Newcomer I

Risk Assessment

Dear Team,

I am preparing for the upcoming CISSP exam and am currently doing self-study.

I need your advice on the question below.

Q. What assesses potential loss that could be caused by a disaster?

  • A. The Business Assessment (BA)
  • B. The Business Impact Analysis (BIA)
  • C. The Risk Assessment (RA)
  • D. The Business Continuity Plan (BCP)

As per the online material, the correct answer should be B.

But as per me, a risk assessment does assess the potential loss of a disaster (quantitative or qualitative). The correct answer should be C.

I would appreciate your advice on the correct answer.

Thanks

Nitesh

5 Replies
Advocate I

Re: Risk Assessment

A BIA would be broader than your typical InfoSec risk assessment.

If you think about it, a BIA needs to consider things like loss of water supply to the site, flooding in an area, severe weather, etc. So imagine staff cannot get to the site due to damage to their home or property from a severe weather event: the impact is likely to be a reduction in the staff available, despite the fact that remote access to information is still in place.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Community Champion

Re: Risk Assessment

I like this definition:

Risk assessments analyze potential threats and their likelihood of happening; a business impact analysis explains the effects of particular disasters and their severity.

So the question asks:

>>> What assesses potential loss that could be caused by a disaster

Based on this definition, I would choose the BIA and not the risk assessment.

This article might help:

https://searchdisasterrecovery.techtarget.com/answer/How-do-a-business-impact-analysis-and-risk-asse....

Regards

d

Advocate I

Re: Risk Assessment

It's fairly common to look at a BIA from a value chain perspective. Take a single business function and determine the impact of its unavailability over a number of time horizons. Consider what the impact is on upstream suppliers and downstream customers.

It's typical to turn those impacts into consequences: financial, legal, regulatory, reputational, etc. You'd also need to consider support functions as well, most probably health and safety, HR/payroll, finance, procurement and business risk/insurance, as they are likely to be part of the recovery effort for many disruption scenarios.

To give a practical example, the Ford Motor Company decided in the late 60s not to entertain an equal pay claim, so the women doing the upholstery machining went out on strike. The consequence was that car production stopped once the stocks of finished car seats ran out, as the seats were critical to the finished product.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Newcomer I

Re: Risk Assessment

Thanks for your reply.

Much appreciated.

Newcomer II

Re: Risk Assessment

Great question.

A risk assessment should identify/assess the scenarios and likelihood that may occur and the hazards to the assets.

A BIA will dig a little deeper into assessing the consequences/loss (aka "the impact") to the assets.