How to conduct an ISO 22301-compliant business impact analysis

If your organisation has adopted, or plans to adopt, ISO 22301, you will need to conduct a business impact analysis (BIA). Getting this process right is essential, as its conclusions inform risk assessments, security strategies and other vital components of business continuity.

Why you need a BIA

A BIA assesses the risks an organisation faces, how disruptive they will be and how long it will take to recover. Without a BIA, there’s no assurance that all potential interruptions have been accounted for. There is also no way of knowing whether the organisation’s resilience, response and recovery capabilities are comprehensive and representative of its top priorities.

What a BIA involves

ISO 22301 doesn’t detail exactly what a BIA should look like, as the risks and demands will vary greatly between organisations. However, there are universal factors that organisations should base their analysis around. You should always start by gathering as much relevant information about the organisation as possible. This information should be evaluated, with the findings forming a report that will be presented to senior management.

Information gathering will often consist of a detailed questionnaire, survey or interview with staff. The aim is to identify critical business processes, resources and relationships between systems. To do this, you should consider asking:

  • What principle activities the organisation performs;
  • How staff would rank the importance of specific processes;
  • How disruption to certain functions will affect the organisation financially and logistically;
  • Which staff are required to recover crucial systems; and
  • How long will it take for the organisation to recover following certain disruptions.

Conducting a BIA can seem daunting even when you know what questions you need to ask. Some organisations outsource the process, but there are other, less expensive ways to get help. Many organisations only need template documents to nudge them in the right direction. A visual cue and advice on what the end result should look like can be a massive advantage for those who are unsure where to begin.

BIA templates

If documentation templates sound appealing, you should take a look at our ISO22301 BCMS Documentation Toolkit. It contains a complete set of easy-to-use and customisable templates to help you comply with ISO 22301, including the BIA procedure and an analysis tool.

Business Impact Analysis (BIA) Tool

Our BIA tool includes expert advice.

The ISO22301 BCMS Documentation Toolkit was designed and developed by experienced business continuity consultants, and enables you to:

  • View ISO 22301-compliant documentation;
  • Embed the documentation in your organisation quickly and easily; and
  • Mitigate the effects of unplanned business disruptions, and develop plans to cope with incidents.

It also includes professional guidance and advice, which helps you become your own expert while also saving time and money.

You might also be interested in our book of the month, A Manager’s Guide to ISO22301, which includes illustrative examples on conducting a BIA and other requirements of the Standard.

This guide is written in a friendly, non-technical way, making it the ideal introduction to ISO 22301 and BIAs.

Buy before the end of May to save 10% >>


Practical guidance for implementing an ISO 22301 business continuity management system