Differences between Risk Analysis and Business Impact Analysis

Risk Management is a process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities and loss.

Business Impact Analysis (BIA) is performed to determine the impact of losing the availability of any resources to an organization.

Performing a BIA is part of Risk Management. Risk Assessment is part of Risk Management, and determines the negative impact of exploited vulnerabilities. BIA must be performed as part of the Risk Assessment step, in order to determine the impact of losing the availability of a given resource.

Key elements that must be supplied to management on a consistent basis regarding information security risk are likelihood and impact related to identified risk. Likelihood (or probability) is determined by the risk analysis process and impact by a BIA. [unknown source] However, some sources (like CISM RQA&EM 9th ed., S2-25) consider that risk analysis comprehends both likelihood and impact.

Both business analysis and BIA are applied to an asset or resource [CISM RM 15th ed., Definitions].

Results of a BIA include listing critical business resources, identifying disruption impacts and allowable outage times, and developing recovery priorities [CISM RQA&EM 9th ed., S2-127].

A Business Continuity Plan (BCP) is a plan used by an organization to respond to a disruption of critical business processes.

Recovery Time Objectives (RTO) of a given asset are determined by performing a BIA in coordination with developing a BCP.


External References

  • CISA Review Manual (26th Edition), ISACA, 2015
  • CISM Review Manual (15th Edition), ISACA, 2016
