
Introduction

This Guide
This guide describes the steps that
users should take to carry out a
Business Impact Assessment using the
BIA Assistant. Business Impact
Assessment is the first phase in the
IRAM methodology (see Figure 1).

The BIA Assistant

The BIA Assistant is an easy-to-use tool designed to help Members automate the Business
Impact Assessment phase of the IRAM methodology.

The BIA Assistant supports the risk analyst in assessing the possible business impact that
could arise for a system. It covers all stages in the Business Impact Assessment process. In
particular it allows the risk analyst and their organisation to determine the:

- possible business impact that could arise as a result of an incident that compromises
information in a system
- business security requirements of the system being assessed
- next steps that should be taken to protect information in the system.

Figure 1: The Business Impact Assessment process

The results that are produced by the BIA Assistant are an essential input into the Threat and
Vulnerability Assessment process (using the T&VA Assistant) – the next phase in the IRAM
methodology.

The remainder of this guide describes the steps required of a risk analyst to complete a
Business Impact Assessment using the BIA Assistant.
Contents

#1 Overview of the BIA Assistant
#2 Defining the Business Impact Reference Table
#3 Completing the System Profile form
#4 Completing the BIR forms
    BIR - Confidentiality
    BIR - Integrity
    BIR - Availability
#5 Completing the BIA Summary form

#1 Overview of the BIA Assistant
Business Impact Assessment is a business-driven undertaking that helps ensure the business
need of the organisation for protecting information is clearly identified. In doing so it helps
determine both the scope and the focus of all subsequent steps in the information risk analysis
process.

Upon opening the BIA Assistant you are presented with a number of worksheet tabs. The
Introduction and Warning tabs are informational and play no part in undertaking a Business
Impact Assessment. Clicking on any of the other tabs will take you to a different part of the
Business Impact Assessment process. The key tabs that you will need to access to conduct a
Business Impact Assessment are:

- BIRT: a form used to define the Business Impact Reference Table (typically a one-off
activity for an organisation)
- System profile: a form used to capture key administration, scoping and background
information about the system being assessed
- BIR – confidentiality: a form used to capture the results from assessing business impact
as a result of a loss of confidentiality
- BIR – integrity: a form used to capture the results from assessing business impact as a
result of a loss of integrity
- BIR – availability: a form used to capture the results from assessing business impact as a
result of a loss of availability
- BIA summary: a form used to present the overall results and recommendations from the
Business Impact Assessment.

The remainder of this guide will take you through the completion of the forms required to
conduct a Business Impact Assessment. Used in conjunction with the ISF’s report entitled
Business Impact Assessment, the risk analyst will be able to gain a good understanding of how
to conduct a Business Impact Assessment.
#2 Defining the Business Impact Reference Table
Prior to undertaking any Business Impact Assessment in an organisation it is necessary to
define the business impact types and the business impact ratings in the Business Impact
Reference Table (see Figure 2).

Figure 2: The Business Impact Reference Table

The Business impact types (eg F1 Loss of sales, orders or contracts) and the Business
impact ratings (eg 20% +, 11% to 20%, 6% to 10%, 1 to 5%, Less than 5%) that are defined in
the Business Impact Reference Table are unique to each organisation. Because every Business
Impact Assessment will refer to them, it is important to ensure that these values are accurate
and representative of the organisation.

Once defined, the values in the Business Impact Reference Table are used by the other forms
in the BIA Assistant. Typically the definition of the Business Impact Reference Table is
conducted as a one-off activity and then sent out as a common reference source for all
Business Impact Assessments that are conducted.

In defining the Business Impact Reference Table, the risk analyst should gain senior
management agreement to the Business impact types and Business impact ratings that will
be used in all Business Impact Assessments in the organisation.

The Business Impact Reference Table comes with a default set of values. These are grouped
into the following Business impact type categories:

- Financial
- Operational
- Customer-related
- Employee-related.

To change the default Business Impact Reference Table, the risk analyst should carry out the
steps described below.

Step 1 Modify, add or delete Business impact types

To modify an existing Business impact type the risk analyst should simply select the
appropriate Business impact type description field and then double-click. The text in this field
can then be edited and changed as required. The same approach should be used to modify the
Appropriate measure description.

To add a new Business impact type the risk analyst should click on the appropriate button in
each Business impact type category. For the Financial category this is called Add new
Financial impact type. Upon clicking on this button a new row will be created in the Financial
category into which a new Business impact type description and Appropriate measure
description may be added.

To delete a Business impact type that is not required the risk analyst should click on the ‘X’
box that can be found in the top right hand corner of each Business impact type description
field.

Step 2 Modify, add or delete Business impact ratings

To modify an existing Business impact rating the risk analyst should select the appropriate
Business impact rating field and double-click. The values in this field can then be edited and
changed as required.

To add new Business impact rating values for a newly created Business impact type the
risk analyst should simply select the appropriate field and double click to start editing.

Business impact ratings that are associated with a particular Business impact type are
automatically deleted when that Business impact type is deleted.

Step 3 Freeze the BIRT

To protect the values in a BIRT so that they cannot be changed in an unauthorised manner, the
risk analyst should click on the Freeze BIRT button. The risk analyst will then be requested to
enter a password. Once this step has been completed the BIA Assistant, with the protected
BIRT, may be sent out to all those undertaking Business Impact Assessments in the
organisation.
#3 Completing the System profile form
For each Business Impact Assessment that is undertaken a System profile form should be
completed. This form allows key background information about the system being assessed to
be captured and referred to by all those participating in the Business Impact Assessment
process (see Figure 3 below).

Figure 3: The System profile form


The General information section that can be found in the System profile form is used to help
identify the system being assessed (the information captured here is also used in the BIA
Summary form). All other sections record information about the key business and technical
characteristics of the system – information that is essential in scoping the assessment and in
making judgements about potential business impact.

In the System profile form there are two main areas. The first area contains sections that are
pre-defined (eg General information, Type of system, Business contribution) while the second
contains a section – Additional information – that is user-defined and can contain further
information that may be required.

The General information, Type of system and Scale of activity sections are text entry. The
Business contribution section contains drop-down box selections and the Key trends (in
previous 12 months) section uses radio button selections. The Technical information section
is mixed, consisting of text entry fields, drop-down boxes and radio buttons.

To use the System profile form the risk analyst should carry out the following steps.

Step 1 Enter pre-defined System Profile information

To enter text-based information in pre-defined fields, the risk analyst should double-click on the
appropriate field and type in the description. Moving to the next field can be done either by
moving the mouse cursor and clicking or by using the Tab key.

For those sections containing drop-down boxes and radio buttons the mouse cursor should be
positioned correctly and the appropriate choice selected.

Step 2 Enter user-defined System Profile information

When using the user-defined section the risk analyst should first enter the heading of each field
and then the associated content. To enter text the risk analyst should double-click on the
appropriate field and type in the description. Moving to the next field can be done either by
moving the mouse cursor and clicking or by using the Tab key. Five user-defined fields may be
set up in this manner.
#4 Completing the BIR forms
To undertake a Business Impact Assessment it is necessary to assess the potential business
impact that could arise from a loss of confidentiality, integrity and availability. To assess each of
these properties of information using the BIA Assistant the following three forms need to be
completed:

1. Business Impact Rating - Confidentiality
2. Business Impact Rating - Integrity
3. Business Impact Rating - Availability.

Each form is accessible from the tabs at the bottom of the screen (or from clicking on the Next
button in the bottom right of each form). Each form allows the risk analyst to consider a different
property of information in turn. All forms contain a high degree of commonality and the
appearance is the same as the Business Impact Reference Table.

It is recommended that the assessment occurs in a workshop environment where interactive
consultation can take place with the key stakeholders of the system being assessed.

In completing the BIR forms, the risk analyst should prompt the participants in the workshop to
determine an agreed Business impact rating for each of the Business impact types (see
Figure 4).

Figure 4: Completing a BIR form


Participants in the workshop can rate business impact on a five point scale ranging from A-Very
High to E-Very Low.

Once the group has reached a consensus on an appropriate level of impact, the risk analyst
should click on the appropriate box in the BIR form. A corresponding ‘X’ will appear in the
correct Business impact rating field.

In instances where business impact ratings are marked at extreme ends of the rating scheme, it
is recommended that the risk analyst enters further information in the Explanatory comments
field.

When a level of impact rating has been entered for every Business impact type, the risk
analyst and the participants are presented with an Overall rating, as shown in Figure 5
below. This rating is automatically determined by taking the highest rated Business impact
type. This value can be manually changed, either higher or lower, if required. Where a manual
change is made to the Overall rating it is recommended that an explanation is provided in the
Explanatory comments field.

Figure 5: Determining the Overall rating


Instructional guidance on how to complete each of the forms is detailed in the sections below.
#4.1 BIR - Confidentiality

By clicking on the BIR - confidentiality tab you will be presented with the following screen:

Figure 6: Business Impact Rating - Confidentiality form


The Business Impact Rating – Confidentiality form gives the risk analyst the opportunity to
record the results of the confidentiality aspect of a business impact assessment.

In completing the Business Impact Rating – Confidentiality form, the risk analyst should prompt
participants in the workshop to determine an agreed Business impact rating for each of the
Business impact types. The steps for the completion of the form are described below:

Step 1 Select first Business impact rating

Select an appropriate level of impact for F1: Loss of sales, orders or contracts by clicking on
the cell that corresponds to your chosen rating. The cell will be marked with a large ‘X’ to
denote the selection. If you wish to change your selection, simply click on any of the other
Business impact ratings.

Step 2 Repeat for all Business impact types

Repeat this selection process for all of the remaining business impact types, in each of the
remaining Business impact type categories.

Step 3 Determine Overall rating

Check the Overall rating that is automatically calculated and amend if necessary.
#4.2 BIR - Integrity

By clicking on the BIR - integrity tab you will be presented with the following screen:

Figure 7: Business Impact Rating - Integrity form


The Business Impact Rating – Integrity form gives the risk analyst the opportunity to record the
results of the integrity aspect of a business impact assessment.

In completing the Business Impact Rating – Integrity form, the risk analyst should prompt
participants in the workshop to determine an agreed Business impact rating for each of the
Business impact types. The steps for the completion of the form are described below:

Step 1 Select first Business impact rating

Select an appropriate level of impact for F1: Loss of sales, orders or contracts by clicking on
the cell that corresponds to your chosen rating. The cell will be marked with a large ‘X’ to
denote the selection. If you wish to change your selection, simply click on any of the other
Business impact ratings.

Step 2 Repeat for all Business impact types

Repeat this selection process for all of the remaining business impact types, in each of the
remaining Business impact type categories.

Step 3 Determine Overall rating

Check the Overall rating that is automatically calculated and amend if necessary.
#4.3 BIR - Availability

By clicking on the BIR – availability tab you will be presented with the following screen:

Figure 8: Business Impact Rating - Availability form


The Business Impact Rating – Availability form gives the risk analyst the opportunity to record
the results of the availability aspect of a business impact assessment.

In completing the Business Impact Rating – Availability form, the risk analyst should prompt
participants in the workshop to determine an agreed Business impact rating for each of the
Business impact types. The steps for the completion of the form are described below:

Step 1 Select first Business impact rating

Select an appropriate level of impact for F1: Loss of sales, orders or contracts by clicking on
the cell that corresponds to An hour – the smallest duration of outage. The risk analyst is then
presented with a drop-down box for the Business impact rating that could occur if the system
were to be unavailable for an hour. Select the appropriate Business impact rating. By
selecting a Business impact rating all longer durations of outage (ie A day, 2 – 3 days, A
week) will automatically be completed with a Business impact rating of the same value. This
automatic calculation may be adjusted if required.

Step 2 Repeat for all Business impact types

Repeat this selection process for all of the remaining business impact types, in each of the
remaining Business impact type categories.

Step 3 Determine Overall ratings

Check the Overall rating that is automatically calculated for each Duration of outage and
amend if necessary.
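The rating logic the three BIR forms apply (a five point A to E scale, the Overall rating taken automatically from the highest rated Business impact type with a manual change that should be explained, and on the availability form the rating chosen for An hour being copied to every longer Duration of outage and an Overall rating per duration) can be modelled as follows. This is an added example written for this guide, not code from the BIA Assistant itself; the class and function names, and the impact types other than F1 Loss of sales, orders or contracts, are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Five-point scale from the guide: A = Very High ... E = Very Low.
RATING_SCALE = ["A", "B", "C", "D", "E"]

# Durations of outage on the BIR - Availability form, shortest first.
OUTAGE_DURATIONS = ["An hour", "A day", "2 - 3 days", "A week"]


def worst(ratings: Iterable[Optional[str]]) -> Optional[str]:
    """Most severe rating in a collection (A is most severe); None if nothing is rated."""
    present = [r for r in ratings if r is not None]
    if not present:
        return None
    return min(present, key=RATING_SCALE.index)


def _check_rating(rating: str) -> None:
    if rating not in RATING_SCALE:
        raise ValueError(f"rating must be one of {RATING_SCALE}, got {rating!r}")


@dataclass
class BirForm:
    """Confidentiality or integrity form: one rating per Business impact type."""
    property_name: str
    ratings: Dict[str, str] = field(default_factory=dict)
    manual_overall: Optional[str] = None
    explanatory_comments: str = ""

    def select(self, impact_type: str, rating: str) -> None:
        """Click a cell: the 'X' moves, so a later click simply replaces the earlier one."""
        _check_rating(rating)
        self.ratings[impact_type] = rating

    def overall_rating(self) -> Optional[str]:
        """Automatically the highest rated Business impact type, unless changed manually."""
        return self.manual_overall or worst(self.ratings.values())

    def set_overall(self, rating: str, comment: str) -> None:
        """Manual change to the Overall rating; the guide recommends recording why."""
        _check_rating(rating)
        if not comment.strip():
            raise ValueError("a manual change to the Overall rating needs Explanatory comments")
        self.manual_overall = rating
        self.explanatory_comments = comment

    def extremes_needing_comment(self) -> List[str]:
        """Impact types rated at either end of the scale, where further explanation is recommended."""
        return [t for t, r in self.ratings.items() if r in ("A", "E")]


@dataclass
class AvailabilityForm:
    """Availability form: a rating per Business impact type for each Duration of outage."""
    ratings: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def select_hour(self, impact_type: str, rating: str) -> None:
        """Rating the shortest outage fills every longer duration with the same value."""
        _check_rating(rating)
        self.ratings[impact_type] = {d: rating for d in OUTAGE_DURATIONS}

    def adjust(self, impact_type: str, duration: str, rating: str) -> None:
        """Override the automatically filled value for one duration."""
        _check_rating(rating)
        if duration not in OUTAGE_DURATIONS:
            raise ValueError(f"unknown duration {duration!r}")
        self.ratings.setdefault(impact_type, {})[duration] = rating

    def overall_ratings(self) -> Dict[str, Optional[str]]:
        """One Overall rating per Duration of outage: the highest rating in that column."""
        return {d: worst(row.get(d) for row in self.ratings.values()) for d in OUTAGE_DURATIONS}


def example_workshop() -> dict:
    """Constructed sample ratings (not from the guide) to show the calculations."""
    conf = BirForm("Confidentiality")
    conf.select("F1 Loss of sales, orders or contracts", "C")
    conf.select("O1 Disruption to operations (constructed)", "B")
    conf.select("E1 Loss of staff morale (constructed)", "E")
    avail = AvailabilityForm()
    avail.select_hour("F1 Loss of sales, orders or contracts", "D")
    # A week-long outage is judged worse than the auto-filled value, so adjust just that cell.
    avail.adjust("F1 Loss of sales, orders or contracts", "A week", "B")
    return {
        "confidentiality_overall": conf.overall_rating(),
        "confidentiality_extremes": conf.extremes_needing_comment(),
        "availability_overall": avail.overall_ratings(),
    }


if __name__ == "__main__":
    print(example_workshop())
```

Running `example_workshop()` gives an Overall rating of B for confidentiality (the highest of C, B and E), flags the E-rated type as one that should carry an explanatory comment, and shows the availability Overall ratings of D for every duration except A week, where the adjusted B takes precedence.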
#5 Completing the BIA Summary form
The BIA Summary form contains all of the results from the Business Impact Assessment. This
form can be accessed either by clicking on the:

- BIA summary tab at the bottom of the screen
- Next button from within the Business Impact Rating – Availability screen
- Summary button of the process shown on the Introduction screen.

The BIA Summary form fulfils two main functions. The first is to bring together the overall
findings for consolidation, review and final agreement. The second is to act as a management
report for presentation and communication.

Selecting the BIA Summary form displays the screen shown in Figure 9.

Figure 9: BIA Summary form


When all Business impact ratings and Overall ratings have been determined for
Confidentiality, Integrity and Availability, the risk analyst should then complete the BIA
Summary.

Most of the information contained in the BIA Summary is automatically entered when the risk
analyst completes the different forms in the Business Impact Assessment process using the BIA
Assistant.

The role of the risk analyst at this stage of the process is to prompt the participants in the
workshop to discuss and confirm the Overall ratings and other information contained in the BIA
Summary. There are also a number of key decisions, such as the Overall Classification, that
need to be made and these are described in the steps that follow.

Step 1 Confirm Business Impact Assessment Ratings

By scrolling down the BIA Summary form the risk analyst can see the Business Impact
Assessment Ratings that have been automatically carried forward for Confidentiality, Integrity
and Availability (see Figure 10).

Figure 10: Business Impact Assessment Ratings


The risk analyst should prompt the participants in the workshop to discuss and agree the ratings
that appear in this form. The Overall Business Impact Ratings cannot be changed in this form
and typically these values would not be altered at this stage of the process (in exceptional
circumstances these values can be changed by amending the overall ratings in the appropriate
form(s) earlier in the process).

In contrast, the values in the Business Security Requirements Rating can be changed. These
are automatically populated from the highest ratings for Loss of confidentiality, Loss of integrity
and Loss of availability. Where the participants agree that a value in this table should be
changed, the reason for this should be noted in the Additional information section at the end of
the BIA Summary form.

The Critical Timescale value that is captured in the BIR – Availability form is also presented in
this form for consultation and review.

Step 2 Determine Overall Classification

The final important classification to be determined by the participants in the workshop is the one
for the Overall Classification. This is not automatically transferred from the highest value for the
Business Security Requirements Rating and has to be manually entered (by clicking on the
appropriate box for High, Medium or Low).

The role of the risk analyst when deciding the Overall Classification is to encourage participants
to reach a consensus decision based upon the assessment for all properties of information.
Where it is difficult to do this and a compromise needs to be made (eg when increasing or
decreasing the Overall Classification rating from the values in Business Security Requirements
Rating) then this should be recorded in the Additional information section at the end of the form.
Ultimately the value in the Overall Classification should reflect the importance of the system
being assessed to the organisation and will also automatically determine the value that is
entered in the Next steps section (see Figure 11). This describes the action that should be
taken by the organisation after the assessment and in particular refers to the type of Threat and
Vulnerability Assessment that is conducted.

Figure 11: Next steps
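The consolidation that Steps 1 and 2 describe (Business Security Requirements Ratings populated from the highest ratings for loss of confidentiality, integrity and availability, changes to them recorded in Additional information, the Overall Classification entered by hand and the Next steps text then following from it) can be modelled as a small summary object. This is an added example, not the BIA Assistant's own code; the class and method names are constructed, and because the guide does not reproduce the Next steps wording or the rule that maps ratings to High, Medium or Low, the next-steps text is an obviously labelled placeholder and the classification is simply recorded as entered.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

RATING_SCALE = ["A", "B", "C", "D", "E"]          # A = Very High ... E = Very Low
CLASSIFICATIONS = ("High", "Medium", "Low")        # Overall Classification choices

# Placeholder wording: the guide states that Next steps is filled automatically from the
# Overall Classification but does not reproduce the text, so nothing here is the real content.
NEXT_STEPS_PLACEHOLDER = {c: f"[placeholder: Next steps text for {c} classification]" for c in CLASSIFICATIONS}


def worst(ratings: Iterable[Optional[str]]) -> Optional[str]:
    """Most severe rating (A is most severe); None if nothing is rated."""
    present = [r for r in ratings if r is not None]
    return min(present, key=RATING_SCALE.index) if present else None


@dataclass
class BiaSummary:
    """Results carried forward into the BIA Summary form."""
    confidentiality_overall: str
    integrity_overall: str
    availability_overall: Dict[str, str]      # Duration of outage -> Overall rating
    critical_timescale: Optional[str] = None  # carried over from the BIR - Availability form
    security_requirements: Dict[str, str] = field(init=False)
    overall_classification: Optional[str] = None
    actions: List[str] = field(default_factory=list)
    additional_information: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Business Security Requirements Ratings start as the highest rating for each loss;
        # the Overall Business Impact Ratings themselves are not editable in this form.
        self.security_requirements = {
            "Loss of confidentiality": self.confidentiality_overall,
            "Loss of integrity": self.integrity_overall,
            "Loss of availability": worst(self.availability_overall.values()),
        }

    def change_security_requirement(self, loss: str, rating: str, reason: str) -> None:
        """Participants may change a BSR value, but the reason must be noted."""
        if loss not in self.security_requirements or rating not in RATING_SCALE:
            raise ValueError("unknown loss type or rating")
        if not reason.strip():
            raise ValueError("record the reason for the change in Additional information")
        self.security_requirements[loss] = rating
        self.additional_information.append(f"{loss} changed to {rating}: {reason}")

    def set_overall_classification(self, classification: str, note: str = "") -> None:
        """Manual entry (High, Medium or Low); any compromise reached is noted."""
        if classification not in CLASSIFICATIONS:
            raise ValueError(f"classification must be one of {CLASSIFICATIONS}")
        self.overall_classification = classification
        if note.strip():
            self.additional_information.append(f"Overall Classification {classification}: {note}")

    def next_steps(self) -> Optional[str]:
        """Determined automatically by the Overall Classification once it has been entered."""
        if self.overall_classification is None:
            return None
        return NEXT_STEPS_PLACEHOLDER[self.overall_classification]

    def sign_off_problems(self) -> List[str]:
        """What still blocks the risk analyst and system owner from signing off."""
        problems = []
        if self.overall_classification is None:
            problems.append("Overall Classification has not been entered")
        if any(r is None for r in self.security_requirements.values()):
            problems.append("a Business Security Requirements Rating is missing")
        return problems
```

Constructing a summary from the three Overall ratings fills the Business Security Requirements Ratings immediately; `sign_off_problems()` stays non-empty until the Overall Classification is entered, and every BSR change is forced to leave a trace in Additional information, which is the audit trail the guide asks the workshop to keep.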


Step 3 Enter Actions and Additional information

Any actions that are identified in the assessment should be recorded in the Actions section,
and any further information that helps to explain the rationale for the final decisions made on
any ratings or the Overall classification should be recorded in the Additional information
section.

The risk analyst and system owner should then sign off the agreed Business Impact
Assessment Ratings, Overall Classification and chosen Next steps in the Overall Classification.

Upon completion the assessment should be saved for later reference.
