Which of the following is least likely to be an output of business impact analysis? (Wentz QOTD)
A. A list of identified risks or threats
B. Critical processes or prioritized activities
C. Capacity of operations
D. Recovery Time Objective (RTO)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. A list of identified risks or threats.
A list of identified risks or threats is the output of risk identification, which is part of risk assessment. According to the CISSP CBK 5th edition, risk identification is not part of BIA, so the typical outputs of BIA, listed below, do not include a list of identified risks or threats. Per ISO 22301, risk assessment can be done before or after BIA.
- Critical processes or prioritized activities
- The capacity of operations (or SDO, service delivery objective)
- Recovery Time Objective (RTO)
BIA in OSG
However, the BIA introduced in the Sybex ISC2 official study guide does include a risk identification step. If you are aware of the differences between BIA approaches and choose A as your answer, you have a strong justification.