Business Impact Analysis: how to run it in half a day

BIA usually means endless Excel sheets. Here is a lightweight format that produces useful results in four hours.


TL;DR

BIA in half a day: lightweight format yielding a usable process × impact matrix. 4 hours, 2 workshops with process owners, output a 5-page PDF. Sufficient for ISO 27001:2022 and NIS2.

Why BIA matters

BIA (Business Impact Analysis) connects business processes to the ICT systems they depend on. Without it, any declared RTO and RPO are indefensible: nobody can say why a system must be back in 4 hours rather than 4 days. ISO 27001:2022 control A.5.30 (ICT readiness for business continuity) and NIS2 Article 21 effectively require it.

The lightweight 4-hour format

Hour 1 — Process identification (workshop with management)

List of business processes (max 20). For each:

  • process name;
  • owner;
  • main inputs/outputs;
  • frequency (continuous, daily, monthly).

Hour 2 — Impact quantification

For each process, 3 numbers:

  • MTPD (Maximum Tolerable Period of Disruption): the longest outage the business can absorb before the damage becomes unacceptable (lost customers, contractual or regulatory breach, insolvency); the target RTO must sit clearly below it;
  • hourly downtime cost (lost revenue + idle staff cost + contractual penalties);
  • tolerable data loss (how far back can you restore to without unacceptable rework or loss?); this number becomes the RPO.

Hour 3 — ICT dependency mapping

For each process:

  • required ICT systems;
  • input data and where it comes from;
  • external services needed (SaaS, identity provider / authentication);
  • required roles and the people who hold them.

A system shared by several processes (typically the identity provider, or the ERP) inherits the strictest RTO/RPO of every process that depends on it; this is where most recovery plans are silently wrong.

Hour 4 — Documentation and approval

Compile into a 5-page PDF:

  • 1 page summary;
  • 1 page methodology;
  • 2 pages process × impact matrix;
  • 1 page ICT mapping.

Have it signed by management.

Common mistakes

  • too many processes: above 20 you lose focus. Group them.
  • estimates without data: use historical incident, finance and sales data, not opinions.
  • not updating it: treat it as valid for 24 months at most, then redo it, and redo it earlier whenever a process, system or supplier changes materially.

Useful outputs

From BIA you directly derive:

  • target RTO/RPO per process;
  • list of critical systems;
  • restart priorities;
  • DR plan requirements.
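The derivation above is mechanical once the matrix exists, so here it is as code. This is an added example, not part of the original page: the process names, owners, systems and every number are constructed sample data for a hypothetical company, and the 50% safety margin between MTPD and target RTO is an assumption, not a rule the page states. It goes one step beyond the text by showing how a shared system (the identity provider) inherits the strictest requirement of the processes that need it, which is what decides the restart order.

```python
"""Derive BIA outputs (target RTO/RPO, critical systems, restart order)
from a process x impact matrix.

Added example, not from the original page. All names and figures below are
constructed sample data for a hypothetical company.
"""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    owner: str
    mtpd_hours: float           # Maximum Tolerable Period of Disruption
    hourly_cost: float          # lost revenue + idle staff + penalties, per hour
    max_data_loss_hours: float  # how far back the business can afford to go
    systems: list[str] = field(default_factory=list)  # ICT dependencies


# Constructed sample matrix (hypothetical company, hypothetical numbers).
PROCESSES = [
    Process("Order intake", "Sales", mtpd_hours=8, hourly_cost=5_000,
            max_data_loss_hours=1, systems=["ERP", "IdP", "Web shop"]),
    Process("Payroll", "HR", mtpd_hours=72, hourly_cost=200,
            max_data_loss_hours=24, systems=["HR suite", "IdP"]),
    Process("Production scheduling", "Operations", mtpd_hours=4, hourly_cost=12_000,
            max_data_loss_hours=0.5, systems=["MES", "ERP", "IdP"]),
    Process("Monthly reporting", "Finance", mtpd_hours=240, hourly_cost=50,
            max_data_loss_hours=168, systems=["ERP", "BI"]),
]

# Assumption: aim the RTO at half of the MTPD so recovery finishes with margin.
SAFETY_MARGIN = 0.5


def process_targets(processes):
    """Target RTO/RPO per process: RTO sits below MTPD by the safety margin,
    RPO equals the tolerated data loss. Returns {name: (rto_h, rpo_h)}."""
    return {p.name: (p.mtpd_hours * SAFETY_MARGIN, p.max_data_loss_hours)
            for p in processes}


def system_targets(processes):
    """A system inherits the strictest RTO and RPO of every process that
    needs it. Returns {system: (rto_h, rpo_h, [dependent process names])}."""
    targets = process_targets(processes)
    out = {}
    for p in processes:
        rto, rpo = targets[p.name]
        for s in p.systems:
            if s not in out:
                out[s] = (rto, rpo, [p.name])
            else:
                cur_rto, cur_rpo, names = out[s]
                out[s] = (min(cur_rto, rto), min(cur_rpo, rpo), names + [p.name])
    return out


def critical_systems(processes, rto_threshold_hours=24):
    """Systems whose inherited RTO is at or below the threshold (the
    threshold is an assumption; set it to your own business continuity
    policy)."""
    return sorted(s for s, (rto, _, _) in system_targets(processes).items()
                  if rto <= rto_threshold_hours)


def restart_order(processes):
    """Restart priority: shortest inherited RTO first; ties broken by the
    total hourly cost of the processes that depend on the system."""
    cost = {p.name: p.hourly_cost for p in processes}
    st = system_targets(processes)
    return sorted(st, key=lambda s: (st[s][0], -sum(cost[n] for n in st[s][2])))


def outage_cost(process, hours):
    """Direct cost of an outage of the given length and whether it breaches
    the MTPD (beyond which the damage is no longer a linear cost)."""
    return process.hourly_cost * hours, hours > process.mtpd_hours


if __name__ == "__main__":
    for name, (rto, rpo) in process_targets(PROCESSES).items():
        print(f"{name:24s} RTO {rto:6.1f} h   RPO {rpo:6.1f} h")
    print("critical systems:", critical_systems(PROCESSES))
    print("restart order:   ", restart_order(PROCESSES))
```

Note that the identity provider comes out first in the restart order even though no process owner would have listed it as "their" system: it is needed by the two processes with the shortest MTPD and the highest hourly cost. That is exactly the kind of dependency the Hour 3 mapping is meant to surface.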

FAQ

Can I do BIA alone (without involving business)?

No. BIA's value is process owner involvement. Without it, it is a useless IT-only exercise.

Must BIA be certified?

No, it is internal documentation. But it must be dated and signed.

Is BIA the same as risk assessment?

No. BIA quantifies the impact of losing a process, regardless of what causes the loss. Risk assessment scores likelihood and impact per threat scenario. They are complementary: the BIA supplies the impact side of the risk assessment.


See also: Risk assessment for DR (on the risk assessment side) and Annex A.5.30 (on control A.5.30).

Want to see Sefthy in action?

Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.