According to CISSP For Dummies [3], the goal of a Business Impact Analysis (BIA) is to determine the resource priorities for recovery and the Maximum Tolerable Downtime (MTD) for each business process and function. This means that the BIA should identify the criticality and dependencies of each business process and function, and the maximum amount of time that each can be disrupted without causing unacceptable consequences to the organization. The BIA should also determine the recovery point objectives (RPOs) and recovery time objectives (RTOs) for each business process and function, which are the acceptable levels of data loss and downtime, respectively. The BIA should not focus on the cost-effectiveness of business recovery or on installing software security patches, as these are not the primary objectives of the BIA. The BIA should also not determine which security measures should be implemented, as this is the role of the risk assessment and risk management processes.

References: 3