Certified Information Security Manager (CISM) — Question 821

Which of the following is the FIRST step in developing a business impact analysis (BIA)?

Answer options

• A. Identifying interdependencies among critical functions within the business
• B. Determining the minimum resources needed for recovery
• C. Identifying which business functions are critical to the organization
• D. Determining the required recovery time objective (RTO) of business operations

Correct answer: C

Explanation

The correct answer is C, as identifying critical business functions is essential before any other steps can be taken in a BIA. Knowing which functions are vital helps in assessing interdependencies, resource needs, and recovery time objectives, which are all dependent on that foundational understanding.