Governance

GOV006

Applying Business Impact Levels

Assign Business Impact Levels (BILs) to your organisation’s security risks as part of your risk assessment process. BILs are used to consistently assess the likely impacts of security breaches.

Assigning BILs helps you to design and implement security measures that are in line with your risks.

The BIL scale ranges from 1 (low) to 6 (catastrophic) impacts. The higher the impact, the stronger your security measures must be. 

BILs give a consistent and structured approach to categorising security risks and impacts across government. This consistency makes information sharing between organisations more secure and provides a common understanding of the consequences of breached security.

Use BILs for every risk your agency faces

When you apply a BIL to a risk, you are assessing the likely impact of a security breach – the level of harm, loss, or compromise that would result. You need to work out BILs for your people, information, and assets.

Make sure the BILs you assign reflect the true implications of your security risks, so they can be managed well. 

You should be able to articulate the impact resulting from the compromise of confidentiality, loss of integrity, or unavailability of assets you hold or generate.

New Zealand Government Business Impact Levels (BILS) of Protective Security Risks gives you a framework for assessing the BILs for information, ICT systems, and assets.

Remember to consider what the impact would be if the security of your aggregated information (collections of information) was breached.

You should also consider when impact levels might change and note that in your BILs. For example, an asset's importance might change when a project finishes.

Collaborating with other organisations or partners about BILs

BILs can vary greatly between agencies based on their functions and size. Similar assets can have very different impact levels in one agency compared with another. Make sure you understand any differences in BILs between organisations you collaborate or co-locate with, so you can negotiate about the security measures that need to be in place to reduce risks for all parties.

The relationship between BILs and classification levels

At times, there may be a relationship between security classifications for official information and BILs. The security classifications directly match the BILs when considering the confidentiality of individual documents or files. However, this does not necessarily apply to collections of assets. For example, within a collection of assets with an aggregated business impact level of 4 – Very high, each individual item might not be marked as CONFIDENTIAL.

The protective marking, or confidentiality, of an asset isn’t the only factor to consider when you work out a BIL. You need to consider all factors affecting the security of an asset before you apply a BIL. Your BIL assessment also needs to take integrity and availability into account.

Likely relationship between protective markings and BILs

Document marking                    BIL
Unclassified (may not be marked)    1 Low
IN CONFIDENCE                       2 Medium
SENSITIVE or RESTRICTED             3 High
CONFIDENTIAL                        4 Very high
SECRET                              5 Extreme
TOP SECRET                          6 Catastrophic

 

Page last modified: 20/06/2022
