (regulatory, statutory, customer, contractual) requirements (see Clause 6);
— collecting and reviewing lessons learned (see Clause 6);
— making recommendations regarding BIA process improvement for future implementation (see
Clause 6).

5.2 .2 Initial BIA considerations

An organization undertaking a BIA for the first time should plan additional time to
— identify products and services,
— create awareness and ensure education,

— identify a top management representative to sponsor the BIA process and/or BIA steering committee,
— determine impact categories and criteria,

— determine importance of the organization’s business/political environment,

— identify the organization’s structure to an appropriate level of detail,


— identify and select the right information sources for information gathering,
— document the workflow to a process and activity level, and
— complete information gathering through document review, interviews, workshops, and
questionnaires.

During the initial BIA, the organization may use the BIA results to prioritize subsequent business
continuity phases, including strategy selection.

5.3 Product and service prioritization

5.3 .1 Overview

As the first step in the BIA process, top management should agree on the priority of products and
services following a disruptive incident which may threaten the achievement of their objectives.


It is top management’s responsibility to make these decisions because they

— set the objectives of the organization,
— have the ultimate responsibility for ensuring the continuity of the organization and the fulfilment
of its objectives,
— have the widest view of the entire organization from which to assess priorities,
— can choose to override contractual and other obligations in setting priorities in exceptional
circumstances, and
— are aware of planned future changes and other factors which may affect the business continuity
requirements.

If an organization has too many products and services to identify individually, the organization may
group together products and services when they have similar priorities. Conversely, it may be necessary
for the organization to identify customers that, despite sharing the same products and services, have
differing delivery timeframe expectations, or their value to the organization differs.
For each group of products and services, the organization should understand the impacts that may
result from a disruptive incident by
— identifying customer expectations and obligations, and the penalties associated with failing to
meet them and
— taking into account the views of other interested parties in assessing impacts.

Other interested parties and their reaction to a disruptive incident may include the following:
— partner organizations: their willingness to continue to cooperate;
— media and society: brand value and public opinion;
— potential customers: loss of current and future market share;
— shareholders: effect on current share price and future investment;
— competitors: who may attempt to take advantage of the situation;
— staff: retention;
— regulators and government: penalties and rule changes.

The organization may use the examples in Table 1 to understand the impacts of a disruptive incident on
the organization over time:

Table 1 — Product and service level impact category examples

Impact categories      Examples of impacts
Financial              Financial losses due to fines, penalties, lost profits, or diminished market share
Reputational           Negative opinion or brand damage
Legal and regulatory   Litigation liability and withdrawal of license to trade
Contractual            Breach of contracts or obligations between organizations
Business objectives    Failure to deliver on objectives or take advantage of opportunities

Impacts almost always increase over time. However, impacts may not increase at the same rate. For
instance, financial impacts can suddenly increase as contract penalties are incurred or as customers
are lost, and reputational damage can occur suddenly at a point during the disruptive incident. See
Figure 4 for an example of how different impact categories increase over time.


Figure 4 — Impact of a disruptive incident on an organization over time

For each group of products and services, the top management should decide and document the following:

— time after which continued failure to deliver them becomes unacceptable to the organization
because the impacts noted above threaten its survival or make its objectives no longer achievable
(see Annex B for related terms);
— reason(s) why this time period has been identified with reference to the growing impacts over time.
The organization may, based on the example timeframe in Figure 4, set a target time for resuming
delivery of products and services at specified minimum levels (see Annex B for related terms).

5.3.2 Inputs

Top management may consider the following information in setting business continuity requirements
for products and services:

— current organizational mission, objectives, and strategic direction;
— current BC programme scope;
— assessment of product and service priorities from a previous top management review;
— list of legal and regulatory requirements to which the organization or specific products and services
are subject (as well as an assessment of the consequences of breaching each requirement);
— contractual requirements, including penalties for failure to deliver;
— assessment of reputational, financial, or other impacts for failure to deliver;
— recent post-incident reports which describe the impact associated with the disruptive incident.

5.3.3 Outcomes

The outcomes of the product and service prioritization process should be

— endorsement or modification of the organization’s BC programme scope,
— identification of legal, regulatory and contractual requirements (obligations),
— evaluation of impacts over time as it relates to a failure to deliver products or services, which serves
as the justification for business continuity requirements,
— confirmation of product and service delivery requirements (that may include time, quality, quantity,
service levels, and capability specifications) following a disruptive incident that then sets the
priorities for activities and resources,
— identification of processes (that deliver the products and services),
— nomination of lead personnel to assist in identifying which processes deliver products and
services, and
— documentation of a list of prioritized products and services (grouped by timeframe or customer).

The organization may retain documentation describing the decisions made during the product and
service prioritization process.

5.4 Process prioritization

5.4.1 General

A process is a set of interrelated or interacting activities which transform inputs into outputs
(ISO 22300). Its priority is determined by the priority of the products and services which are its output.
Depending on its complexity, the organization may choose to omit process prioritization and proceed
directly to activity prioritization. If the organization chooses to perform a process prioritization, the
organization should determine activities that make up those processes.

5.4.2 Inputs

The information required for process prioritization includes the following:

— the scope of this BIA;
— product and service delivery requirements (which may include time, quality, quantity, service levels,
and capability specifications);
— processes and the products and services they deliver;
— impacts over time of a failure to deliver products and services;
— legal, regulatory, and contractual requirements (obligations).
5.4.3 Outcomes

The outcomes of process prioritization should be the following:

— identification of the relationship between products and services, processes, and activities;
— identification of dependencies on other business processes;
— evaluation of impacts over time of a process failure (the impact categories in Table 1 could be used
to confirm the impacts of process disruption);
— priorities of processes;
— interdependency analysis of the processes that deliver products and services to customers;
— interdependency analysis of the activities that deliver processes;
— documented list of prioritized processes that deliver products and services; and
— initial documented list of activities that deliver processes.

5.5 Activity prioritization

5.5.1 Overview

An activity is a set of one or more tasks with a defined output. The priority of the activity is determined
by the priority of the processes of which it forms a part.
The organization should perform activity level prioritization to understand the resources needed to
operate each activity following a disruptive incident, and to confirm the potential impact associated
with a disruptive incident.

Organizations should perform activity level prioritization to obtain a detailed understanding of day-to-
day resource requirements, enabling the organization to identify the quantity and timing of resources
necessary for recovery and to help confirm impact-related conclusions developed at the process level.
Resource-related information includes the following:

— people/skills/roles;
— facilities;
— equipment;
— records;
— financing;
— information and communications technologies (including applications, data, telephony, and networks);
— supplies, supply chains, and partners;
— dependencies on other processes and activities;
— special tools, spare parts, and consumables;
— limitations imposed on resources by logistics or regulations.
In addition to the impacts already considered in Table 1, the organization may consider evaluating
operational impact, such as delays due to backlog of workload or manual workarounds or impacts to
interrelated activities.

5.5.2 Inputs

The inputs required to undertake activity prioritization include the following:

— scope of this BIA;
— process priorities;
— organizational chart;
— constituent activities of processes.

5.5.3 Information collection

The organization needs to collect the following information to perform the activity level BIA, including
activity detail, resource requirements, and interdependencies.
5.5.3.1 Activity detail

The organization may collect the following details during activity prioritization:
— the processes that this activity supports;
— the operational methods of the activity;
— the duration or lead-time of this activity;
— fluctuations in demand or peak operating periods;
— factors not already discovered that may affect the determination of business continuity requirements
(e.g. backlogs or legal and regulatory requirements of this activity).

5.5.3.2 Resource requirements

The resource information to be collected during an activity prioritization may include the following:
— staff and contractors (including minimum acceptable level for required service, and knowledge,
skills or qualifications required);
— workplace requirements;
— IT applications and communications (noting special requirements);
— records (e.g. electronic or hard copy);
— equipment (e.g. information and communications technology (ICT), office equipment,
manufacturing equipment);
— components and raw materials.

5.5.3.3 Interdependencies

The interdependency information required to be collected during an activity prioritization includes
the following:

— reliance on other internal activities and resources, or supply chains;
— reliance of other internal activities on the outputs of this activity.

For the specification of ICT requirements, the following additional information may be collected:
— ICT asset name, location, and configuration (e.g. memory, capacity, processor speed, and disk
drive space);
— dependencies on other ICT assets;
— end user profiles and usage characteristics;
— unique legal or regulatory requirements regarding the use of the ICT asset.


5.5.4 Outcomes

The outcomes of activity prioritization should be the following:

— confirmation of impacts over time, which serves as justification for business continuity requirements
(time and capability);
— resource needs to perform each prioritized activity (including facilities, people, equipment, ICT
assets, supplies, finance and information);
— how up to date the information needs to be (see Annex B for related terms);
— dependencies on other activities, supply chains, partners, and other interested parties;
— analysis of dependencies on the resources needed to deliver each activity;
— documented list of activities and their prioritized timeframes that support processes;
— documented list of resources and their prioritized timeframes that enable activities.

5.6 Analysis and consolidation

5.6.1 Overview

While analysis occurs during the entire BIA process, the organization should perform a final analysis
(or consolidation of analyses). This involves reviewing the outcomes from the prioritization, and
drawing conclusions that lead to business continuity requirements.
The organization should choose the appropriate quantitative and/or qualitative analytic approach(es),
which may be influenced by the type, size, or nature of the organization, as well as resource and skill
constraints. The approach(es) selected will also depend on the type of information gathered.
Regardless of approach, the organization should challenge and check the information to ensure that it is

— correct: accurate and reliable,
— credible: believable and reasonable,
— consistent: clear and repeatable,
— current: up-to-date and available in a timely manner, and
— complete: comprehensive.

5.6.2 Inputs

The organization should obtain validated and approved information gathered from all levels of the BIA
process in order to perform analyses.

5.6.3 Methods

The organization may use a combination of quantitative and qualitative techniques to analyze the
information collected. Table 2 contains examples of analytic techniques.


Table 2 — BIA analysis techniques

Quantitative analytic techniques:
— Stress testing
— Financial analysis approaches

Qualitative analytic techniques:
— Common sense and cross checks
— Interdependency analysis
— Review of post-incident reviews and recommendations
— Supplier-Input-Process-Output-Customer (SIPOC)
— Fishbone (Ishikawa) diagrams

5.6.4 Outcomes

The outcomes of applying analysis techniques and consolidating information are the following:
— confirmation of impacts over time;
— review and confirmation of resource dependencies and requirements;
— consolidation of resource requirements (e.g. across processes, organizational structures, or locations);
— review and confirmation of the interdependencies of processes and activities, and their relation to
the delivery of products and services, that serve as the input to business continuity strategy selection.

5.7 Obtain top management endorsement of BIA results

5.7.1 General

The organization should seek management endorsement of results, including product and service,
process, activity, and resource prioritization following one or more individual BIAs.
The organization should compile BIA results to ensure the information collected can be maintained and
updated on a periodic basis before seeking management endorsement. The presentation of BIA results
can be in a variety of media and may contain different levels of detail depending on the audience.
The organization should provide the following key BIA results to top management for their review,
amendment (if necessary), and endorsement before moving on to next steps:
— product and service prioritization (if changed from original determination);
— process prioritization; and
— activity prioritization (including resources and interdependencies).
NOTE The organization can choose to receive this endorsement during a management review (see Annex A).

5.7.2 Inputs

The person responsible for the BIA process should use outputs from 5.2 to 5.6 as inputs into top
management endorsement.

5.7.3 Methods

The organization should include at least the following topics in the BIA summary report:
— an overview of the BIA process, including objectives and scope;
— impacts influencing the assignment of business continuity requirements (see 5.3.1);
— recommended prioritized timeframes for products and services, processes, activities, and resources;
— conclusions and next steps.

The organization may develop materials to be presented to top management following the completion
of the BIA summary report, by performing the following methods:
— summarizing information to top management by facilitating one-on-one meetings with top
management members or facilitating a group meeting with top management;
— extracting and providing the executive summary, which highlights key findings and conclusions; and
— facilitating one-on-one meetings with top management to review the summary report in detail.
5.7.4 Outcomes

The endorsement of the BIA results by top management should be documented according to established
document management practices. The BIA results can then be passed to the business continuity
strategy selection process.

5.8 After the BIA — Business continuity strategy selection

Following the completion of the BIA, the organization should continue to business continuity strategy
selection. Approved business continuity requirements enable the organization to determine and
select appropriate business continuity strategies to enable an effective response and recovery from a
disruptive incident. Examples include the following:

— alternate workplace arrangements;
— alternate supply chain arrangements;
— ICT recovery options;
— alternate sources of people;
— alternate sources of equipment;
— workarounds and alternate procedures.

The BIA may also lead to a reconsideration of how the organization delivers its products and services
(see Annex D).

6 BIA process monitoring and review

The organization should review/perform the BIA process on a periodic basis (typically annually) or as part
of organizational change that may affect the accuracy of business continuity requirements.
Top management may publish an annual strategic plan or review that confirms or revises the
organization’s strategic objectives. A change in the strategic objectives of the organization may be
— reflected in the business continuity policy by a change in the scope of the BC programme, by adding
or removing certain products and services, or
— a change in the priorities of products and services which may initiate a review of each BIA at the
process and activity levels.
A review of different components of the BIA process may be triggered by the following considerations:
— annual review;
— strategic directional change;
— product or service change;
— regulatory change;
— customer and/or contractual change;
— operational change, including new/changed applications/ICT, supply chain (insourcing/outsourcing),
and site/facility resources;
— structural change;
— following a business continuity exercise;
— following a disruptive incident.

In areas of the organization which have changed little since the last BIA, it may be appropriate to check
and confirm the previous results rather than conduct a full review.


Annex A
(informative)

Business impact analysis within an ISO 22301 business continuity
management system

Table A.1 — Business impact analysis within an ISO 22301 business continuity management
system

ISO/TS 22317                                              ISO 22301
Introduction                                              0.3 Components of PDCA in this International Standard
4.2 BC programme context and scope                        4 Context of the organization
4.3 BC programme roles                                    5.4 Organizational roles, responsibilities and authorities
                                                          7.2 Competence
4.4 BC programme commitment                               5 Commitment
4.5 BC programme resources                                7.1 Resources
5 Performing the business impact analysis                 8.2 Business impact analysis and risk assessment
5.8 Next step — Business continuity strategy selection    8.3 Business continuity strategy


Annex B
(informative)

Business impact analysis terminology mapping

B.1 Business impact analysis terminology mapping

Some of these ISO 22301 terms are not used in this Technical Specification. However, these terms are
common with respect to the performance of the BIA process.

Table B.1 — Business impact analysis terminology mapping

Columns: Number; Term; Definition; ISO/TS 22317 references

1  Maximum Acceptable Outage (MAO) or Maximum Tolerable Period of Disruption (MTPoD or MTPD)
   Definition: Time it would take for adverse impacts, which might arise as a result of not providing a
   product/service or performing an activity, to become unacceptable.
   References: 5.3.1

2  Minimum Business Continuity Objective (MBCO)
   Definition: Minimum level of services and/or products that is acceptable to the organization to
   achieve its business objectives during a disruption.
   Note: This should not be confused with BC objectives in ISO 22301:2012, 6.2 which refer to BC
   programme objectives.
   References: 5.3.1

3  Recovery Time Objective (RTO)
   Definition: Target time following an incident for:
   — product or service delivery resumption, or
   — activity resumption, or
   — resources recovery.
   NOTE For products, services and activities, the recovery time objective must be less than the time it
   would take for the adverse impacts that would arise as a result of not providing a product/service or
   performing an activity to become unacceptable.
   References: 5.3.1

4  Recovery Point Objective (RPO) or Maximum Data Loss (MDL)
   Definition: Point to which information used by an activity must be restored to enable the activity to
   operate on resumption.
   References: 5.5.4
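The priority chain of 5.3 to 5.5 (product to process to activity), the impact-over-time reasoning of 5.3.1, and the Annex B constraint that an RTO be less than the MTPD can be checked mechanically once the BIA data is tabulated. The following Python is an added example, not text or tooling from ISO/TS 22317; the ordinal impact scale, the sample products, processes, activities, RTO/RPO values and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Impact categories of Table 1. The ordinal impact scale is a constructed
# assumption for this example (the standard prescribes none): 0 = no impact,
# 5 = unacceptable, i.e. survival is threatened or objectives are no longer
# achievable (5.3.1).
IMPACT_CATEGORIES = ("Financial", "Reputational", "Legal and regulatory",
                     "Contractual", "Business objectives")
UNACCEPTABLE = 5


@dataclass
class Product:
    name: str
    # category -> [(hours after the disruptive incident, impact level)], a
    # tabulated form of the impact-over-time curve sketched in Figure 4
    impact_profile: Dict[str, List[Tuple[float, int]]]
    processes: Tuple[str, ...]  # processes whose output is this product (5.4.1)


@dataclass
class Activity:
    name: str
    process: str                # process of which the activity forms a part (5.5.1)
    rto_hours: float            # Recovery Time Objective (Annex B, term 3)
    rpo_hours: Optional[float] = None  # Recovery Point Objective (Annex B, term 4)


def mtpd_hours(profile: Dict[str, List[Tuple[float, int]]]) -> Optional[float]:
    """Maximum Tolerable Period of Disruption (Annex B, term 1): the earliest
    time at which any impact category reaches the unacceptable level. The
    category that crosses first sets the MTPD, so rates need not be equal."""
    crossings = [hours for points in profile.values()
                 for hours, level in sorted(points) if level >= UNACCEPTABLE]
    return min(crossings) if crossings else None


def data_quality_findings(product: Product) -> List[str]:
    """5.6.1 'challenge and check': flag unknown impact categories and impact
    levels that fall over time (impacts almost always increase, so a drop
    is worth querying with the information source)."""
    findings = []
    for category, points in product.impact_profile.items():
        if category not in IMPACT_CATEGORIES:
            findings.append(f"{product.name}: unknown impact category '{category}'")
        levels = [level for _, level in sorted(points)]
        if any(later < earlier for earlier, later in zip(levels, levels[1:])):
            findings.append(f"{product.name}/{category}: impact level decreases over time")
    return findings


def prioritize(products: List[Product], activities: List[Activity]) -> List[dict]:
    """Priority flows product -> process -> activity (5.4.1, 5.5.1): an activity
    inherits the shortest MTPD of the products its process delivers, and its RTO
    must be less than that MTPD (Annex B, term 3 note)."""
    process_mtpd: Dict[str, float] = {}
    for product in products:
        mtpd = mtpd_hours(product.impact_profile)
        if mtpd is None:
            continue
        for process in product.processes:
            process_mtpd[process] = min(process_mtpd.get(process, mtpd), mtpd)
    rows = []
    for activity in activities:
        mtpd = process_mtpd.get(activity.process)
        rows.append({
            "activity": activity.name,
            "process": activity.process,
            "mtpd_hours": mtpd,
            "rto_hours": activity.rto_hours,
            "rpo_hours": activity.rpo_hours,
            "rto_ok": mtpd is None or activity.rto_hours < mtpd,
        })
    # documented list of activities and their prioritized timeframes (5.5.4):
    # shortest MTPD first; activities with no unacceptable impact go last
    rows.sort(key=lambda r: (r["mtpd_hours"] is None, r["mtpd_hours"] or 0.0, r["activity"]))
    return rows


# Constructed sample data (hypothetical products, processes and activities).
PRODUCTS = [
    Product("Card payment processing",
            {"Financial": [(0, 1), (4, 2), (12, 4), (24, 5)],
             "Contractual": [(0, 0), (24, 3), (72, 5)],
             "Reputational": [(0, 1), (8, 3), (48, 5)]},
            ("Authorize transactions",)),
    Product("Monthly customer statements",
            {"Financial": [(0, 0), (72, 2), (168, 5)],
             "Legal and regulatory": [(0, 0), (120, 3), (240, 5)]},
            ("Generate statements",)),
]
ACTIVITIES = [
    Activity("Operate authorization switch", "Authorize transactions", rto_hours=8, rpo_hours=0.25),
    Activity("Fraud screening", "Authorize transactions", rto_hours=36),
    Activity("Statement batch run", "Generate statements", rto_hours=72, rpo_hours=24),
]

if __name__ == "__main__":
    for product in PRODUCTS:
        for finding in data_quality_findings(product):
            print("CHECK:", finding)
    for row in prioritize(PRODUCTS, ACTIVITIES):
        flag = "" if row["rto_ok"] else "  <-- RTO is not less than MTPD"
        print(f"MTPD {str(row['mtpd_hours']):>5}h  RTO {row['rto_hours']:>4}h  {row['activity']}{flag}")
```

In the sample data the financial category reaches the unacceptable level at 24 hours for card payments, so both activities of the authorizing process inherit a 24-hour MTPD and the 36-hour RTO of fraud screening is flagged.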


Annex C
(informative)

Business impact analysis information collecting methods

C.1 Business impact analysis information collecting methods

This Annex summarizes common methods to collect information necessary to reach BIA conclusions.
No matter how information is collected, it should be collected in a consistent manner so that the
information can be compared across the organization.

The organization should consider the following factors which may influence the selection of the
method or methods:

— the information needed: Is the information required to perform the analysis quantifiable/discrete
or subjective?;
— previous experience with performing a BIA: Is this the first BIA performed?;
— the need to create business continuity awareness with BC programme participants: Is business
continuity an understood concept and are its outcomes known among interested parties?;
— the complexity of the business: How complex are the activities within the scope of the BIA process?;
— BIA process participant competency: What skills and experiences do business continuity
practitioners have with implementing the BIA process?;
— BIA process participant availability and geographic location: What are the physical locations and
time constraints for those representing activities?

In general, the five most common methods of BIA information gathering are
— documentation review,
— interview,
— survey/questionnaire,
— workshop, and
— scenario-based exercise (caution is advised as different scenarios may result in different
magnitudes of impact).

The methods to ensure information consistency, regardless of information collection method, are
the following:

— provide training for those who are leading or participating;
— identify information requirements;
— provide oversight or quality assurance of outputs;
— perform a trial of information collection method before implementing on a whole scale.


C.2 Documentation review

The organization should review the following documentation as an essential step in preparing for
interviews, developing survey questions, and eventually performing analysis-related work:
— strategy documents;
— marketing materials;
— annual reports;
— business performance metrics;
— standard operating procedures describing day-to-day task execution;
— equipment and information and communications technology (ICT) lists;
— insurance policies;
— post-incident reports;
— training materials;
— prior BIA information;
— process documentation;
— organizational charts;
— roles and responsibilities;
— customer-related service level agreements;
— contractual requirements.

C.3 Interview

Organizations may perform interviews to enable discussion regarding day-to-day operations, resource
needs, obligations, and possible impacts if a disruptive incident were to affect the activity’s capability
to deliver processes, and products or services.

Although many ways to structure an interview exist, topics should include the following:
— BIA process overview, objectives, desired outcomes, and the relationship of the BIA process to the
remaining business continuity planning process;
— BIA participant expectations;
— the relationship of activities to processes;
— activity discussion;
— next steps, including a review of the interview summary, comments and corrections, and approval.
The activity discussion may cover the following topics:
— activity overview and relationship to products and services and processes, with emphasis on key
tasks and the timeframes necessary to perform the activity as a whole or the subordinate tasks
(including fluctuations in demand or peak operating periods);
— resource dependencies and requirements (see 5.5.1), including existing workarounds and how long
they remain viable;
— known impact associated with process downtime (see 5.3.1);
— known activity-specific obligations.

Interview good practice includes the following:

— prepare adequately, which often includes an agenda with instructions for the interview participant
on preparing for the interview;
— research on the activity in order to inform interview questions;
— repeat key information to ensure it was heard accurately;
— document an interview summary, solicit feedback, and obtain approval.

C.4 Survey/Questionnaire

Organizations may use surveys or questionnaires to effectively collect discrete information, meaning
information with a finite number of possibilities or information that can be quantified. Organizations
can choose to deliver surveys as
— hard-copy documents,
— electronic documents, or
— online survey service.

It is important that the questions be clear in their intent and language, and a contact should be provided
to resolve questions that the interviewee may have.

Common survey content may include the following:
— validation of the impacts associated with a disruptive incident, including how the impact
changes over time;
— identification of additional legal, regulatory, or contractual obligations specific to the activity;
— identification of resource dependencies and requirements, as well as recovery timeline following a
disruptive incident.

C.5 Workshops

Workshops with participants representing different activities or processes may be used to collect similar
information to interviews but in addition may develop and share outcomes with the group in order to
— produce additional, more complete information and
— resolve competing, possibly unrealistic expectations.

C.6 Scenario-based exercise

Using a scenario-based exercise enables participants to decide on the priority of products and services,
processes, and/or activities within the context of a simulated disruptive incident. At a top management
level, the exercise should be sufficiently challenging that the tolerance of customers is stretched
to breaking point so that impacts can be identified and evaluated and difficult decisions about
priorities can be made. At a process and activity level, an exercise can explore the logistics, timing and
dependencies on other activities and supply chains.
For a top management exercise, scenarios should be kept simple so that participants concentrate on
priorities prompted by information injects relating to external pressures such as complaints from
customers and media pressure. Time should be allowed for priorities to be debated rather than
following a strict incident timeline.

For a process or activity level exercise the objectives should focus on identifying the resources required
for recovery requirements and the order, feasibility and maximum time available for recovery to
achieve the required recovery of product and service delivery.
The outcomes of an exercise may include the following:
— identification of the impacts that would result from a disruption to product and service delivery and
the time at which such impacts would become unacceptable;
— prioritization of product and service delivery, processes, and/or activities;
— resources required to support an activity including supplies;
— interdependencies of the activity on other activities.
These outcomes may not give results that are as comprehensive as a series of structured interviews but
the engagement of the participants and the apparent realism of the situation may give more reliable
results. This method is also useful when the time available with the participants is limited.

NOTE When performing scenario-based information collection, be sure to concentrate on the impact of the
scenario, as opposed to the cause of the scenario.

Tables C.1 to C.5 give additional information regarding advantages, disadvantages, opportunities, and
tips regarding each of these information gathering approaches.

Table C.1 — Document review

Advantages:
— Potentially detailed and thought through
— Evidence already exists/does not require additional effort or verbal communications
— Leverages previous efforts/promotes cooperation
— Easy to access

Disadvantages:
— Time consuming
— Lack of explanation and context
— Could be out-of-date or incorrect
— Needed information could be difficult to locate due to volume

Opportunities:
— Information can come from many sources
— Can enable the compilation of draft questionnaires/interview questions
— Can confirm information from other methods

Tips:
— Pair with a meeting to ensure context is understood
— Read available documentation in preparation for interviews and workshops


Table C.2 — Interviews

Advantages:
— Involves staff and raises awareness
— Interviewer gains knowledge of people and functions
— Discovers actual impacts (near-misses)
— Addresses personal views and fears
— Personal response

Disadvantages:
— Time consuming
— Need to prepare
— May use more staff time
— Questionnaire draft still needed
— Lacks consistency if more than one interviewer

Opportunities:
— Use of senior participants
— Where qualitative assessment is required
— Use where awareness is a requirement

Tips:
— Formalize interview structure
— Interview in location
— Try to interview in context of business deliverables, not process aims
— Take time to explain purpose of the BIA process

Table C.3 — Workshops

Advantages:
— Cross-process perspective
— Brainstorming
— Shows organization’s commitment
— Fewer distractions
— More professional

Disadvantages:
— Difficult to timetable
— Difficult to deal with dissent and internal politics in a group
— Facilitation skills required
— Lots of preparation

Opportunities:
— When rapid results required
— High level of organizational commitment
— Can also be used to raise awareness of business continuity

Tips:
— Sell to management on the basis of cost savings
— Prepare it well — only get one chance!
— Retain focus on impacts, not causes

Table C.4 — Scenario-based exercise

Advantages:
— Forces decision on timescales and priorities
— Provides relatable context for understanding strategy options and decisions (including manual workarounds and alternate procedures)
— More realistic decisions may emerge

Disadvantages:
— Significant preparation required
— Could narrow scope of discussion to scenario at hand (leaving out other resource losses or threats)

Opportunities:
— Can also be used to raise awareness of business continuity
— Plans can be developed or exercised in addition

Tips:
— Make the scenario and exercise realistic to encourage buy-in and involvement


Table C.5 — Questionnaires/Surveys

Advantages:
— Easy to analyze
— Easier to standardize response
— Produces ‘hard-copy’ evidence
— Can be automated
— Software available for remote entry

Disadvantages:
— Questionnaire fatigue
— Interpretation of questions
— Need to cross-check
— Possibility of error in questions nullifying results
— Lack of involvement
— Miss soft issues
— Miss major issues through not challenging response

Opportunities:
— In a mature BC programme/organization
— When information can be numerical or ranked
— As a follow-up
— If the number of respondents is high
— Remote locations

Tips:
— Database or spreadsheets for graphs
— Keep information requirements tight
— Verify information
— Mix with interviews


Annex D
(informative)

Other uses for the business impact analysis process

D.1 The collection of information useful for plan development and incident
response

The BIA process contents described in this Technical Specification comprise only the information
required to select appropriate business continuity strategies to meet business continuity requirements.
Conducting a BIA through any of the methods described may be an opportunity to collect the following
additional information which will be useful in developing plans or in responding to a disruptive incident.

At the top management level:

— the planned strategic direction of the organization, such as mergers, relocation or acquisitions
which may affect business continuity strategy in the future and should be taken into account when
selecting current strategies;
— exploration of business continuity strategy opportunities such as cooperation with other
organizations (who may be competitors) to provide mutual aid.
At the process level:

— opportunities to buy-in a service to deliver elements or all of the process temporarily, or outsource
elements or all of a process permanently after a disruptive incident.
At the activity level:
— the documentation of workarounds for the absence of resources and their limitations of quality,
extra resource needs, and for how long they are effective;
— feasibility of sourcing alternate supplies;
— characteristics of staff.

Characteristics of staff include the following:

— skills of individual members of staff (in current and past roles);


— contact details;
— their primary work location, home location, and mode of transport to work;
— ability to work from home (including network capacity, equipment, and desk location);
— records and their location.

D.2 Increasing the efficiency of the organization


The overview of the operation of an organization that emerges from the BIA process may enable
participants in the process to identify changes that can improve its efficiency. These changes may not
have been apparent until the organization explores its web of interdependencies.

A better understanding of the time imperatives of product and service delivery could improve
scheduling and prioritization when resources are temporarily limited.

Knowing the time imperatives of various parts of a manufacturing process could improve the
optimization of stocks of raw materials or spare parts.

Understanding the interdependencies of activities may suggest changes in management structure.

D.3 To explore alternative strategic planning options

The BIA process described in this Technical Specification determines the business continuity
requirements of an organization as they are at present. However, the organization can also apply the BIA
process to one or more future situations in order to understand the business continuity implications of
planned changes.

This application of the BIA process may be useful if the organization is planning significant changes
such as the following:

— rearrangement of workspace: a new site, site closure or consolidation;


— change in resource: staff increase or decrease;
— change in technology: automation or ICT hardware;
— product or service change: new contracts or change in business terms.

The application of a future-looking BIA process could explore various options to understand the
business impact of each change as there may be significant differences within which disruption to
products, services, processes or activities remains acceptable. These conclusions may be used as an
input into the decision-making process. For example:

— a call center service delivered from two sites may provide an acceptable, if not degraded, service
compared to downtime potential if a single site was used and became non-operational;
— the impact of a loss following the proposed change is unacceptable, so the organization abandons
the proposed change;


— space freed by relocation may be considered as potential recovery space rather than disposed of;
— a change in staff numbers may affect the time taken to recover an activity;
— new information and communication technologies may have different recovery timeframes and some
may be feasible within the time available so this should be ascertained as part of the selection process;
— it should be verified that service levels and contractual obligations for recovery are achievable prior
to agreement.

D.4 To assist with longer term strategy decision-making

The method of evaluating impacts over time could be applied at a strategic level to a number of strategic
decisions other than recovery requirements.


Many long-term shifts in an organization’s operations are driven by external factors such as the following:
— pending regulation;
— changes in the business environment;
— degradation of the physical environment;
— shifts in public opinion.

The organization need not respond immediately to these changes, but top management may assess
the growing impacts over time to reach a decision as to when, roughly, the reputational or financial
impacts of not responding to the changing circumstances become unacceptable. This may then be a
consideration in strategic planning.

D.5 Project BIA

The BIA as described in this Technical Specification assumes that the product and service delivery
dates can be postponed to a point that is just acceptable to the interested parties. At times, the product
is a project without delivery date flexibility and cancellation may be unacceptable. The organization
can apply the BIA process to determine if the delivery date of the project can be shifted, but only by a
set time since the consequences of further delay would be unacceptable.

In this case, the process and activity level prioritization efforts may be conducted in reverse. To do
so, the organization may use the time taken by each activity to work backwards from the set date
to ascertain at what point each activity needs to be started to achieve the deadline, and optionally
to assess which activities can be omitted or scaled to deliver the project to the minimum acceptable
specification. This is conventional project planning and critical path analysis but with the BIA driving
the due dates and informing the duration of contingency time to be inserted into the project plan. As
the project progresses this contingency time can be monitored and slippage controlled by dropping
activities that are not in the minimum specification.

While this approach does not guarantee on-time delivery of projects, it does ensure top management
understanding of the impacts of delays. They may choose to identify which projects are within the
scope of this approach and whether business continuity staff should be involved.
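The reverse prioritization described in D.5 can be carried out as a small calculation: each activity's latest finish is fixed by the activities that depend on it, the last activity must finish before the set date less the contingency time, and activities outside the minimum specification are dropped (with their dependencies rewired) when slippage has consumed that contingency. The Python script below is an added example of that calculation; it is not part of ISO/TS 22317 or any project's code, and the activity names, durations, dependencies, deadline and contingency figure are constructed values chosen for illustration.

```python
"""Backward scheduling from a fixed delivery date, as described in Annex D.5.

Added example, not part of ISO/TS 22317. The activity names, durations,
dependencies, deadline and contingency figure below are constructed values.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Activity:
    name: str
    duration_days: int
    minimum_spec: bool                       # False = may be dropped to protect the deadline
    depends_on: list = field(default_factory=list)


def backward_schedule(activities, deadline, contingency_days=0):
    """Map each activity to (latest_start, latest_finish), working back from the deadline.

    An activity with no successor must finish by the deadline minus contingency;
    any other activity must finish by the earliest latest-start of its successors.
    """
    by_name = {a.name: a for a in activities}
    successors = {a.name: [] for a in activities}
    for a in activities:
        for dep in a.depends_on:
            successors[dep].append(a.name)
    cache = {}

    def latest_finish(name):
        if name not in cache:
            succ = successors[name]
            cache[name] = (deadline - timedelta(days=contingency_days) if not succ
                           else min(latest_start(s) for s in succ))
        return cache[name]

    def latest_start(name):
        return latest_finish(name) - timedelta(days=by_name[name].duration_days)

    return {a.name: (latest_start(a.name), latest_finish(a.name)) for a in activities}


def project_start_needed(schedule):
    """Date by which the first activity must begin for the deadline to be achievable."""
    return min(start for start, _ in schedule.values())


def drop_optional_activities(activities):
    """Keep only minimum-specification activities, rewiring dependencies past dropped ones."""
    dropped = {a.name: a for a in activities if not a.minimum_spec}

    def resolve(deps):
        out = []
        for d in deps:
            out.extend(resolve(dropped[d].depends_on) if d in dropped else [d])
        return list(dict.fromkeys(out))      # de-duplicate while keeping order

    return [Activity(a.name, a.duration_days, True, resolve(a.depends_on))
            for a in activities if a.minimum_spec]


def contingency_remaining(schedule, name, actual_start, contingency_days):
    """Contingency days left once `name` actually started on `actual_start` (date or ISO string).

    A negative value means slippage has used up the contingency, which is the
    trigger in D.5 for dropping activities outside the minimum specification.
    """
    if isinstance(actual_start, str):
        actual_start = date.fromisoformat(actual_start)
    planned_start, _ = schedule[name]
    return contingency_days - (actual_start - planned_start).days


# Constructed sample project: a fixed delivery date, 5 days of contingency, five activities.
DEADLINE = date(2025, 12, 1)
CONTINGENCY_DAYS = 5
ACTIVITIES = [
    Activity("design", 10, True),
    Activity("build_core", 20, True, ["design"]),
    Activity("build_extras", 8, False, ["build_core"]),   # outside the minimum specification
    Activity("test", 7, True, ["build_extras"]),
    Activity("deliver", 1, True, ["test"]),
]
FULL_SCHEDULE = backward_schedule(ACTIVITIES, DEADLINE, CONTINGENCY_DAYS)
MINIMUM_SCHEDULE = backward_schedule(drop_optional_activities(ACTIVITIES), DEADLINE, CONTINGENCY_DAYS)

if __name__ == "__main__":
    for label, sched in (("full scope", FULL_SCHEDULE), ("minimum specification", MINIMUM_SCHEDULE)):
        print(f"{label}: project must start by {project_start_needed(sched)}")
        for name, (ls, lf) in sched.items():
            print(f"  {name:<13} latest start {ls}  latest finish {lf}")
    print("contingency left if build_core starts 2025-10-28:",
          contingency_remaining(FULL_SCHEDULE, "build_core", "2025-10-28", CONTINGENCY_DAYS))
```

With the sample data the full scope must start by 11 October 2025, while the minimum specification (with build_extras dropped and test rewired onto build_core) may start eight days later; if build_core starts a week late, the five days of contingency are exhausted by two days, which is the point at which D.5 suggests dropping non-minimum activities rather than the delivery date.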

D.6 Business impact analysis as a risk analysis

Some risk management standards use the term “business impact analysis”.

Although it is possible to identify the impact of identified threats, this is of limited use in determining
business continuity strategies which are intended to be useful to respond to both identified and
unexpected disruptive incidents. Business continuity requirements defined only by identified threats
may not be comprehensive.

In this method, the measurement of impact by a single variable ignores the essential parameter of
time. The impact of a disruptive incident on an organization’s reputation and finances almost always
increases over time, possibly being negligible immediately after the disruptive incident to being
survival threatening at some time later. A single value for impact cannot describe this variation.

The impact of a disruptive incident on an organization appears to be more closely related to the speed
and effectiveness of the return to providing products and services to customers than the nature of the
threat that caused the disruptive incident. Indeed, some organizations have enhanced their reputation
by their response to a disruptive incident.

The approach used within this Technical Specification assumes that the organization should be
prepared for any disruptive incident. Therefore, the identification of threats and an attempt to assess
their likelihood, as described in risk-based standards, is inappropriate as a method to determine
recovery requirements.



ICS 03.100.01
Price based on 27 pages
