First, to understand BIA (CISM Prep Guide, McGraw Hill):
Business Impact Analysis
Business impact analysis (BIA) is the study of business processes in an organization to
understand their relative criticality, their dependencies upon resources, and how they are
affected when interruptions occur. The objective of the BIA is to identify the impact that
different business disruption scenarios will have on ongoing business operations. The
results of the BIA drive subsequent activities—namely, BCP and DRP. The BIA is one of
several steps of critical, detailed analysis that must be carried out before the development
of continuity or recovery plans and procedures.
The question is
"Information security controls should be designed PRIMARILY based on"
Information Security Control Design and Selection
The procedures, mechanisms, systems, and other measures designed to reduce risk
through compliance to policies are known as controls. An organization develops controls
to ensure that its business objectives will be met, risks will be reduced, and errors will be
prevented or corrected.
Controls are created to ensure desired outcomes and to avoid unwanted outcomes.
They are created for several reasons, including the following:
• Regulation A regulation on cybersecurity or privacy may emphasize certain
outcomes, some of which may compel an organization to develop controls.
• Risk assessment A recent risk assessment or targeted risk analysis may indicate
a higher than acceptable risk. The chosen risk treatment may be mitigation in the
form of a new control.
• Audit result The results of a recent audit may indicate a trouble spot warranting
additional attention and care.
Information security controls should be designed primarily based on business risk scenarios because they ensure that an organization's most important assets and processes are protected. A business risk scenario is a hypothetical situation that could potentially cause harm to the organization's assets or operations. By identifying and understanding these scenarios, an organization can prioritize its efforts and resources to mitigate the most significant risks to the business. Additionally, this approach allows the organization to align its security controls with its overall risk management strategy and business objectives.
ISC follows Security Strategy, and security strategy (approved by the security steering committee) follows business objectives, always. Stakeholders do not care about some risks at all if the risk is USD 100,000.00 but the likelihood is 0.001%.
A BIA will show you where you should be putting your efforts.