Criticality Analysis and BIA

  • Criticality is the degree of impact of losing something important, e.g., a critical process, activity, resource, or system. Criticality analysis is the process of determining that criticality.
  • Business impact analysis (BIA), which comprises criticality analysis, identifies
    1. critical activities that support the delivery of products and services,
    2. supporting activities and dependencies, and
    3. other assets and resources.
  • The more critical an activity is, the shorter its tolerable downtime is. BIA identifies activities and determines their maximum tolerable downtimes (MTDs), recovery time objectives (RTOs), and recovery point objectives (RPOs) to prioritize them as critical activities. In summary, criticality analysis is part of BIA.


Criticality

  • A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. (CNSSI 4009-2015 NIST SP 800-60 Vol. 1 Rev. 1)
  • Degree of impact that a requirement, module, error, fault, failure, or other item has on the development or operation of a system. (IEEE 1012-2012 IEEE Standard for System and Software Verification and Validation, 3.1)

Criticality Analysis

  • An end-to-end functional decomposition performed by systems engineers to identify mission critical functions and components. Includes identification of system missions, decomposition into the functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions. Criticality is assessed in terms of the impact of function or component failure on the ability of the component to complete the system mission(s). (CNSSI 4009-2015 DoDI 5200.44)
  • Process designed to systematically identify and evaluate an organization’s assets based on the importance of its mission or function, the group of people at risk, or the significance of an undesirable event or disruption on its ability to meet expectations. (ISO 22300:2018 Security and resilience — Vocabulary)

