A business impact analysis (BIA) of an IT system is a critical process that helps you understand the potential impact of disruptions to your IT infrastructure on business operations. For COB.RA, this analysis is essential input for the calculation of risks in later steps.
Tailoring the questionnaire (optional)
You can freely define the questions you want to ask. If you already have a set of questions in your company, you can simply reuse it. Both the number and the text of the questions are customizable.
For each of the questions, you define 25 different impact levels (impact grading scale), which help you translate the answers to the questions into business impact ratings.
Filling in the questionnaire
Usually, you would fill in the questionnaire with a group of business and IT experts. Let’s assume you have configured your business impact analysis to consist of 7 questions. For each of the questions, you would describe the business impact of a confidentiality, integrity, or availability breach. Your answers should be based on worst-case scenarios that all participants still consider realistic.
Together with your descriptions, you assign a rating (ranging between 0 and 25) that reflects the severity of the business impact. These ratings are key for the calculation of the final risk of the service. Given that the questionnaire was prepared with worst-case scenarios in mind, these ratings set the upper boundary for the overall risk of the service. At the same time, you will use these ratings to define the impact of threats in the coming steps.
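To make the structure of the filled-in questionnaire concrete, here is an added Python example (it is not part of COB.RA or of this page) that models the questions, the confidentiality, integrity and availability answers with their 0 to 25 ratings, checks each rating against that range, and derives the per-dimension maxima and the resulting upper bound for the overall risk of the service. The question texts, scenario descriptions and ratings are constructed sample data, the three-question questionnaire is an assumption (the page uses seven as its example), and the function names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The three breach types the page asks you to describe for every question.
DIMENSIONS = ("confidentiality", "integrity", "availability")
# Rating range stated on the page. The labels of the impact grading scale are
# whatever your organization defined, so only the numeric range is checked here.
RATING_MIN, RATING_MAX = 0, 25


@dataclass
class ImpactAnswer:
    description: str  # worst-case scenario all participants still consider realistic
    rating: int       # numeric business impact taken from the impact grading scale


@dataclass
class Question:
    text: str
    # one answer per dimension, keyed by the names in DIMENSIONS
    answers: Dict[str, ImpactAnswer] = field(default_factory=dict)


def validate_questionnaire(questions: List[Question]) -> List[str]:
    """Return a list of problems; an empty list means the questionnaire is complete."""
    problems: List[str] = []
    for number, question in enumerate(questions, start=1):
        for dim in DIMENSIONS:
            answer = question.answers.get(dim)
            if answer is None:
                problems.append(f"Q{number}: no {dim} answer")
                continue
            if not answer.description.strip():
                problems.append(f"Q{number}/{dim}: empty scenario description")
            if not RATING_MIN <= answer.rating <= RATING_MAX:
                problems.append(
                    f"Q{number}/{dim}: rating {answer.rating} outside {RATING_MIN}..{RATING_MAX}"
                )
    return problems


def impact_per_dimension(questions: List[Question]) -> Dict[str, int]:
    """Highest rating per C/I/A dimension across all questions.

    These are the values carried into the next step, where the impact of
    individual threats against the service is rated.
    """
    maxima = {dim: RATING_MIN for dim in DIMENSIONS}
    for question in questions:
        for dim, answer in question.answers.items():
            if dim in maxima:
                maxima[dim] = max(maxima[dim], answer.rating)
    return maxima


def risk_upper_bound(questions: List[Question]) -> int:
    """Every answer describes a worst case, so the highest rating anywhere in
    the questionnaire is the ceiling for the overall risk of the service."""
    return max(impact_per_dimension(questions).values())


def build_sample_questionnaire() -> List[Question]:
    """Constructed sample (hypothetical order-processing service, three questions)."""
    def q(text, c, i, a):
        return Question(text, {
            "confidentiality": ImpactAnswer(c[0], c[1]),
            "integrity": ImpactAnswer(i[0], i[1]),
            "availability": ImpactAnswer(a[0], a[1]),
        })
    return [
        q("Financial loss",
          ("Customer price lists leak to a competitor", 12),
          ("Order amounts are silently altered before invoicing", 20),
          ("Orders cannot be taken for two business days", 15)),
        q("Legal and regulatory consequences",
          ("Customer personal data is disclosed", 18),
          ("Audit trail of orders is tampered with", 22),
          ("Reporting deadlines are missed during an outage", 8)),
        q("Reputation",
          ("The data leak becomes public", 16),
          ("Wrong deliveries caused by corrupted orders", 10),
          ("Web shop unavailable during peak season", 14)),
    ]


if __name__ == "__main__":
    questionnaire = build_sample_questionnaire()
    print("Problems:", validate_questionnaire(questionnaire) or "none")
    print("Impact per dimension:", impact_per_dimension(questionnaire))
    print("Upper bound for service risk:", risk_upper_bound(questionnaire))
```

Running the validation before the workshop ends catches the two mistakes that typically slip through a group session: a dimension nobody answered for a question, and a rating typed outside the grading scale. The per-dimension maxima are what you reuse when rating threat impact, and the overall maximum is the upper boundary the page describes.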
What next?
Once you have filled in the questionnaire and used your impact grading scale to assign numeric ratings, you proceed with selecting components to document all relevant threats and controls.