
CISSP Domain 1 – Business Impact Analysis


In the previous episode, we explored a hospital hit by ransomware and examined the difference between Business Continuity (BCP) and Disaster Recovery (DR).

But here’s the critical question:

Before you define recovery steps… before you configure backups… before you even write a continuity plan — how do you know what to prioritise?

That answer comes from Business Impact Analysis (BIA).

In CISSP Domain 1 – Security & Risk Management, BIA is not an IT task. It is a business decision framework.

Rewinding the Scenario: Before the Crisis

Let’s step back to the hospital example — before ransomware ever happens.

Leadership asks which services must come back first, and how long each one can be unavailable before patients are harmed, revenue stops, or regulators are owed a notification.

Clearly, not every process carries the same consequence. Some functions can wait; others cannot.

This process of identifying and ranking impact is Business Impact Analysis.

What Business Impact Analysis Actually Does

BIA identifies the organisation's critical business processes, the resources and dependencies each one relies on, and the consequences of losing each process as the outage grows longer.

It asks structured questions such as: what happens if this process stops for an hour, a day, a week? Which other processes stop with it? At what point does the damage become unacceptable?

And here is the powerful truth:

If you don’t prioritise before the crisis, the crisis will prioritise for you.

CISSP perspective:

BIA measures impact, not probability.

It does not ask, “Will ransomware happen?”

It asks, “If disruption happens, what is the consequence?”

Types of Impact CISSP Expects You to Consider

Domain 1 focuses on business consequences across multiple dimensions:

1. Financial Impact

Revenue loss, penalties, contractual breaches.

2. Operational Impact

Service interruption, workflow breakdown, supply chain disruption.

3. Legal and Regulatory Impact

Non-compliance exposure, reporting obligations, potential litigation.

4. Reputational Impact

Loss of public trust and stakeholder confidence.

5. Safety Impact

Risk to human life or physical well-being.

In healthcare, safety impact dominates. In banking, regulatory and financial impact may take priority.

BIA is contextual. It aligns recovery priorities with what truly matters to that specific organisation.

How BIA Drives RTO and RPO

Once impact is understood, leadership defines recovery objectives.

Recovery Time Objective (RTO)

The target time within which a business process must be restored after a disruption. It has to sit inside the Maximum Tolerable Downtime (MTD), the point at which the damage from the outage becomes unacceptable; an RTO longer than the MTD is not an objective, it is an admission that the plan fails.

In a hospital, RTO for emergency systems may be measured in minutes.

Recovery Point Objective (RPO)

How much data, measured as time back from the moment of disruption, can be lost before the impact becomes unacceptable? RPO sets the maximum age of the last usable copy, and therefore the minimum backup or replication frequency IT must deliver.

For patient records, the answer may be near zero.

Critical CISSP principle:

The business defines RTO and RPO.
IT designs solutions to meet them.

When IT defines acceptable downtime without business input, that is not strategy — it is guesswork.
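As an added example that is not part of the article, the following Python sketch turns the two rules above into a check a practitioner can actually run: business-owned impact scores and objectives go in, a recovery priority order and a list of DR designs that fail their RTO or RPO come out. The weights, the hospital processes, the time values and the "RTO must not exceed MTD" consistency rule are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import timedelta

# The five impact dimensions named in the article. The weights are an
# assumption for this example: a healthcare profile in which safety dominates.
HEALTHCARE_WEIGHTS = {
    "safety": 3,
    "legal": 2,
    "financial": 1,
    "operational": 1,
    "reputational": 1,
}


@dataclass
class Process:
    """A business process as the BIA describes it. Every value here is set by
    the business, not by IT. Impact scores run from 1 (negligible) to 5 (severe)."""
    name: str
    impact: dict          # dimension -> score 1..5
    mtd: timedelta        # maximum tolerable downtime
    rto: timedelta        # recovery time objective (must be <= mtd)
    rpo: timedelta        # recovery point objective (tolerable data loss, as time)


@dataclass
class DRDesign:
    """IT's proposed solution for one process, as measured in a recovery test."""
    process: str
    restore_time: timedelta      # time to bring the process back
    backup_interval: timedelta   # time between data captures (backup or replication)


def impact_score(p: Process, weights: dict) -> int:
    """Weighted sum of the per-dimension impact scores."""
    return sum(weights[dim] * p.impact.get(dim, 0) for dim in weights)


def rank_processes(processes: list, weights: dict) -> list:
    """Recovery priority order: highest weighted impact first."""
    ordered = sorted(processes, key=lambda p: impact_score(p, weights), reverse=True)
    return [p.name for p in ordered]


def _fmt(td: timedelta) -> str:
    return f"{td.total_seconds() / 60:g} min"


def validate_design(p: Process, d: DRDesign) -> list:
    """Findings where the design, or the objective itself, fails.
    An empty list means the design meets the business-defined objectives."""
    findings = []
    if p.rto > p.mtd:
        findings.append(f"{p.name}: RTO {_fmt(p.rto)} exceeds MTD {_fmt(p.mtd)}; "
                        "the objective itself is inconsistent")
    if d.restore_time > p.rto:
        findings.append(f"{p.name}: measured restore time {_fmt(d.restore_time)} "
                        f"exceeds RTO {_fmt(p.rto)}")
    if d.backup_interval > p.rpo:
        findings.append(f"{p.name}: backup interval {_fmt(d.backup_interval)} "
                        f"exceeds RPO {_fmt(p.rpo)}")
    return findings


# Constructed sample data for a hospital (assumed figures, not from the article).
HOSPITAL = [
    Process("Emergency department systems",
            {"safety": 5, "operational": 5, "financial": 3, "legal": 4, "reputational": 4},
            mtd=timedelta(minutes=30), rto=timedelta(minutes=15), rpo=timedelta(minutes=1)),
    Process("Patient records",
            {"safety": 4, "operational": 4, "financial": 2, "legal": 5, "reputational": 4},
            mtd=timedelta(hours=8), rto=timedelta(hours=4), rpo=timedelta(minutes=5)),
    Process("Billing",
            {"safety": 1, "operational": 3, "financial": 5, "legal": 3, "reputational": 2},
            mtd=timedelta(hours=72), rto=timedelta(hours=48), rpo=timedelta(hours=24)),
]

# Constructed DR designs as IT might propose them; one deliberately misses its RTO.
DESIGNS = {
    "Emergency department systems": DRDesign("Emergency department systems",
                                             restore_time=timedelta(minutes=10),
                                             backup_interval=timedelta(seconds=30)),
    "Patient records": DRDesign("Patient records",
                                restore_time=timedelta(hours=6),       # too slow for a 4 h RTO
                                backup_interval=timedelta(minutes=5)),
    "Billing": DRDesign("Billing",
                        restore_time=timedelta(hours=12),
                        backup_interval=timedelta(hours=24)),         # nightly backup, just meets RPO
}


def review_all(processes: list, designs: dict, weights: dict) -> dict:
    """Findings per process, keyed in BIA priority order."""
    by_name = {p.name: p for p in processes}
    return {name: validate_design(by_name[name], designs[name])
            for name in rank_processes(processes, weights)}


if __name__ == "__main__":
    for name, findings in review_all(HOSPITAL, DESIGNS, HEALTHCARE_WEIGHTS).items():
        print(name, "->", "meets objectives" if not findings else "; ".join(findings))
```

The split of responsibilities follows the principle above: nothing in `Process` is IT's to change, and `validate_design` only reports whether IT's measured numbers fit inside the business's objectives. Swapping in a different weight profile (for a bank, financial and legal weights would rise) changes the priority order without touching the validation logic.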

Ownership: Who Conducts BIA?

This is a high-value exam concept.

BIA is owned by senior management and the business leaders who own the processes being assessed.

IT provides data and technical input, but management owns prioritisation.

In CISSP:

Risk ownership always sits with the business.

How BIA Appears in the CISSP Exam

CISSP rarely asks for definitions directly.

Instead, it presents a scenario and asks what should be done first.

Correct sequence:

  1. Conduct Business Impact Analysis
  2. Identify critical processes
  3. Define RTO and RPO
  4. Develop BCP and DR plans

If you jump straight to technical recovery steps, you are thinking operationally, not strategically.

Why BIA Belongs in Domain 1

BCP and DR are response plans.

BIA is pre-crisis leadership.

Without BIA, recovery priorities are guesswork, and the crisis decides them for you.

In a crisis, confusion is expensive. Clarity — defined beforehand — is leadership.

That is why CISSP places Business Impact Analysis inside Security & Risk Management.

Final Takeaway

Business Impact Analysis tells the organisation what truly matters.

Everything else — RTO, RPO, BCP, DR — flows from that clarity.

If you internalise this concept, you are not just preparing for CISSP. You are learning to think like a risk-aware security leader.

🎧 Listen to the Podcast

This article is part of the CISSP Blog and Podcast Series – PK’s Chronicles.

The companion podcast episode walks through this healthcare scenario in a structured 10-minute discussion focused on governance, prioritisation, and decision-making.

Search on Spotify for:

PK’s Chronicles

Think like a CISSP, not like a technician.
