PrepAway - Latest Free Exam Questions & Answers

Which of the following steps comes first in a business impact analysis?


A. Calculate the risk for each different business function.

B. Identify critical business functions.

C. Create data-gathering techniques.

D. Identify vulnerabilities and threats to business functions.

Explanation:

C: Of the steps listed, the first step in a business impact analysis (BIA) is creating data-gathering techniques. The BCP committee can use surveys, questionnaires, and interviews to gather information from key personnel about how different tasks get accomplished within the organization, whether it’s a process, transaction, or service, along with any relevant dependencies. Process flow diagrams should be built from this data, which will be used throughout the BIA and plan development stages.

A is incorrect because calculating the risk of each business function occurs after business functions have been identified. And before that can happen, the BCP team must gather data from key personnel. To calculate the risk of each business function, qualitative and quantitative impact information should be gathered and properly analyzed and interpreted. Upon completion of the data analysis, it should be reviewed with the most knowledgeable people within the company to ensure that the findings are appropriate and describe the real risks and impacts the organization faces. This will help flush out any additional data points not originally obtained and will give a fuller understanding of all the possible business impacts.

B is incorrect because identifying critical business functions takes place after the BCP committee has learned about the business functions that exist by interviewing and surveying key personnel. Upon completion of the data collection phase, the BCP committee conducts an analysis to establish which processes, devices, or operational activities are critical. If a system stands on its own, doesn’t affect other systems, and is of low criticality, then it can be classified as a tier two or three recovery step. This means these resources will not be dealt with during the recovery stages until the most critical (tier one) resources are up and running.

D is incorrect because identifying vulnerabilities and threats to business functions takes place toward the end of a business impact analysis. Of the steps listed in the answers, it is the last one. Threats can be manmade, natural, or technical. It is important to identify all possible threats and estimate the probability of them happening. Some issues may not immediately come to mind when developing these plans. These issues are often best addressed in a group with scenario-based exercises. This ensures that if a threat becomes a reality, the plan includes the ramifications on all business tasks, departments, and critical operations. The more issues that are thought of and planned for, the better prepared a company will be if and when these events occur.

5 Comments on “Which of the following steps comes first in a business impact analysis?”

  1. joe says:

    BIA 7 Steps:

    1. Select individual to interview
    2. Create data gathering method
    3. Identify business critical function
    4. Identify resources
    5. Calculate how long company can survive without resources
    6. Identify vulnerability
    7. Calculate risk in each different function
    8. Document findings & report them to management




    1. Ali imran says:

      This steps thing is bullshit. If you Google for steps of BIA or BCP or RDP etc., everybody is telling their own story: one says BIA has 8 steps, another says it has 6 steps, then another source says there are 10 steps. Actually it's like everybody is telling their side of the story without any interaction or coordination.




      1. tdb1 says:

        The CISSP is a load of crap – It takes all the info and in some instances it is very opinionated with its logic.

        We treat this test black and white but in a lot of instances, this is not reality – I get it – But we treat this like a textbook answer when we know in the real world people are not thinking Step 1, Step 2, Step 3… It's questions like this that make the ISC2 board a bunch of complete morons!




  2. kfs says:

    There are no such questions on the real exam.

    Questions like this one – which is the first, what are the steps, what is not part of, etc. – are just for reference, to check how well you remember the topic.

    The real questions are based on understanding and logical conclusions, which makes them even harder. Do not expect any of these on the real exam.



