CISSP · Question #245
The goal of a Business Impact Analysis (BIA) is to determine which of the following?
The correct answer is C. Resource priorities for recovery and Maximum Tolerable Downtime (MTD). A Business Impact Analysis (BIA) identifies critical business functions, the resources needed to support them, and the maximum tolerable downtime (MTD) if those functions are disrupted.
Question
The goal of a Business Impact Analysis (BIA) is to determine which of the following?
Options
- ACost effectiveness of business recovery
- BCost effectiveness of installing software security patches
- CResource priorities for recovery and Maximum Tolerable Downtime (MTD)
- DWhich security measures should be implemented
How the community answered
(27 responses)- A7% (2)
- C89% (24)
- D4% (1)
Why each option
A Business Impact Analysis (BIA) identifies critical business functions, the resources needed to support them, and the maximum tolerable downtime (MTD) if those functions are disrupted.
Cost effectiveness of business recovery is a consideration during the Business Continuity Plan (BCP) development phase, not the primary output of a BIA, which focuses on impact and recovery metrics rather than cost analysis.
Evaluating the cost effectiveness of software security patches is a vulnerability management or risk management activity, entirely unrelated to the scope of a Business Impact Analysis.
The primary goal of a BIA is to identify and prioritize critical systems and resources required for business continuity, and to establish key recovery metrics such as Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO). These metrics directly inform continuity planning by quantifying how long a business process can be unavailable before causing unacceptable harm. This makes resource prioritization and MTD determination the definitive outputs of a BIA.
Determining which security measures to implement is the outcome of a risk assessment or risk treatment process, not a BIA, which is specifically concerned with operational impact and recovery priorities.
Concept tested: Business Impact Analysis goals and recovery metrics
Source: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.