ISO/TS 22317:2021 pdf download

ISO/TS 22317:2021 pdf download – Security and resilience — Business continuity management systems — Guidelines for business impact analysis

1 Scope

This document gives guidelines for an organization to implement and maintain a formal and documented business impact analysis (BIA) process appropriate to its needs. It does not prescribe a uniform process for performing a BIA.

This document is applicable to all organizations regardless of type, size and nature, whether in the private, public or not-for-profit sectors. The guidance can be adapted to the needs, objectives, resources and constraints of the organization.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Security and resilience — Vocabulary
ISO 22301, Security and resilience — Business continuity management systems — Requirements
4.2 Context and scope

4.2.1 Context

The outcomes of the BIA process are dependent on the organization’s understanding of the following, so that it can achieve its purpose by delivering its products and services to customers:
— the external environment (including suppliers, statutory and regulatory bodies) in which it operates;
— the internal operating environment, inclusive of business processes, activities and resources, as well as the potential impact caused by disruption to the delivery of products and services.

NOTE In organizations operating within a non-commercial environment, the “customer” can be the public or an overseeing authority, such as the government.

4.2.2 Scope

The BIA process should cover the whole of the BCMS scope. The organization should have defined and documented the scope of the BCMS in terms of its products and services. The outcomes of the BIA process can require the organization to reconsider the scope of the BCMS by adding or removing products and services.

The organization should first prioritize all products and services in scope, which can include internal strategic services (see 5.4.3). Those with higher priorities can be addressed first.

4.3 Roles and responsibilities

4.3.1 General

Top management should ensure:
— responsibilities and authorities for relevant roles are assigned and communicated within the organization;
— that persons leading the BIA process are competent;
— resources necessary to perform the BIA process are provided.

Top management should ensure that the following roles (other roles can be appropriate) to perform the BIA process are appointed:
a) BIA leader (this can be the same person as the BCMS manager) (see 4.3.2);
b) activity owners (see 4.3.3).
5.3.2 Define impact types and criteria

The organization can experience different types of impacts such as damage to reputation or business objectives, financial losses and litigation. Impact types are not the same as consequence types or categories as used in risk management. Impact is the result of a disruption on the organization.

To compare and assess impacts that are very different in a consistent manner, the organization should define impact types and criteria. The organization should define impact types to understand the impact over time of a disruption to the delivery of products and services. Top management should approve the proposed impact types and criteria.

The choice of impact types and criteria is influenced by the organization’s sector, context and the nature of its activities, as well as organizational culture. The selection of one or more impact types and criteria, including the need for quantitative and qualitative impact information and the level of detail collected, should be suitable for the organization to select or justify business continuity priorities and requirements.
5.3.3 Define time frames

Impacts almost always increase over time. However, impacts do not always increase at the same rate. For instance, financial impacts can arise as contract penalties are incurred or as customers are lost, while reputational damage can occur suddenly at a point during the disruption.

To assess the magnitude of the impact over time, the organization can choose a set number of time frames at which to consider the magnitude of the impact (e.g. at 1 hour, at 6 hours, at 24 hours, at 3 days, at 1 week) or a set number of time frames within which to consider the increasing magnitude of impact (e.g. 0 to 1 hour, 1 to 6 hours, 6 to 24 hours). The chosen ranges can vary between organizations depending on their context.
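The two clauses above (5.3.2 impact types and criteria, 5.3.3 time frames) describe what a BIA worksheet actually computes: raw magnitudes of unlike impact types are mapped onto one rating scale by agreed criteria, then read off at fixed points in the disruption. The following is an added example written for this page, not code from ISO/TS 22317 or from any organization's BIA tooling. The impact types, the threshold values in CRITERIA, the two impact profiles (a financial loss that accrues continuously and jumps when a contract penalty lands, and a reputational impact that is zero until the outage becomes public and then steps up at once) and the time frames are all constructed assumptions chosen to show the "different rates of increase" point; the helper names are hypothetical.

```python
"""Added example: rate unlike impact types on one scale (5.3.2) and evaluate
them at fixed time frames (5.3.3). All criteria, profiles and numbers below are
constructed for illustration and are not taken from ISO/TS 22317."""
from typing import Callable, Dict, List, Optional

# Assessment points in hours: 1 h, 6 h, 24 h, 3 days, 1 week (5.3.3 example).
TIME_FRAMES_H: List[int] = [1, 6, 24, 72, 168]

# Impact criteria (5.3.2): for each impact type, the smallest raw magnitude that
# earns rating level 1, 2, 3 and 4. Level 0 means negligible. Raw units differ
# per type (currency vs. an ordinal scale); only the levels are compared.
# Threshold values are constructed, not from the standard.
CRITERIA: Dict[str, List[float]] = {
    "financial_gbp": [10_000, 100_000, 500_000, 2_000_000],
    "reputation": [1, 2, 3, 4],  # 1 = customer complaints .. 4 = national press
}


def rate(impact_type: str, raw: float) -> int:
    """Map a raw magnitude to a rating level 0..4 using the type's criteria."""
    thresholds = CRITERIA[impact_type]
    if thresholds != sorted(thresholds):
        raise ValueError(f"criteria for {impact_type} must be ascending")
    return sum(1 for t in thresholds if raw >= t)


# Constructed impact profiles for one product, as functions of outage duration.
def financial_loss(hours: float) -> float:
    """Lost revenue accrues continuously; a contract penalty lands at 24 h and
    then grows per further day (the 'penalties incurred over time' case)."""
    revenue_lost = 2_000 * hours
    penalty = 0 if hours < 24 else 60_000 + 20_000 * ((hours - 24) // 24)
    return revenue_lost + penalty


def reputational_damage(hours: float) -> float:
    """Step function: nothing until the outage becomes public at 6 h, then an
    immediate jump (the 'reputational damage occurs suddenly' case)."""
    if hours < 6:
        return 0
    return 3 if hours < 72 else 4


PROFILES: Dict[str, Callable[[float], float]] = {
    "financial_gbp": financial_loss,
    "reputation": reputational_damage,
}


def impact_table(profiles: Dict[str, Callable[[float], float]] = PROFILES,
                 frames: List[int] = TIME_FRAMES_H) -> Dict[int, Dict[str, int]]:
    """Rating level per impact type at each time frame, plus the overall
    (worst-of) level the BIA would record for that frame."""
    table: Dict[int, Dict[str, int]] = {}
    for h in frames:
        levels = {name: rate(name, profile(h)) for name, profile in profiles.items()}
        levels["overall"] = max(levels.values())
        table[h] = levels
    return table


def first_frame_reaching(level: int,
                         table: Optional[Dict[int, Dict[str, int]]] = None) -> Optional[int]:
    """Earliest time frame at which the overall rating reaches `level`; this is
    the figure used to argue a product's relative continuity priority."""
    if table is None:
        table = impact_table()
    for h in sorted(table):
        if table[h]["overall"] >= level:
            return h
    return None


if __name__ == "__main__":
    print(f"{'hours':>6} {'financial':>10} {'reputation':>11} {'overall':>8}")
    for h, lv in impact_table().items():
        print(f"{h:>6} {lv['financial_gbp']:>10} {lv['reputation']:>11} {lv['overall']:>8}")
    print("first frame at overall level 3:", first_frame_reaching(3), "h")
```

Run as a script, the table shows the financial rating climbing one level at a time (0, 1, 2, 2, 3) while the reputational rating jumps from 0 to 3 at the 6 h frame, so the overall rating is driven by reputation early and by the accumulating financial loss only at one week. That is the comparison the criteria exist to make possible; without a common level scale, "£108,000" and "regional press coverage" cannot be set against each other. The "ranges" variant in 5.3.3 (0 to 1 h, 1 to 6 h, 6 to 24 h) is the same table read as differences between consecutive frames.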
