BIA vs Risk Analysis

Business Impact Analysis & Risk Analysis - How does one differentiate between 'em. .. any discrete steps that someone can advise ? and if somehow these are co-related, somewhere ?

-- Sam

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

jt2929

Risk Analysis provides a cost/benefit comparison related to the cost of controls against the potential cost of loss.
Business Impact Analysis is a functional analysis of the entire business, and applies a ranking of criticality to those business functions.

Sam_aqua

Agree, not sure if this is correct to say, but someone might think that Risk analysis can be considered as a part of BIA step in a specific situation .. however the opposite might not hold true..

cfirsten

Another question, BCP this time:

A business continuity plan is an example of a xxxxxxx control?

1. Corrective
2. Detective
3. Preventive
4. Collective

I answered Preventive, but the correct answer given was Corrective. Am I wrong here? You are trying to prevent business interruptions, a corrective control might happen after the fact, to correct a procedure or a control that was wrong. Hmmm... Any advice, thanks.

soccarplayer29

A business continuity plan wouldn't prevent a disruption in operations so I wouldn't consider it a preventative control. I guess corrective would be the answer

jt2929

cfirsten wrote: »

Another question, BCP this time:

A business continuity plan is an example of a xxxxxxx control?

1. Corrective
2. Detective
3. Preventive
4. Collective

I answered Preventive, but the correct answer given was Corrective. Am I wrong here? You are trying to prevent business interruptions, a corrective control might happen after the fact, to correct a procedure or a control that was wrong. Hmmm... Any advice, thanks.

Out of those, I would choose 1.

cfirsten

Hmmm... interesting. I thought of it(BCP), that you are trying to prevent business disruptions, of course, you can't prevent a disaster, but if a disaster happens are you prepared. You could think of it as a corrective action after a disaster but.... I'll do some more research in my third edition from ISC2 to see if I can find something similar. Thank you for your thoughts.

soccarplayer29

The wording impacts this conversation. If you're just talking about the Business Continuity Plan then I don't consider that preventative.

If you're talking about the Business Continuity Program (plan, process, disaster activities) then maybe I could get behind the idea of it being preventative...but I'd still lean towards corrective.

jt2929

Think of what a BCP is. It's a plan to keep the business running after a disaster or disruption (correct the outage). There is nothing preventive about it.

cfirsten

I have to learn to wrap my mind around it. Anyways I looked in three of my books, AIO, 11th hour and ISC2 and couldn't find anything about it or even a hint. I even looked in the NIST 800-34, read the whole thing

. Another one that's puzzling, hope I don't bother the forum too much with my stupid questions:

When reviewing a reciprocal disaster recovery agreement between two companies, which of the following should be the main concern?

1. The soundness of the business impact analysis
2. Hardware and software compatibility
3. Frequency of system testing
4. Differences in business missions

The correct answer was number 2 and I've answered number 4. At least in my mind, I would worry primarily about the other business; what if I'm Amazon and I want to enter into an agreement with eBay, I'd probably say a big no to that. Hardware and software might be the last on my list, first I'll have to deal with whom I'm doing business with. How do you choose between different companies? Should you look for the least compatible, as far as our lines of business, or for the most, or for the one that agrees to the reciprocal?

But then again, the question says: "when reviewing", so does that mean that the agreement is already in place and we're past number 4? I'm overthinking it, maybe.

soccarplayer29

For this new example:

My view is that the reciprocal agreement between the two companies has already been established and it's asking you to review the established agreement. The goal of this agreement is about being able to continue/recovery your businesses operations. With that in mind I wouldn't care about the other businesses' mission after the agreement had already been agreed upon. Testing is great, but if the results aren't desirable then that's no good. If the BIA wasn't correct then that's a problem, but the best answer is the compatibility because if that won't allow your businesses operations to continue/recover

cfirsten

Yeah, that's what I thought, the agreement is already there. So is my assumption correct? If I were to start from scratch with no agreement at all, my main focus should be our lines of business. What I did find about this one is in the CBK book, in case anyone cares, page 1117:

"Reciprocal Agreements/Mutual Aid Agreements: Other similar organizations may be able to accommodate those affected. For example, one law firm may be able to provide office space to another in the event of an outage......."

I'm taking my exam next week, don't wish me luck, pray for me

. They're going to kill me in there, all by myself, I'll keep you posted afterwards. Thank you everyone for taking the time to answer.

cfirsten

And I shall have my vengeance, lol. Yeah, this is from the Sybex book. Doesn't mean that one is right and/or the other wrong, it's just how they all have their opinions on it.

BCP_screenshot.jpg