03 Business Impact Levels

Applying Business Impact Levels

When assessing security risks, assign Business Impact Levels (BILs) to your organisation. BILs are used to evaluate the potential consequences of security breaches.

By assigning BILs, you can develop and implement security measures that are appropriate for the risks.

The BIL scale ranges from 1 (low) to 6 (catastrophic). The higher the impact, the stronger the security measures must be.

BILs give a structured and consistent approach to categorising security risks and impacts across government, allowing for secure information sharing between organisations and providing a unified understanding of the impacts of breaches.

Use BILs for Every Risk You Face

When applying a BIL to a risk, you are evaluating the potential consequences of a security breach, such as the level of harm, loss, or compromise that could occur.

At Knighthood, we ensure the BILs we assign accurately reflect the implications of your security risks, so they can be managed effectively.

We articulate the impact of a breach of confidentiality, loss of integrity, or unavailability of assets that you possess or generate.

We also take into account what the impact would be if the security of any collections of information you maintain were compromised.

Additionally, we note when impact levels may change, such as when an asset's importance shifts after a project's completion.

Collaborating within Customer Departments and Partners about BILs

BILs can vary greatly depending on the function and size of different customer premises. Even similar assets can have very different impact levels in one location compared to another. We make sure that you understand any differences in BILs between locations we collaborate or co-locate with, so that you can understand the security measures that need to be in place to reduce risks for all parties.

The relationship between BILs and classification levels

At times, there may be a relationship between security classifications for official information and Business Impact Levels (BILs). The security classifications directly correspond to the BILs when considering the confidentiality of individual documents or files. However, this does not necessarily apply to collections of assets. For example, within a collection of assets with an aggregated BIL of 4 – Very High, each individual item may not be marked as CONFIDENTIAL.

Nevertheless, the confidentiality of an asset isn’t the only factor to consider when determining a BIL. All factors affecting an asset’s security will be taken into account, so BILs also consider the integrity and availability of the asset.

Document marking                     BIL
Unclassified (may not be marked)     1 Low
IN CONFIDENCE                        2 Medium
SENSITIVE or RESTRICTED              3 High
CONFIDENTIAL                         4 Very high
SECRET                               5 Extreme
TOP SECRET                           6 Catastrophic