Certified Information Security Manager (CISM) — Question 1056
Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?
Answer options
- A. To define security roles and responsibilities
- B. To determine the criticality of information assets
- C. To establish incident severity levels
- D. To determine return on investment (ROI)
Correct answer: B
Explanation
The correct answer is B because the primary function of a BIA is to assess the importance of information assets to the business. Options A, C, and D, while relevant to security and business operations, do not address the focus of a BIA, which is understanding how critical each asset is.