Handbook of Information Security Management: Risk Management and Business Continuity Planning



BIA Questionnaire Construction

Exhibit 1 features an example of a BIA questionnaire. Basically, the BIA questionnaire is made up of the following types of questions:

  Quantitative Questions — These are the questions the interviewee is asked to consider to describe the economic or financial impacts of a potential disruption. Measured in monetary terms, an estimation of these impacts will aid the organization in understanding loss potential, in terms of lost income as well as increased extraordinary expense. The typical quantitative impact categories might include: revenue or sales loss, lost trade discounts, interest paid on borrowed money, interest lost on float, penalties for late payment to vendors or lost discounts, contractual fines or penalties, unavailability of funds, canceled orders due to late delivery, etc. Extraordinary expense categories might include: acquisition of outside services, temporary employees, emergency purchases, rental/lease equipment, wages paid to idle staff, and temporary relocation of employees.
  Qualitative Questions — While the economic impacts can be stated in terms of dollar loss, the qualitative questions ask the participants to estimate potential loss impact in terms of their emotional understanding or feelings. It is surprising how often the qualitative measurements are used to put forth a convincing argument for a shorter recovery window. The typical qualitative impact categories might include loss of customer services capability, loss of confidence, etc.
  Specialized Questions — Make sure that the questionnaire is customized to the organization. It is especially important to make sure that both the economic and operational impact categories (lost sales, interest paid on borrowed funds, business interruption, customer inconvenience, etc.) are stated in such a way that each interviewee will understand the intent of the measurement. Simple is better here.


Exhibit 1.  Sample BIA Questionnaire

Using an automated tool? If an automated tool is being used to collect and correlate the BIA interview information, then make sure that the questions in the database and the questions on the questionnaire are synchronized to avoid duplication of effort or going back to interviewees with questions that might have been handled initially. A word of warning here, however. We have seen people pick up a BIA questionnaire off the Internet or from a book or periodical (like this one) and use it without regard to the culture and practices of their own organization. Never, ever, use a noncustomized BIA questionnaire. The qualitative and quantitative questions must be structured to the environment and style of the organization. There is opportunity for failure should this point be dismissed.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.