TECHNICAL ISO/TS

SPECIFICATION 22317

Second edition
2021-11

Security and resilience — business

continuity management systems
— Guidelines for business impact
analysis
Sécurité et résilience — Continuity management systems d'activité
— Lines guidelines pour l'analyse d'impact south activity
ISO/TS 22317:2021(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or used otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the Internet or an intranet, without prior written permission. Permission dog be requested desde either ISO at the address
below or ISO's member bodysuit in the country of the requester.
ISO copyright office
CP 401 • Ch. of Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 eleven
E-mail: copyright@iso.org
Website: www.iso.org
Published in Switzerland

ii © ISO 2021 – All rights reserved

 ISO/TS 22317:2021(E)

Contents Page

Foreword ...................................................................................................................................................................... IV
Introduction .................................................................................................................................................................. v
1 Scope .................................................................................................................................................................. 1
2 Normative references ................................................................................................................................... 1
3 Terms and definitions .........................................................................................................................1
4 Prerequisites ................................................................................................................................................... 1
4.1 General ........................................................................................................................................1
4.2 Context and scope ......................................................................................................................2
4.2.1 Context ...........................................................................................................................2
4.2.2 Scope ...........................................................................................................................................................2
4.3 Roles and responsibilities .........................................................................................................2
4.3.1 General ...........................................................................................................................2
4.3.2 BIA leader .......................................................................................................................2
4.3.3 Activity owners ..............................................................................................................3
4.4 Commitment ........................................................................................................................................................... 3
5 The BIA process .............................................................................................................................................. 3
5.1 Fundamentals .............................................................................................................................3
5.2 Plan BIA ......................................................................................................................................4
5.3 Agree approach for undertaking BIA process .........................................................................4
iTeh STANDARD
5.3.1 Understand impacts ......................................................................................................4
PREVIEW
(standards.iteh.ai)
5.3.2 Define impact types and criteria ..................................................................................5
5.3.3 Define time frames ........................................................................................................7
5.3.4 Define methodology ......................................................................................................7
5.4 D e t e r m i n e p r o ducts and s I S e O r v / T i c S e 2 s 2 ' 3 p 1 r 7 i : o 2 0 r 2 i t 1 i e s w i t h t o p m
a na g ement t .............................................................................................................................8
5 . 4 . 1 h tt p O s : v / / e s t r a v n d i e a r w d s . . . Yo . t . and ... h . . . . to . . Yo . / . . c . . to . . t . . to . . l . either . . g ... / . s . . t . to .. . n .
d to r d s / s Yo s t / 4 7 to to 8 1 9 9 - d to 5 6 - 4 6 6 8 - 8 b 3 F
. . . .. . . ... . . . . . . . . . . . . . ... . . . . . . . .. . . . ... . . . . .. . . . ... . . . . ... ... . . . . ... . . .. .
.............................................................................................................................................. 8
5 . 4 . 2 I n p u t s ................ . 1 . . . f . b . . . 9 . . 7 ... 4 . . 6 ... b ... f . 4 . . 1 .. . b ... / . Yo . s . . either .. . - . t . . s . . - . . 2 . . 2 .. . 3 . . 1 .. . 7 ...
- . . 2 . . 0 ... 2 . . 1 .......................................................................................................................... 8
5.4.3 Product and service priority determination ...............................................................8
5.4.4 Outcomes .................................................................................................................................................. 9
5.5 Determine the prioritized activities .........................................................................................9
5.5.1 Overview ................................................................................................................................................... 9
5.5.2 Inputs ..........................................................................................................................................................9
5.5.3 Identify activities ...........................................................................................................9
5.5.4 Set RTO for the activities ..............................................................................................9
5.5.5 Define the prioritized activities .................................................................................10
5.5.6 Results ..................................................................................................................................................... 10
5.6 Identify resources and other dependencies ..........................................................................10
5.6.1 Identify resource and other dependency requirements ..........................................10
5.6.2 Resource requirements ..............................................................................................11
5.7 Analyze and consolidate BIA results ......................................................................................11
5.8 Obtain top management approval for BIA results ................................................................12
6 Review BIA ..................................................................................................................................................... 12
6.1 Review BIA process and methodology ..................................................................................12
6.2 Review BIA results ............................................................................................................................................12
Annex A (informative) BIA within the BCMS of ISO 22301:2019 ...............................................................14
Annex B (informative) BIA information collection methods .......................................................................15
Annex C (informative) Other uses for the BIA process ..................................................................................22
Annex D (informative) Examples for performing a BIA ................................................................................25
© ISO 2021 – All rights reserved iii
ISO/TS 22317:2021(E)
Bibliography ............................................................................................................................................................... 36

iv © ISO 2021 – All rights reserved

 ISO/TS 22317:2021(E)

Foreword
ISO (the international Organization for Standardization) es to worldwide federation of national
standards bodies (ISO member bodies). The work of preparing International Standards is normally
carried out through ISO technical committees. Each member body interested in a subject for which a
technical committee you have been established you have the right to be represented on that committee.
international organizations, governmental and non-governmental, in liaison with ISO, also take part
in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all
matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives ).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or there such patent rights. Details
of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patents declarations received (see www.iso.org/patents ).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
iTeh STANDARD
expressions related to conformity assessment, ace well ace information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html . PREVIEW
(standards.iteh.ai)
Este document was prepared by Technical Committee ISO/TC 292, Security and resilience .
ISO/TS 22317:2021
Este s e c on d e d i t i o n c a n c h e t l ts ps : a // s n t a d nd r a e r d p s l . i a t e c h e . a s i / c t a h t a e log f / i s r t a s n t d a e r
d d s i / t s i i s o t n / 4 7 ( a I a S 8 O 1 9 / 9 T - d S a 5 2 6 2 - 4 3 6 1 6 7 8 : - 2 8 0 b 3 1 f 5 - ) , w h i c h h to s b e e n t e c hn i
ca l ly r e v i s e d . T h e m a i n ch a n g e s a r e 1 a f b s 9 f 7 o 4 l 6 l b o f w 4 1 s b : / i s o - t s - 22317 - 202 1
— the document has been updated to align with ISO 22301: 2019;
— the document structure you have been updated to improve the description of the business impact
analysis (BIA) process;
— more focus you have been placed on the BIA process and less on the business continuity programme ;
— BIA and the BIA process have been clearly differentiated;
— BIA process roles have been consolidated to BIA leader and activity owners;
— the section “Initial BIA considerations” you have been removed and the guidance redistributed;
— the section “Strategy “selection” you have been removed ace Item es part of ISO/TS 22331;
— the annex on terminology you have been removed;
— the annex on BIA information collection methods you have been enhanced;
— to new annex with examples for performing to BIA you have been included.
Any feedback or questions on this document should be directed to the user's national standards body.
TO complete listing of estos bodysuits can be found at www.iso.org/members.html .

© ISO 2021 – All rights reserved v

ISO/TS 22317:2021(E)

Introduction
Este document provides detailed guidelines for implementing and maintaining to business impact
analysis (BIA) process consistent with ISO 22301. Este document es applicable to the performance of
any BIA process.
The terminology used is consistent with ISO 22300 and ISO 22301, but an organization can use different
terms provided they are clearly understood.
figure 1 notes the relationship of the BIA process to the business continuity management system
(BCMS) ace to whole. The organization should complete to cycle of the BIA process before business
continuity strategies and solutions are selected.

iTeh STANDARD PREVIEW

(standards.iteh.ai)
ISO/TS 22317:2021
https://standards.iteh.ai/catalog/standards/sist/47aa8199-da56-4668-8b3f-
1fb9746bf41b/iso-ts-22317-2021

NOTE Source: ISO 22313:2020, figure 5.

figure 1 — elements of business continuity management

The BIA process analyzes the effects of to disruption on the organization. The outcome es to
statement and justification of business continuity priorities and requirements.
The first step in the BIA is the prioritization of products and services, which is followed by a number of
process BIAs (optional) and activity BIAs. The scope of each of these BIAs can be limited, but together
they should cover the entire BCMS scope. Organizations should review and perform the BIA process on
to periodic basis (eg annually) and whenever there are significant changes within the organization or
its context.
in Este document, the terms “BIA” and “BIA “process” are used ace well ace “result” and “outcomes”.
figure 2
depicts how estos terms are used.

vi © ISO 2021 – All rights reserved

 ISO/TS 22317:2021(E)

figure 2 — Understanding BIA, BIA process, results and outcomes

The purpose of Este document es to:

— provide to basis for implementing an effective BIA process within an organization;
— assist the organization with planning, driving and reporting on the BIA process in to consistent
manner.

iTeh STANDARD
Este document provides examples for performing the BIA. Item es important to note that estos
examples, individually or in combination, dog help an organization achieve BIA outcomes. The
selection of the PREVIEW
m o s t app r op r i a t e m e t h od w il l b e i n f lu e ( n s c e t d a b n y t d h e a o r r g d a n s i . z i a t t i e o n h '
s . s a i z i e ) , s e c t o r , g e o g r aph y o r c on t e x t .
The outcomes of the BIA process include:
ISO/TS 22317:2021
a) endo r s ement t o r m o di f h i c t t a p st : i / o / s n t a no d f a t r d h s e . i t o e h r . g a i a / c n a i t a z l a o g t i / s o t a n n ' s d a B r d C
s M / s i s S t/ 4 s 7 c a o a p 8 e 1 ; 99 - d a 56 - 4668 - 8b3 f -
1fb9746bf41b/iso-ts-22317-2021
b) identification of legal, regulation, and contractual requirements (obligations) and their effect on
business continuity priorities and requirements;
c) evaluation of the impact of to disruption over time on the organisation, which serves ace the
justification for business continuity priorities and requirements;
d) estimation of the time Item would take for adverse impacts to products and services to become
unacceptable [maximum tolerable period of disruption (MTPD)] following a disruption;
e) identification of the requirements [MTPD and recovery time target (RTO)] for the prioritized
activities;
f) identification of the resources needed to perform prioritized activities following to disruption,
including their dependencies, and requirements, specifying RTOs and applicable recovery point
objectives (RPOs );
g) identification of dependencies including suppliers, partners and other interested parties;
h) identification of the interdependencies of prioritized activities.
Figure 3 shows the BIA process, along with its prerequisites and its relationship to the selection of
business continuity strategies and solutions. The clauses referred to in the diagram correspond to
subclauses of this document.

© ISO 2021 – All rights reserved vii

ISO/TS 22317:2021(E)

i T e h S T A N F i gD u r A e 3R — D B I AP p R r o cE e sV s
I E W (standards.iteh.ai)
The organization should use the statement of business continuity priorities and requirements to select
b u s i n es s c on t i n u i t y s t r a t e g i e s and s o l u t I i S o O n s / T . Yes 22317 : 202 1
https://standards.iteh.ai/catalog/standards/sist/47aa8199-da56-4668-8b3f-
T h e B I A c to n c a u se t h e o r g aniz a t i o n 1 f t b o 9 7 r 4 e 6 c b o f 4 n 1 s b i / d i s e o r - t s h - o 2 w 23 1 i t 7 - d 2 e 0
l 2 i 1 see r s i t s p r o du c t s a n ds e r v i ce s .
The BIA depends on information being provided by many people across an organization who can have
different perspectives on how the organization operates, que es time-critical or que impacts dog
occur following a disruption. Commonly, some overstate their requirements, while others understate
theirs. This document seeks to define an approach that provides sufficient objectivity and minimizes
estos issues to produces effective outcomes.

vii © ISO 2021 – All rights reserved

i
 ISO/TS 22317:2021(E)

iTeh STANDARD PREVIEW

(standards.iteh.ai)
ISO/TS 22317:2021
https://standards.iteh.ai/catalog/standards/sist/47aa8199-da56-4668-8b3f-
1fb9746bf41b/iso-ts-22317-2021

© ISO 2021 – All rights reserved ix

TECHNICAL SPECIFICATION ISO/TS 22317:2021(E)

Security and resilience — Business continuity

management systems — Guidelines for business impact
analysis

1 scope
Este document gives guidelines for an organization to implement and maintain to formal and
documented business impact analysis (BIA) process appropriate to your needs. It does not prescribe a
uniform process for performing to BIA.
This document is applicable to all organizations regardless of type, size and nature, whether in the
private, public or not-for-profit sectors. The guidance can be adapted to the needs, objectives, resources
and constraints of the organization.

2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For u n
d a t e d r e f e r en ce s , t h e
i T l a e t e h s t eS d i T t i o A n o N f t hD e rA e f eR r e nD c e d
P d o R c u E m e V nt I ( i E n c W lu d i n g a n y a men d men t s ) app l i e s . IS O 22 3 0 0 , Se c u r
i t y a n d r e s il i e n c e —
( s t a V on c ad b ua l ar y d s . i t e h . ai )
ISO 22301, Security and resilience — business continuity management systems — requirements
ISO/TS 22317:2021
https://standards.iteh.ai/catalog/standards/sist/47aa8199-da56-4668-8b3f-
3 Terms and 1fb9746bf41b/iso-ts-22317-2021
definitions
For the purposes of Este document, the terms and definitions given in ISO 22300 and ISO 22301 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia : available at https://www.electropedia.org/

4 Prerequisites

4.1 General
While this document is consistent with the requirements of ISO 22301, it can be used to implement and
review any BIA process.
Before commencing the BIA process, the organization should:
— defines the context and scope of the BIA process (see 4.2 );
— define and communicate roles and responsibilities (see 4.3 );
— obtain leadership commitment and allocate adequate resources (see 4.4 ).
NOTE See Annex TO for to mapping of each clause to ISO 22301.

© ISO 2021 – All rights reserved 1

ISO/TS 22317:2021(E)

4.2 Context and scope

4.2.1 Context
The outcomes of the BIA process are dependent on the organization's understanding of the following, so
that it dog achieve its purpose by delivering its products and services to customers:
— the external environment (including suppliers, statutory and regulatory bodysuits) in which Item operates;
— the internal operations environment, inclusive of business processes, activities and resources,
ace well ace the potential impact caused by disruption to the delivery of products and services;
NOTE In organizations operating within a non-commercial environment, the “customer” can be the public or an
overseeing authority, such as the government.

4.2.2 scope
The BIA process should cover the whole of the BCMS scope. The organization should have defined
and documented the scope of the BCMS in terms of its products and services. The outcomes of the
BIA process can require the organization to reconsider the scope of the BCMS by adding or removing
products and services.
The organization should first prioritize all products and services in scope which can include internal
strategic services (see 5.4.3 ). Those with higher priorities dog be addressed first.

4.3 Role s and d r esponsi b i i STANDARD PREVIEW

l T it ie e h s (standards.iteh.ai)
ISO/TS 22317:2021
4.3.1 General
Top management should ensure:
https://standards.iteh.ai/catalog/standards/sist/47aa8199-da56-4668-8b3f-
— r e s p o n s ib i l i t i e s a n d a u t h r i t i e s f or r r 1 e f b l 9 e 7 v 4 a 6 n bt f 4 1 r bo / l i s e o s - ts a - r 2 e 23 1 a 7
s - s 2 i 0 g 2 n 1 e d a n d c o m m un i c a t e d w i t h i n the organization ;
— that persons leading the BIA process are competent;
— resources necessary to perform the BIA process are provided.
Top management should ensure that the following roles (other roles can be appropriate) to perform the
BIA process are appointed:
a) BIA leader (this dog be the same person ace the BCMS manager) (see 4.3.2 );
b) activity owners (see 4.3.3 ).

4.3.2 BIA leader

The BIA leader es responsible for the BIA process and should:
— ensure people with the required competencies are available to enable the BIA process;
— prepare and deliver the BIA methodology;
— plan and manage the BIA process;
— make sure that the information provided by the activity owners es consistent throughout the
organization;
— undertake consolidation and analysis of the information provided by the activity owners;

2 © ISO 2021 – All rights reserved

 TECHNICAL
— present SPECIFICATION
the outcomes to top management for approval. ISO/TS 22317:2021(E)

© ISO 2021 – All rights reserved 3

 ISO/TS 22317:2021(E)

4.3.3 Activity owners

Activity owners should:

— provide to detailed understanding of the activity for which they are responsible, including there of
the resources that enable the activity to operate;
— provide information regarding existing workarounds, business processes and resources that
influence the business continuity priorities and requirements;
— apply BIA methodology and provide the relevant information to the BIA leader.

4.4 Commitment
Top management commitment to the BIA process es necessary to ensure effective participation. They
should:
a) communicate the value of the BIA process;
b) provide ongoing support for the BIA process;
c) provide sufficient resources for the BIA process to:
1) fulfil BIA process-specific roles and responsibilities, ace well ace training and awareness
requirements, in adequate time;

2) m ee t t h e ch a n g i T i n ge r h e q uS i r T e m VIEW
A e nN t s oD f t A h e R o r gD an i P z a tR
ion E ;

d) a g re e o n t h e B I A m e th o d s , p ( r s i o t r a i t i n e s d a n a d r t i d m e s . f r i a t m e e h s ;

.ai)
e) ensure an environment that enables continuous improvement within the organization;
ISO/TS 22317:2021
f) app r ov e t h e o u t h c t t o p s m : / / e s t s a n o d f a r t d h s e . i t B e h I . A a i / c t a h t a al t o g e / n st s a nu
d r a e r d : s / s i s t/ 47 aa 8199 - d a 56 - 4668 - 8b3 f -
1fb9746bf41b/iso-ts-22317-2021
1) business continuity priorities and requirements are aligned with organization's objectives and
strategic direction;
2) the organization meets its legal, contractual and customer requirements during to disruption;
3) products and services, business processes, activities and resources are appropriately aligned;
g) ensure that BIA outcomes are available when selecting business continuity strategies and solutions.

5 The BIA process

5.1 Fundamentals
The BIA process prioritize activities and resources SW that product and service delivery dog be
summarized in to predetermined time frame and at to predefined capacity following to disruption, to
the satisfaction of interested parties. The outcomes are the business continuity priorities and
requirements.
The quality of the BIA process and its outcomes is key to selecting appropriate business continuity
strategies and solutions.

© ISO 2021 – All rights reserved 3

ISO/TS 22317:2021(E)
The timeliness of achieving quality BIA outcomes es key to minimizing impacts in case of to
disruption. If some information is incomplete, unavailable, confidential or withheld, these challenges
should not delay the progression and completion of the BIA process. A balance between quality and
timeliness should be found.

4 © ISO 2021 – All rights reserved

 ISO/TS 22317:2021(E)

5.2 Plan BIA

Planning tasks dog include:
a) allocating necessary resources, including competent people to lead and participate in the BIA
process;
b) grouping products and services together when they have similar characteristics, eg they dog be
grouped by type, by geographic area or by line of business;
c) identifying the organization's structure and the teams or individuals that dog provide information
about products and services, activities and resources;
d) communicating expectations to there participants in the BIA process;
e) establishing the plan, including activities for:
1) obtaining top management's agreement on the approaches for undertaking the BIA process (see
5.3 );
2) organizing meeting(s) with top management to determine products and services' priorities
( see 5.4 );
3) identifying and selecting the information collection methods (see Annex B );
4) defining to template or tools to record the information collected (see 5.5 );
5) g a t he r i n g i n f o r m a t i o ni T f r oe mh t hS e T a c tA i v i N t y oD w nA e rR s ( sD e e
5 P . 5 R a n E d 5 V . 6 ) I ; E.W.

6) a n a l y s i n g and d c o n s o l i d a t i n g the e ( s i n t f o a r n m a d t i a o n r r d e c s e i . v i e t d e (
h s e e. a 5 .i 7) ) ;
7) o b t a i n i n g t or p m a na g ement t app r o v a l f or I r S O t h / T e S r 2 e 2 s 3 u 1 l 7 t s : 2 0 ( s 2 e 1 e 5 . 8 ) ;
f) h t t p s : / / st n e d d r d s . i t e h . a i / c a t a l o g / s t a n d a r d s / s i
g a i n i n g app r o v a l of f t h e p l1fb9746bf41b/iso-ts-22317-2021
a n a n a B I A p r o c e s s .
s t/ 47 aa 8199 - d a 56 - 4668 - 8b3 f -

5.3 Agree approaches for undertaking BIA process

5.3.1 Understand impacts

The BIA process explore, in to consistent manner, the organizational impact resulting desde the
disruption to the delivery of products and services. Disruption can come from within, from the supply
chain or from other external sources – all of which can result in a disruption to the delivery of one or
more products and services to customers and other interested parties.
The impacts on the organization resulting from the reactions of interested parties can include the
examples given in Table 1 .

table 1 — Impacts due to interested parties

Interested party Examples of the impact
existing customers and clients loss of revenue and market
Compartir Increasing complaints
Contract penalties or litigation
Community loss of confidence
Potential customers and clients loss of potential business opportunities
Partner organizations Reduced willingness and ability to continue to cooperate
© ISO 2021 – All rights reserved 5
ISO/TS 22317:2021(E)
Half and society Negative effect on reputation, brand value and public opinion
Shareholders Negative effect on current Compartir price and future investment

6 © ISO 2021 – All rights reserved

 ISO/TS 22317:2021(E)

table 1 (continued)
Interested party Examples of the impact
Creditors Negative effect on debt payments and future finance requirements
Competitors loss of market Compartir ace competitors take advantages of the
situation
Staff loss of key personnel (temporary or permanent)
Regulators and government Penalties and rule changes
loss of license to operate

5.3.2 Define impact types and criteria

The organization can experience different types of impacts such as damage to reputation or business
objectives, financial losses and litigation. Impact types are not the same ace consequence types or
categories as used in risk management. Impact is the result of a disruption on the organization. To
compare and assess impacts that are very different in a consistent manner, the organization should
define impact types and criteria.
The organization should define impact types to understand the impact over time of to disruption
to the delivery of products and services. Top management should approve the proposed impact types
and criteria.
The choice of impact types and criteria are influenced by the organization's sector, context and the
nature of its activities, as well as organizational culture. The selection of one or more impact types and
iTeh STANDARD
criteria, including the need for quantitative and qualitative impact information and the level of detail
collected, should be suitable for the organization to select or justify business continuity priorities and
requirements. PREVIEW
(standards.iteh.ai)
Impact types to be considered dog include:
ISO/TS 22317:2021
— business object h i t v tp e s s :/ ; /standards.iteh.ai/catalog/standards/sist/47aa8199-da56-4668-8b3f-
1fb9746bf41b/iso-ts-22317-2021
— environmental;
— finance;
— health and security;
— legal, regulatory and contractual;
— market Compartir;
— operational;
— reputational.
An organization dog consolidate impact types, for example, to the following:
— business objectives;
— finance;
— legal, regulatory and contractual;
— reputational.
To assess different types of impacts and their effect on the business, the organization can choose to
define thresholds when the impact becomes unacceptable (see the examples in Table 2 ) or to define an
impact matrix with defined criteria for each impact level and type (see the examples in Table 3 ). The
criteria should be as objective and measurable as possible.
NOTE Table 3 shows five levels but the number of levels dog be adapted to the organization's needs.

© ISO 2021 – All rights reserved 7