Status: Live
The organization will ensure that the BIA identifies tolerance to downtime, as well as cost and recovery time objectives, including reputational and compliance tolerance. [UCF ID 01172]
Supporting and supported controls
This control directly supports:
- Conducting a Business Impact Analysis [UCF Control ID 01147]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 9, Pg F-1, Exam Tier I Obj 3.3; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.1 Process, Stage 1.2 Process; The Standard of Good Practice for Information Security, CB1.3.5, SD3.4.6; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 58
Banking and Finance Guidance
The Business Impact Analysis (BIA) should estimate how long critical functions and processes can be down and the acceptable levels of data loss. [Pg 9, Pg F-1, Exam Tier I Obj 3.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
General Guidance
Stage 1.1 Process says an organization should decide the maximum extent of an interruption that it wants to and needs to plan for in order to survive. Different aspects of an interruption to consider include:
- Geographical extent (or market/customer area)
- Regulatory or statutory requirements
- Products, market sectors or specific customers
- Specific interruption scenarios, such as a computer failure or denial of access
Stage 1.2 Process (BIA) states that the time scale within which an interruption of each business function becomes unacceptable should be determined. [Stage 1.1 Process, Stage 1.2 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
The business requirements of the organization should take into account the amount of time beyond which an outage is unacceptable. [CB1.3.5, SD3.4.6, The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
The guide requires an organization to determine how long different business processes can be down and how long it takes to recover them. The following checklist includes items that will help in establishing guidelines to estimate the duration of an outage:
- Are the people involved in the disaster assessment process clearly identified?
- Are notification procedures for those involved in the disaster assessment process clearly identified?
- Are timeframes for the disaster assessment clearly identified?
- Are safety procedures for disaster assessment identified in line with Occupational Health and Safety Standards?
- Do outside parties need to be part of the disaster assessment?
  - If yes, are they all identified?
- Are all relevant insurance companies appropriately informed of the incident before disaster assessment takes place (some insurance is void if certain disaster assessments are carried out without the insurance company present or without their knowledge)? [Pg 58, Australia Better Practice Guide - Business Continuity Management, January 2000]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
