Business Impact Analysis (BIA) identifies critical business processes and determines the impact of their disruption over time. Unlike risk assessment, which considers threats, BIA focuses on consequences. It answers: if this process stops, what happens after one hour, one day, one week? What are the financial, operational, regulatory, and reputational impacts?
BIA results define recovery time objectives (RTOs: how quickly processes must resume) and recovery point objectives (RPOs: how much data loss is acceptable). These metrics drive disaster recovery planning and technology investments.
CISSP Relevance
BIA appears in Domain 1 (Security and Risk Management) as the foundation for business continuity and disaster recovery planning. Understand BIA methodology, how it determines criticality, and how results drive recovery requirements. Know the relationship between BIA findings and RTO/RPO.
FEMA provides BIA guidance at Ready.gov Business Impact Analysis.
Related terms: Business Continuity, Recovery Time Objective