
Business Impact Analysis

Clause 4.1.1 Requirements Of BS25999-2:2007

Executive Summary

This document attempts to provide an understanding of the BIA process as required by the British Standard, BS25999-2:2007. A flow chart illustrates the flow of the BIA process per Clause 4.1.1 of the standard. Subsequently, each step in the process is demonstrated by means of an example.

Most of the content within the example tables is self-explanatory; however, some of it has been supported with callouts. The example does not strictly stick to the BS standard but includes additional items which are believed to add value from the actionable information point of view.

02/08/2009

Dipankar Ghosh

Section 4.1.1 Of BS25999-2:2007

4.1.1 Business Impact Analysis

4.1.1.1 There shall be a defined, documented and appropriate method for determining the impact of any disruption of the activities that support the organisation's key products and services (see 3.2.1)

4.1.1.2 The organisation shall:

a) Identify activities that support its key products and services
b) Identify impacts resulting from the disruption to these activities, and determine how these vary over time
c) Establish maximum tolerable period of disruption (MTPoD) for each activity by identifying:
   (1) The maximum time after the start of the disruption within which each activity needs to be resumed
   (2) The minimum level at which each activity needs to be performed upon resumption; and
   (3) The length of time within which normal levels of operation need to be resumed;
d) Categorise its activities according to their priority for recovery and identify its critical activities
e) Identify all dependencies relevant to the critical activities, including suppliers and outsourced partners
f) For suppliers and outsource partners on whom critical activities depend determine what BCM arrangements are in place for the relevant products and services they provide
g) Set recovery time objectives (RTO) for the resumption of critical activities within their maximum tolerable period of disruption; and
h) Estimate the resources that each critical activity will require for resumption

BIA Flow Chart


Identifying Activities & Impacts Including Impacts Over Time (4.1.1.2)


Company: XYZ; City: Indore; Building: Grand HQ; Department: Software Development

| Activity/Process | Company Values | 30 min | 1 hr | 8 hrs | 1 day | 1 wk | 1 mth | MTPoD | RTO (< MTPoD) | Minimum Level Of Performance | Time To Resume Normal Operations |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Software requirements analysis | Human Life Implications | L | L | L | L | L | L | 3 days | 2 days | Do paper based requirements analysis for all projects for which deadlines are near | 5 days |
| | Financial Implications | L | L | L | L | M | H | | | | |
| | Reputation Loss | L | L | L | L | M | H | | | | |
| | Customer Satisfaction | L | L | L | L | M | H | | | | |
| Software architecture and design | Human Life Implications | L | L | L | L | L | L | 16 hours | 12 hours | Do paper based design and architecture activities for all projects for which deadlines are near | 2 days |
| | Financial Implications | L | L | L | L | M | H | | | | |
| | Reputation Loss | L | L | L | M | M | H | | | | |
| | Customer Satisfaction | L | L | L | M | H | H | | | | |
| Software construction | Human Life Implications | L | L | L | L | L | L | 16 hours | 12 hours | Software construction work for projects for which deadlines are near | 1 day |
| | Financial Implications | L | L | L | M | M | H | | | | |
| | Reputation Loss | L | L | L | M | M | H | | | | |
| | Customer Satisfaction | L | L | L | M | H | H | | | | |

Callouts:

4.1.1.2 a Identify activities supporting key products &

4.1.1.2 b Identify impacts and determine how they vary over time

4.1.1.2 c 1 (MTPoD), 4.1.1.2 c 2 (Minimum Level Of Performance), 4.1.1.2 c 3 (Time To Resume Normal Operations)

The cells in which the impact changes from L to M are the transition points from Low to Medium impact and may be used to derive the MTPoD. Using one's judgement, the MTPoD can be considered as any time between the time represented by the transitioning low impact time and the next medium impact time. In this example it is a

4.1.1.2 g Note that RTO is mandatory only for the critical activities per the standard. It can be calculated after putting a safety cushion per company policy over the MTPoD. The safety cushion should consider the cycle time to deliver

Categorising Activities by Priorities and Identifying Critical Activities


Legend: Not Critical / Critical

| Activity/Process | Company Values | 30 min | 1 hr | 8 hrs | 1 day | 1 week | 1 month | MTPoD | RTO (< MTPoD) | Priority |
|---|---|---|---|---|---|---|---|---|---|---|
| Software requirements analysis | Human Life Implications | L | L | L | L | L | L | 3 days | 2 days | |
| | Financial Implications | L | L | L | L | M | H | | | |
| | Reputation Loss | L | L | L | L | M | H | | | |
| | Customer Satisfaction | L | L | L | L | M | H | | | |
| Software architecture and design | Human Life Implications | L | L | L | L | L | L | 16 hours | 12 hours | |
| | Financial Implications | L | L | L | L | M | H | | | |
| | Reputation Loss | L | L | L | M | M | H | | | |
| | Customer Satisfaction | L | L | L | M | H | H | | | |
| Software construction | Human Life Implications | L | L | L | L | L | L | 16 hours | 12 hours | Critical |
| | Financial Implications | L | L | L | M | M | H | | | |
| | Reputation Loss | L | L | L | M | M | H | | | |
| | Customer Satisfaction | L | L | L | M | H | H | | | |

Callouts:

Select your time intervals as appropriate for your function

4.1.1.2 d Identify activities which are critical to the organisation. This may be based on the company's criticality policy. For example, any activity whose RTO is <= 16 hours can be considered to be critical by the company. All other activities though could become critical over time if they are not brought up within their respective RTOs.

4.1.1.2 d Prioritising activities by comparing the RTOs of the activities and ensuring activities with lower RTOs are given higher

Identify Dependencies for All Critical Activities: You Are Dependent On Them

| Activity / Process | Priority | Criticality | Agency/Department | External/Internal | Description of dependency |
|---|---|---|---|---|---|
| Software requirements analysis | | Critical | Sales and Accounts Management | Internal | Receive inputs from this team on client requirements |
| | | | Technology | Internal | Ensure that network, systems, telecom and other technical resources required are available |
| | | | Client | External/Internal | Receive inputs on software requirements |
| Software architecture and design | 1 | Critical | Technology | Internal | Ensure that network, systems, telecom and other technical resources required are available |
| | | | Client | External/Internal | Receive design review and approval |
| Software construction | | Critical | Technology | Internal | Ensure that network, systems, telecom and other technical resources required are available |

Callouts:

4.1.1.2 e Identify internal and external dependencies. This includes those who are dependent on you and those you are dependent upon.

4.1.1.2 e Additionally, if you are dependent upon a supplier/partner you are required to ensure that the supplier/partner has adequate BCM arrangements. This will entail some sort of audit of your supplier/partner BCM processes. Also ensure that there are alternatives to your

Identify Dependencies for All Critical Activities: They Are Dependent On You

| Activity / Process | Priority | Criticality | Agency/Department | External/Internal | Description of dependency |
|---|---|---|---|---|---|
| Software requirements analysis | 2 | Critical | Sales and Accounts Management | Internal | Provide outputs to this team to take these up with client |
| | | | Client | External/Internal | Provide outputs to client for their consideration/feedback/approval etc. |
| | | | Software Quality | Internal | Provide system requirements specs to produce test plans and test cases |
| Software architecture and design | 1 | Critical | Client | External/Internal | Provide design deliverables to client for approval |
| | | | Software Quality | Internal | Provide design deliverables to consider for test plans and test cases |
| Software construction | | Critical | Client | External/Internal | Ensure that network, systems, telecom and other technical resources required are available |

Estimating Resources for Critical Activities for Resumption


Legend: Not Critical / Critical

| Activity/Process | Resources | 12 hrs | 1 day | 2 days | Work from Home Required? | Alternative Arrangement | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software requirements analysis (RTO 2 days) | Staff: Business Analyst | 0 | 0 | 1 | | In absence of business analyst the architect and the senior programmer will do the job. | - | |
| | Staff: S/w Architect | | | | | In absence of architect the senior programmer will do the job. If required, another senior programmer will be utilised. | | |
| | Staff: Senior Programmer | | | | | In absence of the senior programmer the architect will do the job. If required, another senior programmer will be utilised. | | |

Callouts:

Select your time intervals as appropriate for your function as well as the type of resource. E.g. Staff may have different intervals than, say, IT Applications, which in turn may have different time frames for Utilities.

While some would like to put a MTPoD and/or RTO to the resources, this paper provides the alternative approach of recording the actual requirements against elapsed time. This takes care of the MTPoD/RTO information for the resources and at the same time provides additional information such as numbers reqd.

4.1.1.2 h Estimate resources for each critical activity for resumption. Add as much information as you want on these resources. For example, for staff members it can be whether working from home is required or not. It is also prudent to have alternative (backup) arrangements for the resources required and identify any gaps that may exist and have a plan for the same.

Estimating Resources for Critical Activities for Resumption

Legend: Not Critical / Critical

| Activity/Process | Resources | 1 hr | 12 hours | 1 day | 2 days | Alternative Arrangements | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software Requirements Analysis (RTO 2 days) | Premises: PM Towers | | | | | None | 1. Arrangement for home working to be made. To ensure that each person has a PC/laptop, telephone/mobile and internet | 1. BX 14/08/09 |
| | | | | | | | 2. Finalise contract with 3rd party for making alternate premises available with 3-5 desk positions within an hour of notice. To include Telephone with STD/ISD and broadband internet | 2. ZC 31/08/09 |
| Software Requirements Analysis (RTO 2 days) | Desk Positions | | | | | None | As in premises above | |
| Software Requirements Analysis (RTO 2 days) | Software: MS Office | 0 | 0 | 0 | 3 | Utilise paper | | |
| | Software: Visio | 0 | 0 | 0 | 1 | Utilise paper | | |

Estimating Resources for Critical Activities for Resumption


Legend: Not Critical / Critical

| Activity/Process | Resources | 1 hr | 12 hours | 1 day | 2 days | Alternative Arrangements | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software Requirements Analysis (RTO 2 days) | Hardware: PC/Laptop | | | | | None | 1. Make arrangements with current PC/Laptop suppliers / alternate suppliers to provide spare PC/Laptops within 4 hours of request | TD 31/08/09 |
| | | | | | | | 2. Finalise contract with 3rd party for making alternate premises available with 3-5 desk positions within an hour of notice. To include Telephone with STD/ISD and broadband internet | |
| | Hardware: Storage (pen drive/disc) | | | | | Spare pen drives/discs available | - | |
| | Hardware: Speaker/Mic | | | | | Spare speakers/mic available | | |

Estimating Resources for Critical Activities for Resumption


Legend: Not Critical / Critical

| Activity/Process | Resources | 1 hr | 12 hours | 1 day | 2 days | Alternative Arrangements | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software Requirements Analysis (RTO 2 days) | Telecom & Internet: Telephone/Mobile with STD/ISD facility | | | | | 1. Use facility at alternate recovery location (ref Premises section above) 2. Use facility available at home (ref Premises section above) | | |
| | Telecom & Internet: Internet | | | | | As above | | |

Estimating Resources for Critical Activities for Resumption


Legend: Not Critical / Critical

| Activity/Process | Resources | 1 hr | 12 hours | 1 day | 2 days | Alternative Arrangements | Action | Who/When |
|---|---|---|---|---|---|---|---|---|
| Software Requirements Analysis (RTO 2 days) | Utilities/Other: Water Supply | | | | | None | Arrange with at least 2 local water suppliers to provide 10,000 litres (2 days supply) at a notice of 4 hours. | KK 09/01/10 |
| | Utilities/Other: Power Supply | | | | | Standby Genset of 100 KVA available within 10 minutes of power outage | - | |
| | Utilities/Other: Air conditioning System | | | | | None | Procure and install wall / pedestal fans | KK 19/01/10 |
| | Utilities/Other: Fuel Supply | | | | | 20,000 KL (equivalent of 3 days requirement) diesel always available in store | | |
