CIR RAR-BIA Business Impact Analysis Guidelines Related to Cybersecurity Incident Response (CIR)

Written by Moh Heng Goh | Nov 10, 2022 11:48:24 AM

This blog discusses the importance of knowing which information assets within an organisation require protection against cyber security threats. It continues the previous implementation phase, the Risk Analysis and Review (RAR) phase, which covered the types of cyber security threats, the assets they affect, and the techniques cyber criminals use to exploit vulnerabilities within the organization, sabotaging those assets and disrupting the smooth continuity of business functions.

Guidelines are provided on how organizations can plan appropriate response and mitigation strategies through the following processes, so that critical business functions (CBFs) are recovered quickly and efficiently during CIR. The categorisation of business functions and the impact on them of a cyber security incident are discussed further in the Business Impact Analysis phase.

Identification of Critical Business Functions (CBFs)

Critical Business Functions (CBFs) are the business activities an organization must keep in operation to carry out production or provide services during any disruptive incident. Every organization is unique, so each will have its own set of CBFs. If the CBFs become inoperable for longer than a predetermined period of time, the organization is at risk of losing its business because of the significant financial and non-financial impacts it suffers.

The organization's mission determines which of its many functions are critical to keeping the business operating. If a business function is essential to carrying out production or providing a service, it is a CBF.

In the context of a cyber security incident, the BCM team must collaborate with the cyber security team to continue the CBF.

1. Method of Identifying CBFs

Every organization has departments that perform business functions aligned with the organization's business mission and objectives. The number of departments and business functions (Goh, 2008b) depends on the organization's size and nature. Hence, the organization must first identify the business functions of each of its departments.

From the list of business functions, the next question is "what is critical", so that appropriate and sufficient effort and resources are dedicated to recovering those functions during an incident. Each business function is analyzed in the following areas to determine whether it is a CBF:

  • What is the purpose of the business function?
  • How often is the business function performed?
  • Does the downtime of the business function affect the business?
  • What is the severity of the financial and non-financial impact on the organization when the business function is down?
  • Will the stakeholders of the organization be affected?
  • Will the organization’s image/reputation be tarnished?

Financial and non-financial impacts can be retrieved from the Risk Management process.

2. Interdependencies

While identifying CBFs, not all business functions are labelled as critical. Some of the identified CBFs require non-CBFs to be operational (Goh, 2008b) before they can be performed. Consider business functions A and B. B has been labelled a CBF because it is directly involved in the organization's ability to provide products or services to customers. However, for B to function, A has to be operational.

This means that although A was previously a non-CBF, it has escalated into a CBF because A and B are interdependent. This applies both upstream and downstream of the CBFs and non-CBFs.

Therefore, this process initially categorises every business function as critical or non-critical. Then, among the non-CBFs, the organization identifies those related to a CBF and relabels them as CBFs.

Recovery Prioritization

A threat with a high risk value is a higher priority for the organization to mitigate or respond to. This is because the threat occurs too frequently, the organization has many loopholes for the cybercriminal to exploit, or the cyber security attack would cause the organization significant impact. Measures must therefore be developed and implemented to reduce the likelihood or the impact. Prioritizing the risk values also allows the organization to decide which risk treatment strategy to adopt.

At the same time, although all are labelled CBFs, some CBFs are more critical than others. Those with a larger role in providing products or services to customers are higher on the priority list. Since the information assets supporting these CBFs have already been identified, even where the risk value of the cyber security threats against those assets is low, they rank higher in priority because of the importance of recovering the CBF.

More resources can be allocated to developing and implementing security controls against high-priority risks. This does not mean that low-priority risks are neglected: they are secondary, but they still require proper controls.

1. Minimum Business Continuity Objective (MBCO)
Minimum Business Continuity Objective or MBCO is the minimum level of services/products that have to be provided that is acceptable to the organization during an incident, crisis, or disaster. It is subject to change depending on the regulatory requirements and organizational practices.

2. Recovery Time Objective (RTO)
Recovery Time Objective or RTO (as shown pictorially below) refers to the maximum tolerable amount of time allocated to recovering a CBF to its MBCO.

3. Recovery Point Objective (RPO)
Recovery Point Objective or RPO (as shown pictorially below) refers to the point in time to which data must be recovered, for IT infrastructure that relies on data to perform its functions.

Recovery Prioritisation and Timeline
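The Interdependencies and Recovery Prioritization sections above describe a two-step procedure: propagate the CBF label to the functions a CBF depends on, then order recovery so that CBFs and their customer-facing role outrank raw risk value. The following is an added worked example of both steps; it is not code from the author or the book, and all function names, dependencies, RTOs and risk values are constructed sample data. It implements the upstream direction illustrated by the A/B case.

```python
from collections import deque

# Constructed sample data (not from the page). For each business function:
# the upstream functions it needs to operate, how directly it serves customers
# (0 = back office, 3 = delivers the product), its RTO in hours, and the risk
# value the Risk Analysis and Review phase assigned to its information assets.
FUNCTIONS = {
    "order_fulfilment": dict(depends_on={"inventory_db", "payment_gateway"},
                             customer_role=3, rto_hours=4, risk_value=12),
    "payment_gateway": dict(depends_on={"identity_service"},
                            customer_role=2, rto_hours=4, risk_value=20),
    "inventory_db": dict(depends_on=set(), customer_role=1, rto_hours=8, risk_value=6),
    "identity_service": dict(depends_on=set(), customer_role=1, rto_hours=2, risk_value=9),
    "marketing_newsletter": dict(depends_on={"identity_service"},
                                 customer_role=1, rto_hours=72, risk_value=15),
    "hr_payroll": dict(depends_on=set(), customer_role=0, rto_hours=48, risk_value=25),
}
# Functions the BIA labels critical on their own merits (the initial CBFs).
INITIAL_CBFS = {"order_fulfilment"}


def escalate_cbfs(functions, initial_cbfs):
    """Return the final CBF set: the initial CBFs plus every function they
    transitively depend on (B is a CBF, B needs A, so A becomes a CBF).
    The visited set keeps this terminating on cyclic dependency graphs."""
    cbfs = set(initial_cbfs)
    queue = deque(initial_cbfs)
    while queue:
        name = queue.popleft()
        for upstream in functions[name]["depends_on"]:
            if upstream not in cbfs:
                cbfs.add(upstream)
                queue.append(upstream)
    return cbfs


def recovery_priority(functions, cbfs):
    """Order functions for recovery: CBFs before non-CBFs, then the larger
    role in serving customers, then the shortest RTO, and only then the raw
    risk value. A CBF whose assets carry a low risk value (inventory_db, 6)
    therefore still outranks a high-risk non-CBF (hr_payroll, 25)."""
    def key(name):
        p = functions[name]
        return (name not in cbfs, -p["customer_role"], p["rto_hours"], -p["risk_value"])
    return sorted(functions, key=key)


if __name__ == "__main__":
    final_cbfs = escalate_cbfs(FUNCTIONS, INITIAL_CBFS)
    for rank, name in enumerate(recovery_priority(FUNCTIONS, final_cbfs), 1):
        print(rank, name, "CBF" if name in final_cbfs else "non-CBF")
```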

Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 6, Risk Analysis and Review and Business Impact Analysis, Section 6.7 Identification of Critical Business Functions (CBFs)

Note: This version is the draft 2nd Edition, being updated by 2023. The number in square brackets [X.X] cross-refers to the actual chapter and section in the 1st Edition.