Business Impact Assessment (BIA) Checklist

Tags: SOC 2, ISO 27001, Business Continuity

Use this checklist to document the potential consequences of outages or compromises to your critical systems and processes. For each system/application, identify its business role, criticality, impacts, and tolerance for disruption. This document can serve as audit evidence for SOC 2, ISO 27001, or other frameworks.

Section 1: BIA Overview

  • Define the scope (infrastructure, core services, supporting business applications).
  • Document the methodology (qualitative ratings, impact categories, tolerance levels).
  • Identify review frequency (e.g., annually, or after significant changes).
  • Assign ownership (executive or security lead responsible for maintenance).

Section 2: System-Level BIA Template

The table below is an example; add a row for each of your systems, tools, and applications.

| System / Application | Business Function Supported | Criticality (High / Medium / Low) | Impact if Unavailable | Business Consequences | Tolerance for Disruption |
|---|---|---|---|---|---|
| [Example: Customer Database] | Stores customer & application data | High | Customers cannot log in; data unavailable | Lost revenue, SLA breaches, compliance reporting | Low - must be restored quickly |
| [Example: Email / Collaboration Suite] | Internal & external communication | High | No ability to send/receive email; docs inaccessible | Business communication halted; delayed customer response | Moderate - can use manual fallback temporarily |
| [Example: CRM] | Manages customer pipeline & relationships | Medium | Sales team blocked from tracking leads | Missed opportunities; delayed revenue | Moderate - tolerated briefly |
| [Example: Video Conferencing] | Internal & external meetings | Low | Meetings must be rescheduled | Minor delays, no direct financial impact | High - disruption acceptable short-term |

Section 3: Impact Categories

For each system, consider impacts in these categories:

  • Operational Impact (How does this affect day-to-day business?)
  • Financial Impact (Lost revenue, penalties, delayed invoicing?)
  • Compliance Impact (Regulatory or contractual obligations?)
  • Reputational Impact (Customer trust, brand damage?)

Section 4: Tolerance for Disruption

Define acceptable downtime in qualitative terms (rather than RTO/RPO figures, unless you actively measure them):

  • Low Tolerance - disruption has immediate, severe impact (e.g., production database, payment systems).
  • Moderate Tolerance - disruption acceptable for short periods (e.g., Jira, CRM).
  • High Tolerance - disruption acceptable for longer periods without major impact (e.g., marketing dashboards).

Section 5: Management Sign-Off

Reviewed by: ________________________

Date of Review: _____________________

Next Review Date: ___________________

Executive Approval: _________________