Business Impact Analysis

Business Impact Analysis (BIA) is the process of determining the effect of disruptions on business functions to prioritize recovery. CISM uses the BIA to derive recovery objectives such as RTO and RPO.

All CISM Terms

Information Security Governance

Information Security Governance is the system of leadership, structure, and processes that ensures security supports and extends the organization's strategy and objectives.

Security Strategy

Security Strategy is the long-term plan that defines how information security will achieve the organization's desired state and support its objectives.

Risk Appetite

Risk Appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives.

Risk Management

Risk Management is the coordinated process of identifying, assessing, responding to, and monitoring information risk.

Residual Risk

Residual Risk is the risk that remains after controls and other responses have been applied.

Business Impact Analysis

Business Impact Analysis (BIA) is the process of determining the effect of disruptions on business functions to prioritize recovery.

RTO and RPO

RTO and RPO are the two core recovery objectives: Recovery Time Objective is the target time within which a process must be restored after disruption, and Recovery Point Objective is the maximum tolerable data loss measured in time.

KRI

A Key Risk Indicator (KRI) is a metric that provides an early signal of increasing risk exposure.

Security Metrics

Security Metrics are measurements used to gauge the effectiveness and value of the security program.

Security Program

A Security Program is the coordinated set of activities, resources, and controls that executes the security strategy.

Security Controls

Security Controls are the administrative, technical, and physical safeguards used to reduce risk to an acceptable level.

Defense in Depth

Defense in Depth is the practice of layering multiple independent controls so the failure of one does not expose the asset.

Incident Management

Incident Management is the structured process of preparing for, detecting, responding to, and recovering from security incidents.

Incident Response Plan

An Incident Response Plan is the documented set of procedures and responsibilities for handling a security incident.

Third-Party Risk

Third-Party Risk is the risk introduced by vendors, suppliers, and other external service providers.