Threat Assessment, BIA & Business Continuity Standards
Key Takeaways
- CPP threat assessment uses an all-hazards approach, evaluating type, likelihood, and consequence together rather than planning hazard-by-hazard.
- CBRNE threats — chemical, biological, radiological, nuclear, and explosive — are low-frequency, high-consequence events requiring specialized detection and response capability.
- RTO (Recovery Time Objective) sets the maximum acceptable downtime for a process, while RPO (Recovery Point Objective) sets the maximum acceptable data loss measured in time.
- A recovery plan is only viable when the RTO is less than or equal to the MTD/MAO, the absolute outer limit before disruption causes irreversible organizational harm.
- ASIS ORM.1 (2017), ISO 22301:2019, and NFPA 1600 (2019 edition) are the three benchmark standards for organizational resilience and business continuity referenced in the CPP body of knowledge.
Threats, Business Impact Analysis & Continuity Standards
Domain 7 of the CPP Body of Knowledge asks security managers to protect the enterprise when normal operations break down. The starting point is disciplined threat identification: sorting potential events by type, estimating their likelihood, and quantifying their consequences. This threat/likelihood/consequence triad drives every downstream decision in crisis management — which risks get a written plan, how much budget mitigation receives, and how aggressively recovery time targets are set.
Classifying Threats: The All-Hazards Approach
CPP candidates are expected to apply an all-hazards approach rather than build a separate program for every conceivable event. All-hazards planning develops core capabilities — command structure, communications, resource management, continuity — that apply regardless of the specific trigger, then layers hazard-specific annexes on top only where a threat genuinely requires unique procedures.
| Threat category | Representative examples | Planning implication |
|---|---|---|
| Natural | Hurricane, earthquake, flood, pandemic | Often has warning lead time; geographic clustering |
| Human-caused, intentional | Terrorism, workplace violence, sabotage, cyberattack | Requires threat/vulnerability assessment; adversarial and adaptive |
| Human-caused, unintentional | Industrial accident, fire, human error | Root-cause analysis and procedural controls |
| Technological | IT/system failure, utility outage, supply-chain disruption | Dependency mapping is essential |
A subset of intentional threats gets its own designation on the exam: CBRNE — Chemical, Biological, Radiological, Nuclear, and Explosive events. These are low-frequency but high-consequence hazards that demand specialized detection equipment, personal protective equipment, decontamination procedures, and coordination with hazmat and public-health authorities. Because CBRNE events can be catastrophic and simultaneously degrade the responders' own capability to respond, they receive disproportionate planning attention relative to their statistical likelihood.
Once threats are classified by type, security managers commonly plot them on a risk matrix that combines likelihood (rare to near-certain) against consequence (negligible to catastrophic), producing a heat map that visually prioritizes the highest-likelihood, highest-consequence threats for immediate mitigation investment. This same likelihood-times-consequence logic underlies the cost-benefit calculation used to select a risk-treatment strategy in the next step of the assessment.
Cost-Benefit Analysis and Mitigation Strategies
Once threats are ranked, the security manager applies the same risk-treatment menu used elsewhere in the BoK: avoid, accept/assume, transfer (e.g., insurance), spread, or mitigate. The choice is driven by cost-benefit analysis — comparing the cost of a mitigation measure against the expected loss it prevents (probability multiplied by consequence), while accounting for the residual risk that remains after treatment. Common mitigation techniques include technology (detection, redundancy, hardening), personnel (training, staffing depth), process (redundant procedures, cross-training), and facility design (structural resilience, backup utilities).
Business Impact Analysis (BIA)
The Business Impact Analysis is the formal process that determines which business functions are critical, how quickly they must be restored, and what resources recovery requires. A BIA is typically built through structured interviews, workshops, or questionnaires with process owners, then validated against dependency mapping, since a function cannot recover faster than the systems, suppliers, and staff it depends on.
The BIA produces a small set of standardized recovery metrics that every CPP candidate must be able to distinguish:
| Metric | Definition |
|---|---|
| RTO (Recovery Time Objective) | The maximum acceptable time a process or system may remain down before the interruption causes unacceptable consequences |
| RPO (Recovery Point Objective) | The maximum acceptable amount of data loss, measured in time — how far back the last usable backup or checkpoint must reach |
| MTD / MAO (Maximum Tolerable Downtime / Maximum Acceptable Outage) | The absolute outer limit a function can be unavailable before the organization suffers severe or irreversible harm; the two terms are used largely interchangeably in practice |
The relationship between these terms matters more than the definitions in isolation: a recovery plan is only viable if the RTO is less than or equal to the MTD/MAO. If a process cannot realistically be restored within its maximum tolerable downtime, the organization must invest in faster recovery capability or accept the consequence of exceeding it.
The BIA also ranks functions by criticality, distinguishing processes that must resume within hours from lower-priority functions that can remain suspended for days. That ranking — not an arbitrary standard set during the event itself — is what should drive both mitigation investment before a crisis and recovery sequencing after one.
Business Continuity Standards
Three standards anchor Domain 7 and appear repeatedly on the exam:
- ASIS ORM.1 (Security and Resilience in Organizations and Their Supply Chains — Requirements with Guidance, 2017) replaced the legacy SPC.1 and BCM.1 standards with a single, risk-based organizational resilience management system (ORMS). It takes a country-neutral, holistic view spanning prevention, protection, preparedness, mitigation, response, continuity, and recovery, with explicit attention to supply-chain risk.
- ISO 22301:2019 is the international, certifiable standard for a Business Continuity Management System (BCMS). It follows the Plan-Do-Check-Act model, and its core requirements (clauses 4-10) mandate a documented BIA and risk assessment, business continuity strategies and plans, and regular exercising and management review.
- NFPA 1600 (2019 edition) is the Standard on Continuity, Emergency, and Crisis Management — adopted by the U.S. Department of Homeland Security as a voluntary consensus standard and recognized by the 9/11 Commission as the National Preparedness Standard. The 2019 edition reorganized around the Plan-Do-Check-Act cycle and added a new requirement that organizations establish and maintain crisis management capability, not just emergency response and continuity.
For the exam, remember the distinguishing feature of each: ORM.1 is ASIS's own resilience/supply-chain standard; ISO 22301 is the internationally certifiable BCMS; NFPA 1600 is the U.S. all-hazards national preparedness benchmark.
A company's disaster recovery plan specifies that backup data can be restored to a point no older than four hours prior to an outage. Which Business Impact Analysis metric does this describe?
Which ASIS standard replaced the legacy SPC.1 and BCM.1 standards with a single, risk-based organizational resilience management system?