Nitesh
Newcomer II

Risk Assessment

Dear Team

I am preparing for the upcoming CISSP exam and am currently self-studying.

I need your advice on the question below.

Q. What assesses potential loss that could be caused by a disaster?

  • A. The Business Assessment (BA)
  • B. The Business Impact Analysis (BIA)
  • C. The Risk Assessment (RA)
  • D. The Business Continuity Plan (BCP)

As per the online material, the correct answer should be B.

But in my view a risk assessment does assess the potential loss from a disaster (quantitative or qualitative). The correct answer should be C.

I would appreciate your advice on the correct answer.

Thanks

Nitesh

6 Replies
Steve-Wilme
Advocate II

A BIA would be broader than your typical InfoSec risk assessment.

If you think about it, a BIA needs to consider things like loss of water supply to the site, flooding in the area, severe weather, etc. So imagine staff cannot get to the site because of damage to their homes or property from a severe weather event; the impact is likely to be a reduction in the staff available, despite the fact that remote access to information is still in place.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
dcontesti
Community Champion

I like this definition:

Risk assessments analyze potential threats and their likelihood of happening; a business impact analysis explains the effects of particular disasters and their severity.

So the question asks:

>>> What assesses potential loss that could be caused by a disaster

Based on this definition, I would choose the BIA and not the risk assessment.

This article might help:

https://searchdisasterrecovery.techtarget.com/answer/How-do-a-business-impact-analysis-and-risk-asse....

regards

d

Steve-Wilme
Advocate II

It's fairly common to look at a BIA from a value chain perspective. Take a single business function and determine the impact of its unavailability over a number of time horizons. Consider what the impact is on upstream suppliers and downstream customers.

It's typical to turn those impacts into consequences: financial, legal, regulatory, reputational, etc. You'd also need to consider support functions, most probably health and safety, HR/payroll, finance, procurement and business risk/insurance, as they are likely to be part of the recovery effort for many disruption scenarios.

To give a practical example, the Ford Motor Company decided in the late 60s not to entertain an equal pay claim, so the women doing the upholstery machining went out on strike. The consequence was that car production stopped once the stocks of finished car seats ran out, as the seats were critical to the finished product.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Nitesh
Newcomer II

Thanks for your reply.

 

Much appreciated.

BrianF
Newcomer III

Great question. 

 

A risk assessment should identify and assess the scenarios that may occur, their likelihood, and the hazards to the assets.

A BIA will dig a little deeper into assessing the consequences/loss (aka "the impact") to the assets.

Until_then
Contributor I

Yes, the answer is B as the online study material states. The likelihood of an event occurring ("potential loss") multiplied by impact equates to "risk". The "potential loss" is the impact or outcome of an event. An impact analysis would be used, not a risk assessment. Potential or probable Impact determines risk, not the other way around.
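The distinction drawn in this thread (Steve's value-chain BIA over several time horizons and with upstream/downstream dependencies, and Until_then's point that impact is an input to risk rather than the other way round) can be made concrete with a small model. The following is an added example written for this page; it is not code from the thread or from any (ISC2) material. Every function name, the dependency graph, the buffer stocks, the hourly loss figures and the scenarios are constructed for illustration and are not real data. The BIA part answers "what is lost if function X is unavailable for N hours", including knock-on outages downstream once buffer stock runs out; the risk-assessment part then takes that impact as the single loss expectancy (SLE) and multiplies it by an annual rate of occurrence (ARO) to get an annualised loss expectancy (ALE), so the BIA output feeds the risk assessment.

```python
"""Toy BIA + risk-assessment model (added example; all data constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    """A business function in the value chain (hypothetical)."""
    name: str
    hourly_loss: tuple          # ((consequence_category, loss_per_hour), ...)
    depends_on: tuple = ()      # upstream functions this one needs
    buffer_hours: float = 0.0   # stock/slack that keeps it running after an upstream outage


# Constructed value chain, loosely modelled on the car-seat example in the thread:
# seat machining feeds final assembly (48 h of finished seats in stock), which feeds
# dealer delivery (24 h of finished cars in stock). Payroll is an independent
# support function with mostly legal (late-payment) consequences.
FUNCTIONS = {f.name: f for f in (
    Function("seat_machining", (("financial", 2000.0),)),
    Function("final_assembly", (("financial", 50000.0), ("reputational", 1000.0)),
             depends_on=("seat_machining",), buffer_hours=48.0),
    Function("dealer_delivery", (("financial", 10000.0), ("legal", 500.0)),
             depends_on=("final_assembly",), buffer_hours=24.0),
    Function("payroll", (("financial", 500.0), ("legal", 3000.0))),
)}


def outage_start(functions, failed, name, _seen=()):
    """Hour at which `name` stops working, given `failed` is down from hour 0.
    Returns None if `name` is unaffected. Downstream functions stop once their
    buffer is exhausted after the earliest upstream outage."""
    if name == failed:
        return 0.0
    if name in _seen:
        return None  # cycle guard for malformed dependency graphs
    f = functions[name]
    upstream = [outage_start(functions, failed, d, _seen + (name,)) for d in f.depends_on]
    starts = [s for s in upstream if s is not None]
    return min(starts) + f.buffer_hours if starts else None


def bia(functions, failed, horizons=(4, 24, 72, 168)):
    """Business impact analysis: loss per consequence category, per time horizon,
    if `failed` is unavailable for the whole horizon (knock-on outages included)."""
    table = {}
    for h in horizons:
        totals = {}
        for name, f in functions.items():
            start = outage_start(functions, failed, name)
            if start is None or start >= h:
                continue            # unaffected, or buffer outlasts the horizon
            down = h - start        # hours this function is actually down
            for category, per_hour in f.hourly_loss:
                totals[category] = totals.get(category, 0.0) + per_hour * down
        table[h] = totals
    return table


@dataclass(frozen=True)
class Scenario:
    """A threat scenario for the risk assessment (hypothetical)."""
    name: str
    fails: str              # which function the scenario takes down
    annual_rate: float      # ARO: expected occurrences per year
    expected_hours: float   # expected outage length for this scenario


SCENARIOS = (
    Scenario("upholstery_strike", fails="seat_machining", annual_rate=0.25, expected_hours=168.0),
    Scenario("payroll_system_outage", fails="payroll", annual_rate=2.0, expected_hours=24.0),
)


def risk_assessment(functions, scenarios, category="financial"):
    """Quantitative risk: ALE = ARO x SLE, with SLE read from the BIA at the
    scenario's expected outage length. The BIA is the input; risk is the output."""
    result = {}
    for s in scenarios:
        impact = bia(functions, s.fails, horizons=(s.expected_hours,))[s.expected_hours]
        sle = impact.get(category, 0.0)
        result[s.name] = {"SLE": sle, "ARO": s.annual_rate, "ALE": sle * s.annual_rate}
    return result


if __name__ == "__main__":
    for horizon, losses in bia(FUNCTIONS, "seat_machining").items():
        print(f"seat_machining down {horizon:>4} h -> {losses}")
    for name, r in risk_assessment(FUNCTIONS, SCENARIOS).items():
        print(f"{name}: SLE={r['SLE']:.0f} ARO={r['ARO']} ALE={r['ALE']:.0f}")
```

Running it shows why the two activities answer different questions: `bia` knows nothing about how likely a strike or a flood is, it only reports what an outage costs over 4, 24, 72 and 168 hours as the loss propagates down the chain once the 48-hour seat stock and then the 24-hour car stock run out; `risk_assessment` needs that impact figure before it can say anything about risk, which is the point made in the last two replies above.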