Information gathering is critical to accurately assess a company’s risks.
Although it is not necessary to use all four methods to gather information, it is necessary to figure out which methods will be most beneficial to the assessment. Four methods of information gathering include:
Questionnaires: Standardized questionnaires can discover data from specific groups or individuals. They help limit input and feedback to areas that will be most useful.
Interviews: Interviews can yield more information as opposed to the other methods. Interviews with subject matter experts can be extremely helpful in revealing needed information. It is also particularly helpful when subject matter experts cannot participate on the BC/DR team but whose input is still vital.
Document Reviews: Reviewing corporate and organizational documents can help identify threats, threat sources, and vulnerabilities. They can also be beneficial for understanding the company’s current critical processes/functions in an effort to properly prioritize later in the process.
Research: Research can be collected internally and externally. It can be extremely helpful and is often necessary to round out collected data.
The four listed methods should return the data needed to use as input to a company’s assessment.
However, it is necessary to choose the method(s) that will be most beneficial as too much data can off put useless or off-target results.