BCP quantitative vs qualitative result according to Sybex 2015

SeabSeab Member Posts: 127

I study for the CISSP with the 2015 Sybex book, and there is something quite confusing...
In my comprehension; BCP are quantitative and qualitative, and normally a mix of both as a final result.
In the book, it is said that the result should be quantitative, only. - This is confusing to me.
The results of the BIA provide you
with quantitative measures that can help you prioritize the commitment of business continuity
resources to the various local, regional, and global risk exposures facing your organization.


It’s important to realize that there are two different types of analyses that business
planners use when facing a decision:
Quantitative Decision Making
Qualitative Decision Making

Page 101, from Sybex 2015

Thanks for any insight! :)


  • ScottFiestaScottFiesta Member Posts: 19 ■□□□□□□□□□
    It's not correct that a BCP, the COOP or DRPs should be based only on quantitative assessments. I was part of a large BCP team for over a year and during the BIA process we tackled several complex several elements that went into deciding which functions our business carried out were most critical. Several of these elements were things that you can not easily place a readily measured numerical metric against such as reputation. In those cases, a severity scale similar to something you'd find in ISO31000 documentation was used. For things like monetary loss, impacts are necessarily assigned in dollar values and then categorised on whatever scale you choose to use but there will always be parts of a properly executed BIA process that are simply not quantifiable like that.

    A lot of thought can be put into a BIA impact matrix so as to make rough comparisons between elements measured qualitatively (via subjective expert opinion) and quantitatively ($), and it's normally on this basis that decisions about the relative importance, and therefore recovery priority, of business functions can take place.
  • mycybersecmycybersec Registered Users Posts: 3 ■□□□□□□□□□
    It's normal for CISSP: it deals more with theory and concept than implementation and procedure. It is very broad but not very deep - as Sybex writes in its book :)
    Regarding "quantitative measures": I think it was just an example which doesn't mean that ONLY quantitative measures are usefull for prioritizing the commitment of business continuity resources.
  • SeabSeab Member Posts: 127
    Thanks for the confirmation guys, this is really what I thought as well!! icon_cheers.gif

Sign In or Register to comment.