# Business Impact Analysis (BIA)

One-sentence definition: Process to determine critical business processes, dependencies, and the impact of disruption to set recovery priorities.

## Key Facts

- Identify critical functions, dependencies (people, tech, vendors), and impacts (financial, reputational, legal, safety).
- Determine Maximum Tolerable Downtime (MTD/MAO) for each function.
- Derive recovery objectives (RTO, RPO) and resource requirements.
- Consider upstream/downstream dependencies and single points of failure.
- Use workshops, questionnaires, and data review; validate with leadership.
- Feed outputs into BCP/DR strategy and investments.
- **Label:** **Prioritization** tool for continuity planning.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose what information BIA provides vs risk assessment or DR tests.

**Mnemonic:** “What breaks, how bad, how long.”

## Mini Scenario

Q: If MTD is 24h but current RTO is 48h, what does this imply?

A: Gap; need additional controls/strategies to meet objectives.

## Revision Checklist

- Define MTD and list 3 impact types.
- Explain how BIA informs RTO/RPO.
- Name two data-gathering methods.

## Related

[[RTO, RPO, WRT]] · [[Business Continuity Management (BCP)]] · [[Disaster Recovery Planning (DRP)]] · [[Risk Management Lifecycle]] · [[Security Metrics, KPIs, KRIs]] · [[Domain 1 - Index]]