Business Impact Levels - Protective Security Policy Framework


Protective security governance guidelines

Business impact levels

Approved November 2014

Amended April 2015

Version 2.1

© Commonwealth of Australia 2013

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence (www.creativecommons.org/licenses).

For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 3.0 AU licence (www.creativecommons.org/licenses).

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour website (www.itsanhonour.gov.au).

Contact us

Enquiries regarding the licence and any use of this document are welcome at:

Commercial and Administrative Law Branch

Attorney-General’s Department

3–5 National Cct

BARTON ACT 2600

Call: 02 6141 6666

Email: copyright@ag.gov.au

Document details

Security classification: Unclassified

Dissemination limiting marking: Publicly available

Date of security classification review: Not applicable

Authority: Protective Security Policy Committee

Author: Attorney-General’s Department

Document status: Version 2.0 – approved 1 November 2014. Replaces Version 1.1, approved 21 June 2011, amended October 2013. Amended April 2015.

Contents

1. Introduction

1.1 Purpose

1.2 Audience

1.3 Scope

1.3.1 Use of specific terms in these guidelines

2. Background

2.1 Why the guidelines were developed

2.2 Relationship to other documents

2.3 How the guidelines are structured

3. Using business impact levels

3.1 Impacts to confidentiality and security classifications

3.2 Terminology

3.3 Benefit to agency collaboration

3.4 Relationship to security risk management

Annex A: Australian Government business impact levels guidance

Amendments

No. 1 – April 2015 – Location: Throughout – Amendment: Update PSPF hyperlinks

1. Introduction

1.1 Purpose

1. The Australian Government protective security governance guidelines—Business impact levels provide guidance to agencies so they can apply a consistent approach to assessing business impact from an Australian Government perspective. The guidelines give clear, understandable definitions of business impact and examples of the types of impacts to the Australian Government.

1.2 Audience

2. These guidelines are aimed at those within the Australian Government who are responsible for defining the business impact levels (BILs) for government assets, including information and ICT systems.

1.3 Scope

3. These guidelines relate to protective security within the Australian Government.

1.3.1 Use of specific terms in these guidelines

4. In these guidelines the terms:

‘should’ – refers to better practice; agencies are expected to apply better practice unless there is a reason based on their risk assessment to apply alternative controls.

‘National interest’ – a matter which has or could have impact on Australia, including:

— national security

— international relations

— law and governance, including:

  • inter-state/territory relations

  • law enforcement operations where compromise could hamper or prevent national crime prevention strategies or investigations, or endanger personal safety

— economic wellbeing

— heritage or culture.

5. For details on policy exceptions see the Australian Government information security management protocol.

2. Background

2.1 Why the guidelines were developed

6. Without a broadly consistent impact assessment tool, agencies cannot effectively share the implications of a particular information risk with their business partners. With such a tool it becomes possible to communicate in a manner that allows the collaborative management of information risks.

7. Furthermore, automating the processes for managing risk is not straightforward if impact is not commonly understood.

8. Collaborating agencies need more clarity over the controls that apply in their relationships.

9. With the increased significance of collaboration it is becoming more important to be able to share the implications of a risk, in terms of its potential business impact, in a manner that is generally understood. There is currently no commonly agreed method for communicating, with enough detail, the impact of information risk on agencies.

10. The Australian Government needs reasonably consistent and scalable BILs that can be associated with assets of different sensitivity, with suitable asset controls, and with trust levels.

2.2 Relationship to other documents

11. The Attorney-General’s Department issues the guidelines in support of mandatory requirements and protocols named in the Protective Security Policy Framework (PSPF). All publicly available PSPF documents are listed in the PSPF Document Map.

2.3 How the guidelines are structured

12. These guidelines explain the purpose of BILs and describe their use. They include Annex A: Australian Government business impact levels guidance.

3. Using business impact levels

13. The table at Annex A provides a framework that allows agencies to assess the BILs for compromises to the confidentiality, integrity or availability of individual or aggregated information, ICT systems and assets.

14. The BIL scale ranges from 1 (Low-medium) impact to 5 (Catastrophic) impact.

15. The business impacts of a loss of confidentiality, integrity and availability should be assessed separately for any given asset or aggregation of assets.

16. The highest impact from the compromise of confidentiality, integrity or availability should be the BIL assigned to a resource or aggregation of resources.

3.1 Impacts to confidentiality and security classifications

17. Where a security classification is applied to an asset there is an indicative correlation that should be considered when classifying or categorising. The security classifications of PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET directly match business impact levels 2, 3, 4 and 5 respectively for the confidentiality of individual documents or files.

18. It does not follow that an aggregation of assets with a business impact level of 4 for confidentiality will have its individual items marked SECRET. The Australian Government information security management guidelines—Management of aggregated information provides further guidance on managing data aggregation.

19. While the protective markings of PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET relate to confidentiality, there is no equivalent set of protective markings for integrity or availability.
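The rules in paragraphs 15 to 19 are easy to misapply in an asset register: the three impacts must be assessed separately, only the highest one becomes the asset's BIL, only the confidentiality BIL maps to a marking, and the mapping is for individual documents or files rather than aggregations. The following Python is an added illustration of those rules; it is not part of the guidelines or of any PSPF tooling, and the class name, the `aggregation` flag and the sample assets are the editor's own constructions.

```python
"""Model the BIL assessment rules of sections 3 and 3.1 for a single asset.

Added illustration; not part of the PSPF guidelines. The class and function
names are the editor's own choices, not PSPF terminology.
"""
from dataclasses import dataclass
from typing import Optional

# BIL scale, paragraph 14 and Annex A.
BIL_NAMES = {1: "Low-medium", 2: "High", 3: "Very High", 4: "Extreme", 5: "Catastrophic"}

# Paragraph 17: indicative correlation between the confidentiality BIL of an
# individual document or file and its security classification. BIL 1 has no
# entry because the guidelines give no classification for it.
CLASSIFICATION_FOR_CONFIDENTIALITY_BIL = {
    2: "PROTECTED",
    3: "CONFIDENTIAL",
    4: "SECRET",
    5: "TOP SECRET",
}


@dataclass(frozen=True)
class BilAssessment:
    """Separate BILs for loss of confidentiality, integrity and availability (paragraph 15)."""

    confidentiality: int
    integrity: int
    availability: int
    # True when the thing assessed is an aggregation of assets rather than a
    # single document or file (paragraph 18). Editor's flag, not PSPF terminology.
    aggregation: bool = False

    def __post_init__(self) -> None:
        for attribute in ("confidentiality", "integrity", "availability"):
            level = getattr(self, attribute)
            if level not in BIL_NAMES:
                raise ValueError(f"{attribute} BIL must be 1..5, got {level!r}")

    @property
    def overall(self) -> int:
        """Paragraph 16: the asset's BIL is the highest of the three impacts."""
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def overall_name(self) -> str:
        return BIL_NAMES[self.overall]

    def indicative_classification(self) -> Optional[str]:
        """Indicative protective marking, or None where the guidelines give none.

        Only the confidentiality BIL maps to a marking (paragraph 19); a high
        integrity or availability BIL never produces one. For an aggregation the
        correlation is not applied to the individual items (paragraph 18), so no
        marking is derived here.
        """
        if self.aggregation:
            return None
        return CLASSIFICATION_FOR_CONFIDENTIALITY_BIL.get(self.confidentiality)


def summarise(name: str, assessment: BilAssessment) -> str:
    """One-line summary in a constructed asset-register format."""
    marking = assessment.indicative_classification() or "no indicative marking"
    return (
        f"{name}: C={assessment.confidentiality} I={assessment.integrity} "
        f"A={assessment.availability} -> BIL {assessment.overall} "
        f"({assessment.overall_name}); {marking}"
    )


if __name__ == "__main__":
    # Constructed sample assets, not taken from the guidelines.
    payroll_db = BilAssessment(confidentiality=2, integrity=4, availability=3)
    print(summarise("payroll database", payroll_db))
    # BIL 4 (Extreme) is driven by integrity, so the indicative marking stays
    # PROTECTED: integrity and availability carry no protective markings.

    case_files = BilAssessment(confidentiality=4, integrity=2, availability=2, aggregation=True)
    print(summarise("aggregated case files", case_files))
    # The aggregation is BIL 4 for confidentiality, but that does not mark each
    # individual file SECRET; the items are assessed on their own.
```

The point of the `aggregation` flag is the failure mode paragraph 18 warns about: a register that derives a marking from the aggregate's confidentiality BIL will over-mark every item in it. Run the file directly to see the two constructed cases.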

3.2 Terminology

20. Many BIL examples come with a descriptive adjective, for example ‘minor’ or ‘major’. These simply portray the level of importance of the impact in a particular government business environment.

21. Some relative terms used within the table are not precisely defined; their meaning depends on the business function in question. For example, ‘medium term’ in one case may mean two to five days, but in another case may mean up to three years. Agencies should interpret these terms in the context of their operational requirements.

3.3 Benefit to agency collaboration

22. BILs will vary greatly between agencies, based on their functions and size.

23. One important difference to understand with BILs is that they do not measure the size of the risk event; a given information risk would not necessarily have the same business impact on each party in a collaboration. The ability to clearly communicate the potential impact on both parties facilitates proper negotiation between them over the risk controls or mitigation measures that should be employed.

24. Similarly, the financial implications of an event will not always be the same for each agency. Losing $10,000 would have a very different effect on a small agency than it would on a large department. It is important to ensure the BIL used tells the true implications of a risk event for each agency.

3.4 Relationship to security risk management

25. The successful exploitation of a vulnerability by a threat source will have an impact on an asset’s availability, confidentiality or integrity.

26. These BILs provide agencies with a common understanding of the resulting consequences for the National interest, organisations and individuals, to aid them in performing effective risk assessments and analysis.

27. Agencies should consider all threat sources and potential consequences on an asset before determining the overall business impact from the asset’s compromise or loss. For example, the impact on national security from harm to an individual may be negligible while the impact on the individual may be extreme. Conversely, minor harm to a key officer involved in a critical operation may have a high impact.

Annex A: Australian Government business impact levels guidance

The examples given below are indicative to assist agencies in developing their own business impact level guides.

1 (Low-medium)

Could be expected to cause limited damage to the National interest, organisations or individuals by:

Impacts on National Security

• causing limited damage to national security

Impacts on Agency Operations

—Operational capacity

• causing a significant degradation in organisational capability to an extent and duration that, while the agency can perform its primary functions, the effectiveness of the functions is noticeably reduced

—Agency Assets

• resulting in damage to agency assets

—Agency Finances

• resulting in moderate financial loss to an agency

Australian Financial and Economic Impacts

• undermining the financial viability of one or more individuals, minor Australia-based or Australian-owned organisations or companies, or disadvantaging a major Australian organisation or company

• resulting in loss to Australian Government / public sector of $10 to $100 million

• causing limited damage to international trade or commerce, with the potential to reduce economic growth in Australia

Impacts on Government Policies

• impeding the development of government policies

• resulting in minor loss of confidence in government

• causing embarrassment to diplomatic relations

Impacts on Personal Safety

• limited harm to individuals – could cause harm to individuals including injuries that are not serious or life threatening

Impacts on Crime Prevention

• hindering the detection, impeding the investigation, or facilitating the commission of low-level crime, or hindering the detection of a serious offence, i.e. an offence resulting in 2 or more years imprisonment

Impacts on Defence Operations

• causing limited damage to the non-operational effectiveness or security of Australian or allied forces without causing risk to life

2 (High)

Could be expected to cause damage to the National interest, organisations or individuals by:

Impacts on National Security

• causing minor damage to national security

Impacts on Agency Operations

—Operational capacity

• causing a severe degradation in, or loss of, organisational capability to an extent and duration that the agency cannot perform one or more of its primary functions

—Agency Assets

• resulting in major harm to agency assets

—Agency Finances

• resulting in substantial financial loss to an agency

Australian Financial and Economic Impacts

• undermining the financial viability of, or causing substantial financial damage to, a major Australia-based or Australian-owned organisation or company, or disadvantaging a number of major Australian organisations or companies

• resulting in short-term material damage to national finances or economic interests to an estimated total of $100 million to $10 billion

• causing material damage to international trade or commerce, with the potential to directly and noticeably reduce economic growth in Australia

Impacts on Government Policies

• seriously impeding the development or operation of major government policies

• disadvantaging Australia in international negotiations or strategy

• resulting in a major loss of confidence in government

• causing short term damage or disruption to diplomatic relations

Impacts on Personal Safety

• endangering individuals – the compromise of information could lead to serious harm or potentially life threatening injury to an individual

Impacts on Crime Prevention

• impeding the investigation of, or facilitating the commission of, a serious offence, i.e. an offence resulting in 2 or more years imprisonment

Impacts on Defence Operations

• causing damage to the non-operational effectiveness or security of Australian or allied forces, causing re-supply problems that could result in risk to life

Impacts on National Infrastructure

• damaging or disrupting significant State or Territory infrastructure

3 (Very High)

Could be expected to cause significant damage to the National interest, organisations or individuals by:

Impacts on National Security

• causing damage to national security

Impacts on Agency Operations

—Operational capacity

• causing a severe degradation in, or loss of, organisational capability to an extent and duration that the agency cannot perform one or more of its functions for an extended time

Australian Financial and Economic Impacts

• undermining the financial viability of, or causing substantial financial damage to, a number of major Australia-based or Australian-owned organisations or companies

• causing long-term damage to the Australian economy to an estimated total of $10 to $20 billion

• causing major, short-term damage to global trade or commerce, leading to short term recession or hyperinflation in Australia

Impacts on Government Policies

• significantly disadvantaging Australia in international negotiations or strategy

• temporarily damaging the internal stability of Australia or friendly countries

• causing significant damage or disruption to diplomatic relations, including resulting in formal protest or retaliatory action

Impacts on Personal Safety

• endangering small groups of individuals – the compromise of information could lead to serious harm or potentially life threatening injuries to a small group of individuals

Impacts on Intelligence Operations

• causing damage to Australian or allied intelligence capability

Impacts on Crime Prevention

• causing major, long-term impairment to the ability to investigate serious offences, i.e. offences resulting in 2 or more years imprisonment

Impacts on Defence Operations

• causing damage to the operational effectiveness or security of Australian or allied forces that could result in risk to life

Impacts on National Infrastructure

• damaging or disrupting significant national infrastructure

4 (Extreme)

Could be expected to cause serious damage to the National interest, organisations or individuals by:

Impacts on National Security

• causing serious damage to national security

Impacts on Agency Operations

—Operational capacity

• causing a severe degradation in, or loss of, organisational capability to an extent and duration that the agency cannot perform any of its functions

—Agency Assets

• resulting in major long term harm to agency assets

Australian Financial and Economic Impacts

• undermining the financial viability of a number of major Australia-based or Australian-owned organisations or companies in the same sector

• causing major, long-term damage to the Australian economy to an estimated total in excess of $20 billion

• causing major, long-term damage to global trade or commerce, leading to prolonged recession or hyperinflation in Australia

Impacts on Government Policies

• severely disadvantaging Australia in major international negotiations or strategy

• threatening directly the internal stability of Australia or friendly countries, leading to widespread instability

• raising international tension, or causing severe damage or disruption, to diplomatic relations

Impacts on Personal Safety

• threatening life directly – the compromise of information could reasonably be expected to lead to loss of life of an individual or small group

Impacts on Intelligence Operations

• causing severe damage to Australian or allied intelligence capability

Impacts on Crime Prevention

• causing major, long-term impairment to the ability to investigate serious organised crime undertaken by an organised crime group as defined in the Convention Against Transnational Organised Crime

Impacts on Defence Operations

• resulting in severe damage to the operational effectiveness or security of Australian or allied forces

Impacts on National Infrastructure

• shutting down or substantially disrupting significant national infrastructure

5 (Catastrophic)

Could be expected to cause exceptionally grave damage to the National interest by:

Impacts on National Security

• causing exceptionally grave damage to national security

Impacts on Government Policies

• resulting in the collapse of internal political stability of Australia or friendly countries

• directly provoking international conflict or causing exceptionally grave damage to relations with friendly governments

Impacts on Personal Safety

• leading directly to widespread loss of life – the compromise of information could reasonably be expected to lead to the death of a large number of people

Impacts on Intelligence Operations

• causing exceptionally grave damage to the effectiveness of extremely valuable security or intelligence operations

Impacts on Defence Operations

• causing exceptionally grave damage to the operational effectiveness or security of Australian or allied forces
