Which of the following is not an output of business impact analysis?
A. A list of identified risks or threats
B. Critical process or prioritized activities
C. Capacity of operations
D. Recovery Time Objective (RTO)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. A list of identified risks or threats.
A list of identified risks or threats is the output of risk identification, which is part of risk assessment.
According to the CISSP CBK 5th edition or ISO 22301, risk identification is not part of BIA. The typical outputs of BIA are therefore the following, which don’t include a list of identified risks or threats:
- Critical process or prioritized activities
- The capacity of operations (or SDO, service delivery objective)
- Recovery Time Objective (RTO)
However, the BIA as introduced in the Sybex ISC2 official study guide does include a risk identification step. If you are aware of the differences between BIA approaches and choose A as your answer, you have a strong justification.