This part of the IMS deals with business continuity risk. The process starts with what the standard refers to as a business impact analysis. In reality this is a disruption-effect analysis as it seeks to determine the resumption requirements (both in terms of time and required resources) for the critical activities that support our products and associated services. The result is that we know:
Say what that process is, e.g. manufacturing cars<<>>
What the business impact/disruption-effect analysis does not address is the nature of the threats (i.e. the cause(s) of the disruptions) or the vulnerabilities (i.e. the susceptibility of an activity to disruption). That aspect of the overall analysis is the province of the risk assessment/risk treatment process. This process, as used in the context of BS 25999, is a modified form of the methodology that we used for ISO/IEC 27001. As in that case, the approach taken is based on the methodology presented by Brewer and List in their paper "Measuring the effectiveness of an internal control system" (the "time" theory). In the BS 25999 application, Time Theory assets are synonymous with BS 25999 critical activities. Thus, in the BS 25999 context, an event describes how a threat agent might exploit some vulnerability to disrupt a ...
Explain the method that you use to perform the BIA. If appropriate, refer out to a white paper or a procedure. Note that whatever method is used, it must permit the following sections, which follow the order given in BS 25999, to be populated. <<>>

Describe your key products and associated services that are within scope of the BCMS. <<>>

Risk Assessment/Risk Treatment

In the "threat agent ID" column, use a simple descriptive identifier. Use it also as an anchor; you will refer to it from elsewhere. In the "description" column, describe briefly what the threat agent is. If the threat agent is common to other risk assessments, use the same identifier: there will be just one definition on the Glossary page. Note that there is a special threat (suppliers and outsource partners) that is identified by BS 25999. It is labelled TA-out. Use the label T- (i.e. drop the A) for the threat agents that you define, so that the list may still be put into alphabetic order (should you so wish).
In the "vulnerability ID" column, use a simple descriptive identifier. Use it also as an anchor; you will refer to it from elsewhere. In the "description" column, describe briefly what the vulnerability is. If the vulnerability is common to other risk assessments, use the same identifier: there will be just one definition on the Glossary page.