The International Organization for Standardization (ISO) states that the standard, titled "Societal security -- Business continuity management systems (BCMS) -- Guidelines for business impact analysis (BIA)" and published as a Technical Specification, "provides guidance for an organization to establish, implement and maintain a formal and documented business impact analysis process." It does not prescribe a single uniform process for performing a BIA; instead, it helps an organization design a BIA procedure appropriate to its own needs.
Released in September 2015, ISO 22317 aligns with the global business continuity standard, ISO 22301, which describes the framework for a BCMS. ISO 22317 advocates performing BIAs that are linked to the scope of the overall BCMS, which can include all areas of the organization. Typically, the most effective way to use BIAs is to conduct them for all mission-critical business functions.
The standard recommends identifying the products and services produced by the business; the functions that make them possible; the resources that support them; and the impact if those functions were rendered unavailable over time. The standard also advocates updating all BIAs periodically to ensure they accurately reflect the organization. BIAs should provide an accurate view of the business when they are conducted, and can also identify opportunities for improving business processes and activities.
BIAs determine the consequences of a disruptive event to an organization. They present their findings in a format (such as financial impact or resources needed) that management can understand and use.
Who uses ISO 22317
If an organization performs dozens of BIAs annually, it may be worthwhile to buy the standard and use it to help identify ways to improve the BIA process. The ISO offers the 27-page standard for purchase on its website, in both hard copy and downloadable versions. ISO publications are subject to a customer license agreement. ISO 22317 is intended for use by the employees responsible for the BIA process.
If an organization is subject to regular audits, it may be important to demonstrate that BIAs are conducted in compliance with a global standard. This is also important if an organization has adopted ISO 22301 as its BCMS standard.
If an organization conducts only a few BIAs during the year, it is advisable to keep the current process, if possible.
The ISO states that the standard is applicable to all organizations regardless of type, size and nature, whether in the private, public or not-for-profit sectors.
Sections of the BIA standard
ISO 22317 sets the stage for a business impact analysis by identifying how BIAs fit into an overall business continuity program or BCMS. The first major section in the BIA standard, "Prerequisites," underscores the importance of senior management support for the BIA process and offers direction for setting the BIA scope, content, participants, resources and objectives.
The next major section, "Performing the business impact analysis," breaks down the BIA process into its component parts and activities, which include project planning and management, product and service prioritization, process prioritization, activity prioritization, analysis and consolidation, and obtaining top management endorsement of BIA results.
The final primary section of ISO 22317, "BIA process monitoring and review," underscores the importance of BIAs in the overall BCMS, their relevance to the business, the need to integrate BIA concepts with business activities, and the importance of periodic BIA reviews and updates.