
ISO 22301 FAQ Business Impact Analysis

What should a business impact analysis do in an ISO 22301 business continuity management system?

Use this as implementation guidance for turning activity impact, recovery time, resource, dependency, and strategy decisions into evidence.

Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026

Overview

A useful ISO 22301 business impact analysis is not a generic risk survey. It identifies the activities that keep products and services running, assesses disruption impacts over time, sets recovery priorities, and hands clear requirements to continuity strategy, plans, exercises, audits, and management review.

Question 1

What is a BIA for under ISO 22301?

Under ISO 22301, the BIA is the process that turns an analysis of disruption impact into concrete continuity priorities and requirements. It should start from the BCMS scope and the products and services the organization has decided to protect.

The output should tell a reader, auditor, or internal owner which activities are prioritized, why they matter, when disruption becomes unacceptable, what minimum capacity is needed at resumption, and which resources and dependencies must be available for recovery.

  • Define impact types and assessment criteria that fit the organization, such as operational, financial, contractual, legal, safety, customer, and reputational impact.
  • Identify the activities that support in-scope products and services rather than listing applications or departments with no business context.
  • Use the BIA result to drive continuity strategy and solutions; do not leave it as a standalone spreadsheet.
Question 2

What should the BIA record for MTPD, RTO, and RPO?

The BIA should assess the impact of disruption over time and identify the point at which failing to resume an activity becomes unacceptable. ISO 22301:2019 calls that point the maximum tolerable period of disruption (MTPD); the standard also admits the term maximum acceptable outage (MAO) for the same concept.

The recovery time objective (RTO) must fall within the MTPD, with margin for recovery slippage, and state when the disrupted activity must resume at a defined minimum acceptable capacity. For information and ICT-dependent activities, the BIA should also capture the recovery point objective (RPO), the maximum acceptable loss of data or transactions measured back from the disruption, wherever that loss affects continuity.

  • For each prioritized activity, record the MTPD, RTO, minimum acceptable capacity, assumptions, and approval owner.
  • For data-dependent activities, record the RPO or equivalent data-loss tolerance and map it to backup, replication, restoration, and reconciliation evidence.
  • Flag impossible targets early, such as a one-hour RTO when supplier contracts, staffing, facilities, or data recovery evidence cannot support it.
Citations
ISO/IEC 27002:2022 standard page

Supports the ICT continuity link between BIA outcomes, recovery time expectations, and recovery point expectations for information resources.

Question 3

How should dependencies and resources be handled?

A BIA is weak if it only ranks activities. It should also identify the resources needed to support prioritized activities and the dependencies and interdependencies that affect recovery.

The useful version names the people, facilities, information, data, technology, suppliers, partners, utilities, records, and decision forums needed to continue or recover the activity within the agreed time frame and capacity.

  • Map each prioritized activity to required resources, including minimum staffing, critical records, systems, facilities, suppliers, and manual workarounds.
  • Separate internal dependencies from external dependencies so supplier contracts, service levels, and alternate arrangements can be tested.
  • Connect each dependency to evidence: owner, contract, runbook, backup record, access path, exercise result, or corrective action.
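The checks described in Question 2 (RTO inside MTPD, RPO backed by recovery evidence, impossible targets flagged early) and Question 3 (each dependency recoverable inside the RTO and tied to an owner and evidence) can be run mechanically over a BIA register. The following is an added example, not code from this page or from any ISO document: the field names, the hour-based units and the sample register are assumptions constructed for illustration, and reporting an RTO equal to the MTPD as a finding is this example's choice rather than an ISO rule.

```python
"""Consistency checks over a BIA register (added example, not page or ISO text).

Field names and hour-based units are assumptions; the sample register at
the bottom is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

AS_OF = date(2026, 5, 9)  # assumed "today" for the review-currency check


@dataclass
class Dependency:
    name: str
    kind: str                    # "internal" or "external"
    recovery_lead_time_h: float  # documented time to restore this dependency
    evidence: str = ""           # contract, runbook, backup record, exercise result
    owner: str = ""


@dataclass
class Activity:
    name: str
    mtpd_h: float                # maximum tolerable period of disruption
    rto_h: float                 # recovery time objective
    min_capacity: str            # minimum acceptable capacity at resumption
    owner: str
    approved_on: date            # date the BIA row was last approved
    data_dependent: bool = False
    rpo_h: Optional[float] = None              # recovery point objective
    backup_interval_h: Optional[float] = None  # evidenced backup/replication cadence
    dependencies: List[Dependency] = field(default_factory=list)


def check_activity(a: Activity, today: date, review_interval_days: int = 365) -> List[str]:
    """Return findings for one BIA row; an empty list means the row is consistent."""
    findings: List[str] = []
    # Recovery targets: the RTO has to sit inside the MTPD with some margin.
    if a.rto_h > a.mtpd_h:
        findings.append(f"RTO {a.rto_h}h exceeds MTPD {a.mtpd_h}h")
    elif a.rto_h == a.mtpd_h:
        findings.append("RTO equals MTPD, leaving no margin for recovery slippage")
    # Data loss tolerance: an RPO is meaningless without evidence it can be met.
    if a.data_dependent:
        if a.rpo_h is None:
            findings.append("data-dependent activity has no RPO")
        elif a.backup_interval_h is None:
            findings.append(f"RPO {a.rpo_h}h has no backup or replication evidence")
        elif a.backup_interval_h > a.rpo_h:
            findings.append(
                f"RPO {a.rpo_h}h is tighter than the evidenced backup interval {a.backup_interval_h}h"
            )
    # Dependencies: each must be recoverable inside the RTO and tied to evidence.
    for d in a.dependencies:
        if d.recovery_lead_time_h > a.rto_h:
            findings.append(
                f"{d.kind} dependency '{d.name}' needs {d.recovery_lead_time_h}h, RTO is {a.rto_h}h"
            )
        if not d.evidence or not d.owner:
            findings.append(f"dependency '{d.name}' has no evidence record or owner")
    # Currency: flag rows whose approval is older than the planned review interval.
    if (today - a.approved_on).days > review_interval_days:
        findings.append(f"approval dated {a.approved_on} is past the review interval")
    return findings


def check_register(register: List[Activity], today: date) -> Dict[str, List[str]]:
    """Map each activity name to its findings, so unresolved gaps stay visible."""
    return {a.name: check_activity(a, today) for a in register}


# Constructed sample register: one consistent row and one with several gaps.
SAMPLE_REGISTER = [
    Activity(
        name="Customer order intake", mtpd_h=24, rto_h=4,
        min_capacity="50% of normal order volume", owner="Head of Sales Operations",
        approved_on=date(2026, 3, 2), data_dependent=True, rpo_h=1, backup_interval_h=0.25,
        dependencies=[
            Dependency("Order database", "internal", 2, "restore runbook, last restore test", "Database team"),
            Dependency("Payment gateway", "external", 1, "supplier contract with restore SLA", "Procurement"),
        ],
    ),
    Activity(
        name="Payroll run", mtpd_h=72, rto_h=1,
        min_capacity="all salaried staff paid on schedule", owner="Head of HR",
        approved_on=date(2024, 12, 2), data_dependent=True, rpo_h=0.5, backup_interval_h=24,
        dependencies=[Dependency("Payroll SaaS", "external", 8, owner="HR Operations")],
    ),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER, AS_OF).items():
        print(name, "->", findings or "consistent")
```

Run against the sample, the first row passes and the payroll row produces four findings: an RPO tighter than the nightly backup can deliver, a supplier whose documented restore time exceeds the one-hour RTO, a dependency with no evidence record, and an approval older than the review interval. Each finding is a candidate for the risk acceptance, funded improvement, or supplier remediation that Question 5 says must stay visible; exporting the register and running checks like these in a scheduled job is a cheap way to catch drift between the BIA and the evidence behind it.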
Question 4

How does the BIA hand off to strategy, plans, and exercises?

The BIA and risk assessment should feed the selection of business continuity strategies and solutions. If the selected strategy cannot meet the BIA time frames and minimum capacity, the organization should either improve the strategy or formally accept the gap.

Business continuity plans, recovery procedures, exercise scenarios, and post-exercise actions should all be traceable back to BIA outputs. Otherwise the organization may test convenient scenarios while leaving the most important recovery assumptions unproven.

  • Trace each prioritized activity from BIA row to selected strategy, continuity solution, plan step, exercise scenario, and improvement action.
  • Use exercises and tests to validate whether strategy and solution choices actually meet the BIA recovery targets.
  • After incidents, activations, exercises, supplier changes, or technology changes, update the BIA and related plans together.
Citations
ISO 22301:2019 standard page

Identifies ISO 22301 as the BCMS requirements source for linking BIA outputs to strategies, solutions, plans, and exercises.

Question 5

What evidence proves the BIA is current?

Good BIA evidence shows both the analysis and the operating process around it. Keep the approved BIA, criteria, assumptions, owner approvals, dependency records, resource decisions, strategy links, exercise results, audit findings, corrective actions, and management-review inputs together.

Review the BIA at planned intervals and when significant changes affect the organization or its context. Practical triggers include a new product, site, supplier, system, legal obligation, customer commitment, incident lesson, exercise failure, major staffing model change, or recovery target change.

  • Use versioned BIA records with owner, reviewer, approval date, change summary, assumptions, and next review trigger.
  • Keep unresolved recovery gaps visible as risk acceptance, funded improvement work, supplier remediation, or management-review action.
  • Avoid audit-day screenshots with no business owner, no activity scope, no time-based impact logic, and no link to continuity strategy.
Citations
ISO 22301:2019 standard page

Identifies the ISO 22301 requirements standard used for periodic review, documented information, evaluation, and improvement of the BCMS.

Primary sources

References and citations

ISO 22301:2019, "Business continuity management systems - Requirements", iso.org. Cited as the BCMS requirements source for linking BIA outputs to strategies, solutions, plans, and exercises, and for periodic review, documented information, evaluation, and improvement of the BCMS.

ISO, iso.org page quoted as "formula that describes the best way". Supports the practical use of ISO standards as repeatable records and operating practices.

ISO/IEC 27002:2022, "Information security controls", iso.org. Supports the ICT continuity link between BIA outcomes, recovery time expectations, and recovery point expectations for information resources.