Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Using Business Impact Analysis to Inform Risk Prioritization and Response

Published

Author(s)

Stephen Quinn, Nahla Ivy, Julie Chua, Matthew Barrett, Greg Witte, Larry Feldman, Daniel Topper, Robert Gardner

Abstract

While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong). The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for the ERM/CSRM process, as described in the NIST IR 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.
Citation
NIST Interagency/Internal Report (NISTIR) - 8286D
Report Number
8286D

Keywords

business impact analysis, cybersecurity risk management, cybersecurity risk register, enterprise risk management, information and communications technology

Citation

Quinn, S. , Ivy, N. , Chua, J. , Barrett, M. , Witte, G. , Feldman, L. , Topper, D. and Gardner, R. (2022), Using Business Impact Analysis to Inform Risk Prioritization and Response, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8286D, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935699 (Accessed December 3, 2022)
Created November 17, 2022, Updated November 29, 2022