BCR-02: Risk Assessment and Impact Analysis

Control Statement

Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities.

Implementation Guidance

The business impact analysis (BIA) should incorporate the following components:

  1. Identification of critical products and services with their inherent risks.
  2. The likelihood and impact of each risk.
  3. The organization's risk appetite and tolerance.
  4. The identification of risk dependencies.
  5. The identification of appropriate and relevant countermeasures to prevent, detect, and react to the identified risks.

The impact analysis should incorporate the following elements:

  1. The immediate and ongoing impacts resulting from disruptions.
  2. A recovery time objective (RTO) and recovery point objective (RPO).
  3. The estimated internal and external resources required for recovery and resumption.

Auditing Guidance

  1. Examine the policy to determine business impact and the criteria for developing business continuity.
  2. Evaluate the process to review and approve the policy.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

The Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.