Complete a business impact assessment
A business impact assessment or business impact analysis (BIA) exercise can help you identify and prioritise critical systems, which can be used for your CAF for local government assessment.
Business impact assessments (BIAs) are conducted to support processes such as disaster recovery, business continuity planning, risk assessment and mitigation planning.
Using a business impact assessment
You can use a BIA to evaluate potential consequences of cyber incidents or other disruptions on your business operations.
By conducting a comprehensive and appropriately scoped BIA, your council can identify and prioritise critical business functions and dependencies.
We recommend completing a business impact assessment or an equivalent exercise, or using a previously completed and approved BIA, when setting your scope. This will help you identify and prioritise:
- essential services
- critical systems
- the impact of any disruptions to your essential services
- how you can mitigate these risks to ensure continuity
A BIA also helps your assurer to interpret risks within your council and to judge which recommendations could be most effective.
How you might approach a business impact assessment
A BIA is not a trivial exercise. It needs to be planned and undertaken by suitably skilled personnel, following an established process to get the desired output and benefits.
First, check if your council has completed a BIA, or an equivalent exercise, that covers your services or systems. Use this as a starting point.
If your council does not have a previous BIA, the following steps give a top-level view of how you could approach one. They are based on the approach in ISO/TS 22317 – Guidelines for business impact analysis (fee applies to download).
A business impact assessment should be a collaborative activity, with input from stakeholders across the organisation. This includes service leads, system owners, IT and cyber security teams and other relevant roles.
Document your organisational context
This includes your organisation’s mission, threat landscape and risk appetite.
Document your key services and systems
These are the services and systems that support your organisation’s mission. These should cover the scope intended for CAF assurance.
Consider the potential impact to these services
Discuss how your council could be impacted if there is a disruption to the service. With service stakeholders, identify a maximum tolerable downtime (MTD) threshold based on the type of impact.
Document the thresholds for each service
Identify the maximum tolerable downtime (MTD), recovery time objective (RTO) and recovery point objective (RPO) for each service. Prioritise the services based on their MTD; this ranking can then support service and system prioritisation.
Document contingency, disaster recovery and business continuity plans
Include details of stakeholders and any plans you have in place in the event of a disruption to the service. Document any testing that has taken place.
Identify your critical systems