This is one of the 52 terms in The Language of Cybersecurity published by XML Press in 2018 and the contributor for this term is William J. McBorrough.

What is it?

A systematic process by which an organization gathers information about its essential business functions and processes and evaluates the potential impact to the organization if those functions and processes were interrupted or otherwise adversely affected. Also referred to as a business impact analysis.

Why is it important?

This term is important because it helps organizations prioritize the allocation of time and resources to prevent, manage, and recover from incidents that affect critical business operations and assets. A business impact assessment also provides information to help create an incident response plan and a business continuity plan.

Why does a business professional need to know this?

Conducting a business impact assessment (BIA) can help you see how security and risk management relates to the critical functions and overall mission of your organization. Security must support those functions and that mission.

Implementing security controls and managing cybersecurity risks costs time, money, and resources. A business impact assessment helps business professionals balance priorities and apply resources where they can have the greatest effect.

A business impact assessment is critical to both the risk management program and the business continuity plan. Together these let an organization assess and manage risks to critical assets and functions, and recover and continue business operations when those assets and functions are negatively affected.

Essential questions that must be answered as part of the BIA include the following:

  • What information systems and functions are critical to the mission of the organization?
  • What do those systems and functions depend on?
  • If those systems and functions are impaired or interrupted, how quickly must they resume before the organization incurs a significant loss or unacceptable business impact?
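To make the three questions concrete, here is an added Python sketch (not from the book or its contributor) that models a constructed inventory of business functions, what each depends on, and how quickly each must resume. It goes one step beyond the list: a supporting system inherits the tightest deadline of everything that depends on it, which is how a shared component whose own owner stated a relaxed deadline can end up first in the recovery order. The function names, the sample figures, and the use of "maximum tolerable downtime" (MTD) in hours as the answer to the third question are assumptions made for this illustration.

```python
"""Toy business impact assessment (BIA) model.

Added illustration, not from The Language of Cybersecurity or its
contributor. Assumptions: the inventory is constructed, and "how quickly
must it resume" is modelled as a maximum tolerable downtime (MTD) in
hours stated by each function's owner.
"""
from dataclasses import dataclass, field


@dataclass
class BusinessFunction:
    name: str
    mtd_hours: float                 # owner's stated maximum tolerable downtime
    depends_on: list = field(default_factory=list)
    impact_per_hour: float = 0.0     # constructed loss estimate while down


# Constructed sample inventory: names, hours and loss figures are made up.
INVENTORY = {
    "order-intake": BusinessFunction("order-intake", 4, ["web-portal", "customer-db"], 5000),
    "web-portal": BusinessFunction("web-portal", 24, ["identity-provider"], 500),
    "customer-db": BusinessFunction("customer-db", 48, [], 200),
    "identity-provider": BusinessFunction("identity-provider", 72, [], 100),
    "payroll": BusinessFunction("payroll", 120, ["identity-provider"], 50),
}


def validate_inventory(inv):
    """Every dependency must exist and the graph must be acyclic (a cycle
    means nothing can be recovered first). Returns a list of problems;
    an empty list means the inventory is usable."""
    problems = []
    for fn in inv.values():
        for dep in fn.depends_on:
            if dep not in inv:
                problems.append(f"{fn.name} depends on unknown function {dep}")
    state = {}  # name -> "active" while on the DFS path, "done" when finished

    def visit(name, path):
        if state.get(name) == "done":
            return
        if state.get(name) == "active":
            problems.append("dependency cycle: " + " -> ".join(path + [name]))
            return
        state[name] = "active"
        for dep in inv[name].depends_on:
            if dep in inv:
                visit(dep, path + [name])
        state[name] = "done"

    for name in inv:
        visit(name, [])
    return problems


def direct_dependents(inv):
    """Reverse the dependency edges: who relies on each function directly."""
    rev = {name: set() for name in inv}
    for fn in inv.values():
        for dep in fn.depends_on:
            rev.setdefault(dep, set()).add(fn.name)
    return rev


def transitive_dependents(inv, name):
    """Every function that stops working if `name` is down, directly or
    through a chain of dependencies."""
    rev = direct_dependents(inv)
    seen, stack = set(), list(rev.get(name, ()))
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(rev.get(cur, ()))
    return seen


def effective_mtd(inv, name):
    """A supporting system must be back before the tightest deadline of
    anything that depends on it, even if its own owner was more relaxed."""
    members = {name} | transitive_dependents(inv, name)
    return min(inv[m].mtd_hours for m in members)


def aggregate_impact(inv, name):
    """Hourly loss while `name` is down: its own loss plus that of
    everything that cannot run without it."""
    members = {name} | transitive_dependents(inv, name)
    return sum(inv[m].impact_per_hour for m in members)


def prioritize(inv):
    """Rank functions for recovery planning: tightest effective deadline
    first, larger aggregate impact first on ties."""
    rows = [(n, effective_mtd(inv, n), aggregate_impact(inv, n)) for n in inv]
    return sorted(rows, key=lambda r: (r[1], -r[2]))


if __name__ == "__main__":
    assert not validate_inventory(INVENTORY)
    for name, mtd, impact in prioritize(INVENTORY):
        print(f"{name:18} resume within {mtd:>5.0f} h  exposure {impact:>7.0f}/h")
```

In the constructed inventory the identity provider's owner stated a 72-hour tolerance, yet it ranks first: order intake must be back within 4 hours and cannot run without the web portal, which cannot run without the identity provider. That inherited deadline is exactly the kind of finding the second and third questions are meant to surface.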

Business professionals must work with cybersecurity professionals to help identify security risks to the organization’s business operations and information systems. A business impact assessment can help prioritize efforts to mitigate the potential impact of those risks to the organization.