
Risk Assessment
Business and IT Impact Analysis Questionnaire

The Business and IT Impact questionnaire, which is used for risk assessment, is ISO 27000 (formerly ISO 17799), Sarbanes-Oxley, COBIT, PCI-DSS, and HIPAA compliant.

The Business Impact Analysis (BIA) is the backbone of the entire business continuity exercise. Even so, it cannot stand alone: without full support, approval and backing from the highest level of management, the exercise will not achieve its full potential. A well-executed BIA can make the difference between a fully developed, robust business continuity plan and a mediocre one.

The BIA can be adjusted to cover any specific requirement, but it does have a fundamental theme at its core. The purpose is to identify the effect of many different external and internal impacts upon the various parts of your organization in times of crisis. It will show which parts of your organization will be most affected by an incident and what effect it will have upon the company as a whole. In other words, we will use the BIA to establish which business functions are most critical to your company's survival. Each organization has hundreds of operations in its overall business, but only a percentage will be key to its survival, and it is for these that we need to build business contingencies. Of course, we will not ignore the remainder, but because they are less critical, we can prepare recovery plans for them instead.

Risk Versus Business Impact Analysis

Risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to those threats. Risk assessment involves evaluating existing physical and environmental security and controls and assessing their adequacy relative to the potential threats to the organization.

Business impact analysis involves identifying the critical business functions within the organization and determining the impact of not performing the business function beyond the maximum acceptable outage. Types of criteria that can be used to evaluate the impact include customer service, internal operations, legal/statutory, and financial.

This Business and IT Impact Analysis Questionnaire has been designed by one of the industry's most experienced application assessment consultants. This Questionnaire has been used in over 500 assessment, DRP and business impact projects in the past four years. Included is a Risk Ranking definition. The Word version of the questionnaire is automated with check boxes that can be updated in Word.

The Questionnaire (Form) is 23 pages in length and contains the following:

  • Facilities / Business Function / Application
  • Sarbanes-Oxley Compliance
  • ISO 27000 Series Compliance
  • HIPAA Compliance
  • System of Internal Controls
  • User Environment
  • Processing Environment
  • Historical Information
  • Operating Environment
  • Criticality of Application
  • Database / File Name
  • Documentation
  • Security
  • Application Support and Maintenance
  • Resource Usage
  • Hardware Requirements by Department
  • Backups

 


 

 
