Ensure the Business Impact Analysis identifies tolerance to downtime.

UCF ID: 01172
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 9, Pg F-1, Exam Tier I Obj 3.3; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.1 Process, Stage 1.2 Process; The Standard of Good Practice for Information Security, CB1.3.5, SD3.4.6; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 58; BS 25999-1, Business continuity management. Code of practice, 2006, § 6.2.2; Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft), § 3.2.1

Banking and Finance Guidance

The Business Impact Analysis (BIA) should estimate how long critical functions and processes can be down and the acceptable levels of data loss. [Pg 9, Pg F-1, Exam Tier I Obj 3.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

NIST Guidance

The Information System Contingency Plan Coordinator should determine the downtime for business processes in the event that service is disrupted or unavailable. Downtime is expressed as maximum tolerable downtime (the total amount of time managers are willing to accept for a process to be out, including all impact considerations), recovery time objective (the maximum amount of time a resource can be unavailable before there is an unacceptable impact on other resources), and recovery point objective (the point in time to which process data can be recovered after an outage). [§ 3.2.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft)]

General Guidance

Stage 1.1 Process states that an organization should decide the maximum extent of an interruption that it wants to and needs to plan for in order to survive. Aspects of an interruption to consider include:
Geographical extent (or market/customer area)
Regulatory or statutory requirements
Products, market sectors or specific customers
Specific interruption scenarios - such as a computer failure or denial of access
Stage 1.2 Process (BIA) states that the time scale within which an interruption of each business function becomes unacceptable should be determined.
[Stage 1.1 Process, Stage 1.2 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

The business requirements of the organization should take into account the amount of time beyond which an outage is unacceptable. [CB1.3.5, SD3.4.6, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

The organization should assess the impacts of activities being disrupted over time; establish the maximum tolerable period of disruption by determining the maximum amount of time that can elapse before an activity must be resumed, the minimum level at which an activity needs to be performed once it is resumed, and the time period within which normal operations need to be resumed; and identify all interdependencies between activities, resources, supporting infrastructure, and assets that have to be continuously maintained or recovered over time. [§ 6.2.2, BS 25999-1, Business continuity management. Code of practice, 2006]
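The NIST definitions above (MTD, RTO, RPO) and the BS 25999 requirement to map interdependencies imply consistency checks that a BIA record should pass: an activity's RTO cannot exceed its MTD, and a supporting resource must recover no later than the activities that rely on it. The following Python is an added example, not code from UCF or any cited standard; the activity names and figures are a constructed sample, and the "supporting resource RTO must not exceed dependent RTO" rule is the reading of the RTO definition assumed here.

```python
from dataclasses import dataclass, field


@dataclass
class Activity:
    """One business activity or supporting resource recorded in the BIA.
    Times are in hours; the three figures follow the NIST SP 800-34
    definitions quoted above (MTD, RTO, RPO)."""
    name: str
    mtd_hours: float        # maximum tolerable downtime (BS 25999: MTPD)
    rto_hours: float        # recovery time objective
    rpo_hours: float        # recovery point objective (age of recoverable data)
    depends_on: list[str] = field(default_factory=list)  # BS 25999 interdependencies


def check_bia(activities: list[Activity]) -> list[str]:
    """Return one finding per missing or inconsistent downtime tolerance."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        # A recovery target that lets an activity stay down longer than
        # management tolerates is not a usable objective.
        if a.rto_hours > a.mtd_hours:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTD {a.mtd_hours}h")
        for dep_name in a.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                # Interdependency named but never analysed (BS 25999 § 6.2.2 gap).
                findings.append(f"{a.name}: depends on '{dep_name}', which has no BIA entry")
                continue
            # Assumed rule: a resource must be back before the activities
            # relying on it reach their own RTO (NIST RTO definition).
            if dep.rto_hours > a.rto_hours:
                findings.append(
                    f"{a.name}: supporting resource '{dep_name}' has RTO "
                    f"{dep.rto_hours}h, later than this activity's RTO {a.rto_hours}h")
    return findings


# Constructed sample BIA for a hypothetical organisation (not from any cited document).
SAMPLE_BIA = [
    Activity("Online banking", mtd_hours=8, rto_hours=4, rpo_hours=1,
             depends_on=["Core database", "Authentication service"]),
    Activity("Core database", mtd_hours=8, rto_hours=6, rpo_hours=0.25),
    Activity("Authentication service", mtd_hours=24, rto_hours=36, rpo_hours=4,
             depends_on=["Directory"]),
]

if __name__ == "__main__":
    for line in check_bia(SAMPLE_BIA):
        print(line)
```

Run against the sample, the check reports four findings: two supporting resources that recover later than "Online banking" needs them, an RTO that exceeds its MTD, and a dependency with no BIA entry.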

Asia and Pacific Rim Guidance

The guide requires an organization to determine how long different business processes can be down and how long it takes to recover them. Its checklist includes items that help in establishing guidelines for estimating the duration of an outage:
Are the people involved in the disaster assessment process clearly identified?
Are notification procedures for those involved in the disaster assessment process clearly identified?
Are timeframes for the disaster assessment clearly identified?
Are safety procedures for disaster assessment identified in line with Occupational Health and Safety Standards?
Do outside parties need to be part of the disaster assessment?
If yes, are they all identified?
Are all relevant insurance companies appropriately informed of the incident before disaster assessment takes place (some insurance is void if certain disaster assessments are carried out without the insurance company present or without their knowledge)?
[Pg 58, Australia Better Practice Guide - Business Continuity Management, January 2000]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.