The correct answer is C. Involving process owners from various departments.
A business impact analysis is a business-driven activity, not only an IT exercise. The purpose of a BIA is to evaluate the impact of losing business processes, information assets, resources, and supporting systems. Process owners from different departments are best positioned to explain business criticality, operational dependencies, financial impact, legal/regulatory impact, customer impact, reputational impact, and minimum recovery requirements.
ISACA defines BIA as the process of evaluating the criticality and sensitivity of information assets by determining the impact of losing support of any resource. It also establishes loss escalation over time, identifies minimum resources needed to recover, and prioritizes recovery of processes and supporting systems. ISACA also notes that BIA captures income loss, unexpected expense, legal issues, interdependent processes, and loss of public confidence.
Option A is incorrect because BIA should not focus only on technological risks. It must consider business impacts from many types of disruptions, including people, facilities, suppliers, applications, infrastructure, data, and external events.
Option B is incorrect because RTOs should not simply be “set by IT management.” Recovery objectives must be driven by business needs and validated with business/process owners. ISACA’s contingency planning guidance states that the BIA helps prioritize recovery activities and define metrics such as MTD, RTO, and RPO.
Option D is too narrow. Hardware may be important, but BIA is broader than identifying critical hardware; it identifies business process impacts, dependencies, recovery priorities, and minimum recovery resources.
[References: ISACA CISA Exam Content Outline, Domain 4; ISACA Interactive Glossary, “Business impact analysis”; ISACA Journal, Information System Contingency Planning Guidance., ===================, ]