nerdexam
(ISC)2

CISSP · Question #245

The goal of a Business Impact Analysis (BIA) is to determine which of the following?

The correct answer is C. Resource priorities for recovery and Maximum Tolerable Downtime (MTD). A Business Impact Analysis (BIA) identifies critical business functions, the resources needed to support them, and the maximum tolerable downtime (MTD) if those functions are disrupted.

Submitted by the_admin· Mar 5, 2026Security Operations

Question

The goal of a Business Impact Analysis (BIA) is to determine which of the following?

Options

  • ACost effectiveness of business recovery
  • BCost effectiveness of installing software security patches
  • CResource priorities for recovery and Maximum Tolerable Downtime (MTD)
  • DWhich security measures should be implemented

How the community answered

(27 responses)
  • A
    7% (2)
  • C
    89% (24)
  • D
    4% (1)

Why each option

A Business Impact Analysis (BIA) identifies critical business functions, the resources needed to support them, and the maximum tolerable downtime (MTD) if those functions are disrupted.

ACost effectiveness of business recovery

Cost effectiveness of business recovery is a consideration during the Business Continuity Plan (BCP) development phase, not the primary output of a BIA, which focuses on impact and recovery metrics rather than cost analysis.

BCost effectiveness of installing software security patches

Evaluating the cost effectiveness of software security patches is a vulnerability management or risk management activity, entirely unrelated to the scope of a Business Impact Analysis.

CResource priorities for recovery and Maximum Tolerable Downtime (MTD)Correct

The primary goal of a BIA is to identify and prioritize critical systems and resources required for business continuity, and to establish key recovery metrics such as Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO). These metrics directly inform continuity planning by quantifying how long a business process can be unavailable before causing unacceptable harm. This makes resource prioritization and MTD determination the definitive outputs of a BIA.

DWhich security measures should be implemented

Determining which security measures to implement is the outcome of a risk assessment or risk treatment process, not a BIA, which is specifically concerned with operational impact and recovery priorities.

Concept tested: Business Impact Analysis goals and recovery metrics

Source: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final

Topics

#Business Impact Analysis (BIA)#Maximum Tolerable Downtime (MTD)#disaster recovery planning

Community Discussion

No community discussion yet for this question.

Full CISSP Practice