The Commonwealth of Virginia requires each agency to perform a business impact analysis and risk assessment. This requirement is stated as part of a larger standard on Information Technology Security (SEC2001-01.1).

Current Standard

A.1.d) Each Agency must conduct a business impact analysis and risk assessment throughout the Agency (to include relevant business partners) to identify various levels of sensitivity associated with the information resources as defined; to identify the potential security threats to those resources; and to determine the appropriate level of security to be implemented to safeguard those resources. The business impact analysis and risk assessment can be reviewed and updated as needed, but at a minimum must be reviewed and updated every three years.