---
title: "ISO 22301 Business Impact Analysis FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/iso-22301/faq/business-impact-analysis"
source_url: "https://www.sorena.io/artifacts/global/iso-22301/faq/business-impact-analysis"
author: "Sorena AI"
description: "Practical ISO 22301 BIA FAQ covering prioritized activities, impact criteria, MTPD, RTO, RPO, dependencies, resources, strategy handoff, evidence, and review triggers."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ISO 22301 BIA"
  - "business impact analysis ISO 22301"
  - "MTPD"
  - "RTO"
  - "RPO"
  - "prioritized activities"
  - "recovery objectives"
  - "business continuity evidence"
  - "ISO 22301"
  - "business impact analysis"
---

# ISO 22301 Business Impact Analysis FAQ

Practical ISO 22301 BIA FAQ covering prioritized activities, impact criteria, MTPD, RTO, RPO, dependencies, resources, strategy handoff, evidence, and review triggers.


## ISO 22301 FAQ Business Impact Analysis

What should a business impact analysis do in an ISO 22301 business continuity management system?

Use this as implementation guidance for turning activity impact, recovery time, resource, dependency, and strategy decisions into evidence.

A useful ISO 22301 business impact analysis is not a generic risk survey. It identifies the activities that keep products and services running, assesses disruption impacts over time, sets recovery priorities, and hands clear requirements to continuity strategy, plans, exercises, audits, and management review.

## What is a BIA for under ISO 22301?

Under ISO 22301, the BIA is the process that turns business disruption into concrete continuity priorities and requirements. It should start from the BCMS scope and the products or services the organization has decided to protect.

The output should tell a visitor, auditor, or internal owner which activities are prioritized, why they matter, when disruption becomes unacceptable, what minimum capacity is needed, and which resources and dependencies must be available for recovery.

- Define impact types and assessment criteria that fit the organization, such as operational, financial, contractual, legal, safety, customer, and reputational impact.
- Identify the activities that support in-scope products and services rather than listing applications or departments with no business context.
- Use the BIA result to drive continuity strategy and solutions; do not leave it as a standalone spreadsheet.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies ISO 22301:2019 as the requirements standard for business continuity management systems.
- [ISO management system standards overview](https://www.iso.org/management-system-standards.html?ref=sorena.io) - Supports treating ISO 22301 as a management-system discipline with documented processes, review, and improvement.

## What should the BIA record for MTPD, RTO, and RPO?

The BIA should assess impacts over time and identify the point where not resuming an activity becomes unacceptable. That point is commonly expressed as the maximum tolerable period of disruption, or MTPD.

The recovery time objective should sit inside that maximum tolerable period and state when the disrupted activity must resume at a defined minimum acceptable capacity. For information and ICT-dependent activities, the BIA should also capture recovery point expectations where data loss or transaction loss affects continuity.

- For each prioritized activity, record the MTPD, RTO, minimum acceptable capacity, assumptions, and approval owner.
- For data-dependent activities, record the RPO or equivalent data-loss tolerance and map it to backup, replication, restoration, and reconciliation evidence.
- Flag impossible targets early, such as a one-hour RTO when supplier contracts, staffing, facilities, or data recovery evidence cannot support it.
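The checks in this answer can be run mechanically over BIA rows. The following is an added example, not part of the original page or any Sorena tooling; the field names, the sample rows, and the use of backup interval as the RPO evidence are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class BiaRow:                       # hypothetical record layout for one prioritized activity
    activity: str
    owner: str                      # approval owner
    mtpd_h: float                   # maximum tolerable period of disruption, hours
    rto_h: float                    # recovery time objective, hours
    min_capacity_pct: Optional[int]
    rpo_h: Optional[float] = None   # None means no RPO recorded
    data_dependent: bool = False
    backup_interval_h: Optional[float] = None   # evidence mapped to the RPO
    # dependency -> hours that contract or exercise evidence shows it takes to restore
    dep_restore_h: dict = field(default_factory=dict)

def review(row: BiaRow) -> list:
    """Return findings for one BIA row; an empty list means the row is consistent."""
    f = []
    if not row.owner.strip():
        f.append("no approval owner")
    if row.min_capacity_pct is None:
        f.append("no minimum acceptable capacity")
    if row.rto_h > row.mtpd_h:      # the RTO must sit inside the MTPD
        f.append(f"RTO {row.rto_h:g}h is outside MTPD {row.mtpd_h:g}h")
    if row.data_dependent:
        if row.rpo_h is None:
            f.append("data-dependent activity has no RPO")
        elif row.backup_interval_h is None:
            f.append("RPO has no backup evidence mapped")
        elif row.backup_interval_h > row.rpo_h:
            f.append(f"backup interval {row.backup_interval_h:g}h cannot meet RPO {row.rpo_h:g}h")
    for dep, hours in sorted(row.dep_restore_h.items()):
        if hours > row.rto_h:       # impossible target: a dependency is slower than the RTO
            f.append(f"{dep} needs {hours:g}h, RTO is {row.rto_h:g}h")
    return f

ROWS = [                            # constructed sample data
    BiaRow("Card payment authorisation", "Head of Payments", 4, 1, 60, rpo_h=0.25,
           data_dependent=True, backup_interval_h=0.25,
           dep_restore_h={"acquirer link (supplier SLA)": 4, "ledger database restore": 0.5}),
    BiaRow("Payroll run", "", 72, 96, None, data_dependent=True),
    BiaRow("Customer help desk", "Support Lead", 24, 8, 50, dep_restore_h={"alternate site": 6}),
]

def review_all(rows) -> dict:
    """Map activity name to findings, keeping only rows that have at least one finding."""
    return {r.activity: found for r in rows if (found := review(r))}

if __name__ == "__main__":
    for activity, findings in review_all(ROWS).items():
        print(activity, "->", "; ".join(findings))
```

Each finding should end up as a corrected target, an improved strategy, or a formally accepted gap with a named owner.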

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies the ISO 22301 requirements baseline used for BIA, continuity priorities, and recovery objectives.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Supports the ICT continuity link between BIA outcomes, recovery time expectations, and recovery point expectations for information resources.

## How should dependencies and resources be handled?

A BIA is weak if it only ranks activities. It should also identify the resources needed to support prioritized activities and the dependencies and interdependencies that affect recovery.

The useful version names the people, facilities, information, data, technology, suppliers, partners, utilities, records, and decision forums needed to continue or recover the activity within the agreed time frame and capacity.

- Map each prioritized activity to required resources, including minimum staffing, critical records, systems, facilities, suppliers, and manual workarounds.
- Separate internal dependencies from external dependencies so supplier contracts, service levels, and alternate arrangements can be tested.
- Connect each dependency to evidence: owner, contract, runbook, backup record, access path, exercise result, or corrective action.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies the ISO 22301 standard used to ground resource and dependency requirements for prioritized activities.
- [ISO standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports using structured standards-based records rather than informal continuity assumptions.

## How does the BIA hand off to strategy, plans, and exercises?

The BIA and risk assessment should feed the selection of business continuity strategies and solutions. If the selected strategy cannot meet the BIA time frames and minimum capacity, the organization should either improve the strategy or formally accept the gap.

Business continuity plans, recovery procedures, exercise scenarios, and post-exercise actions should all be traceable back to BIA outputs. Otherwise the organization may test convenient scenarios while leaving the most important recovery assumptions unproven.

- Trace each prioritized activity from BIA row to selected strategy, continuity solution, plan step, exercise scenario, and improvement action.
- Use exercises and tests to validate whether strategy and solution choices actually meet the BIA recovery targets.
- After incidents, activations, exercises, supplier changes, or technology changes, update the BIA and related plans together.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies ISO 22301 as the BCMS requirements source for linking BIA outputs to strategies, solutions, plans, and exercises.
- [ISO management system standards overview](https://www.iso.org/management-system-standards.html?ref=sorena.io) - Supports the plan-do-check-act style of evidence, evaluation, and improvement across the BCMS.

## What evidence proves the BIA is current?

Good BIA evidence shows both the analysis and the operating process around it. Keep the approved BIA, criteria, assumptions, owner approvals, dependency records, resource decisions, strategy links, exercise results, audit findings, corrective actions, and management-review inputs together.

Review the BIA at planned intervals and when significant changes affect the organization or its context. Practical triggers include a new product, site, supplier, system, legal obligation, customer commitment, incident lesson, exercise failure, major staffing model change, or recovery target change.

- Use versioned BIA records with owner, reviewer, approval date, change summary, assumptions, and next review trigger.
- Keep unresolved recovery gaps visible as risk acceptance, funded improvement work, supplier remediation, or management-review action.
- Avoid audit-day screenshots with no business owner, no activity scope, no time-based impact logic, and no link to continuity strategy.

Sources for this answer:

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Identifies the ISO 22301 requirements standard used for periodic review, documented information, evaluation, and improvement of the BCMS.
- [ISO standards overview](https://www.iso.org/standards.html?ref=sorena.io) - Supports the practical use of ISO standards as repeatable records and operating practices.

## Primary sources

- [ISO 22301:2019 standard page](https://www.iso.org/standard/75106.html?ref=sorena.io) - Primary public ISO listing for the business continuity management system requirements standard.
  - Quote: "Business continuity management systems - Requirements"
- [ISO management system standards overview](https://www.iso.org/management-system-standards.html?ref=sorena.io) - Explains the management-system model used for documented processes, evaluation, and continual improvement.
  - Quote: "continual improvement cycle"
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Public ISO listing for information security controls, used here only for the ICT continuity link to recovery point expectations.
  - Quote: "Information security controls"

