Sunday, December 27, 2009

Information Security: What comes first - Business Impact Analysis or Risk Assessment?

Last week, I attended a 2 day course on ISO 27001: Information Security Management System. The course was meant for auditors and as part of the course we discussed the relevance of Business Impact Analysis (BIA) and Risk Assessment (RA) in the context of Information Security Management System (ISMS). The questions that was asked was what comes first: BIA or RA?

My immediate response was Risk Assessment. As an organisation, one would need to identify all risks, Rank the risks based on the quantum of impact and probability of occurance, and finally Formulate mitigation plan for top risks. By my argument, business impact analysis was a sub set of Risk Assessment.

However, there was a counter argument to this. For large organisations, it is time and effort intensive exercise, if not impossible, to identify all risks and assess their impact. So rather than carrying out risk assessment, it would be a lot easier to carry-out Business Impact Analysis upfront. This would involve identifying critical activities of the business value chain or critical assets and assessing the impact (in terms of loss of production, loss of revenues, loss of person hours of time, etc) to the overall business in case of their non performance. Risk assessment would then be carried out to identify the risks that would impact these critical value chain activities or assets adversely, which is followed by formulating a mitigation plan for the top risks identified.

On the second thoughts the later approach seemed very rational and logical. What do you think?


  1. Keep in mind that certification is based on what management defines as the scope; this "option" allows the BIA/RA effort to be limited to a specific operation within a region.

  2. In most of the information security system business impact analysis was first comes then only risk assessments are come over.