I am starting the process for business continuity planning (BCP) and disaster recovery planning (DRP). I wanted to know whether we can calculate the BIA (business impact analysis) without conducting a quantitative risk assessment for our critical assets. If so, how, and what will be the credibility of that BIA?
Actually, when I started the information security process in our organization, we did not conduct a quantitative risk analysis; instead, we listed the critical assets and made a list of any possible threats to these assets. Once we identified those threats, we selected the appropriate controls to reduce risks. Now, when designing the BCP and DRP, I am thinking about how to conduct the BIA. I mean, is it possible to find out the business impact without finding any monetary value?
Moreover, who else will be involved in the BIA process? Management, IT and the Information Security Manager? Or anyone else as well?
Can anyone help me, especially someone who has designed a BCP and DRP? Moreover, if the quantitative risk analysis is necessary, then how will I calculate it? I mean, I know the cost of the server machine, but I cannot say for sure what the cost will be of setting up the server in working condition, i.e. installing the necessary software, configurations, etc. Will it be an estimated value that will be used for configuration and software installations?