Which paradigm ensures that organizations can effectively complete the fully cycle of the management system, thereby achieving its intended outcomes?
Plan-Do-Check-Act (PDCA)
Kanban Model
Agile / Scrum Model
Six Sigma and Lean Process
The Plan-Do-Check-Act (PDCA) paradigm ensures that organizations can effectively complete the full cycle of the management system, thereby achieving its intended outcomes. The PDCA cycle is a four-step iterative process that helps organizations to establish, implement, maintain, and continually improve their management systems. The PDCA cycle consists of the following phases:
Which objective(s) focus on the BCM activities that support the achievement of people-and performance-oriented objectives?
Process-oriented
Performance-oriented
People-oriented
Process-oriented objectives are the objectives that focus on the BCM activities that support the achievement of people-and performance-oriented objectives, as defined by ISO 22301. Process-oriented objectives are derived from the business continuity policy and the results of the business impact analysis (BIA) and risk assessment (RA). Process-oriented objectives are measurable, consistent, and relevant to the organization’s business continuity requirements and strategies. Process-oriented objectives are also aligned with the organization’s strategic direction and communicated to all relevant parties. Process-oriented objectives are one of the key requirements of ISO 22301, as they provide the basis for planning, implementing, monitoring, reviewing, and improving the business continuity management system (BCMS). References: ISO 22301 Auditing eBook, page 28 1; ISO 22301:2019, clause 6.2 2
Which objective should be attainable within a given timeframe?
Time-based
Measurable
Practicality
Relevant
A time-based objective is an objective that should be attainable within a given timeframe. Time-based objectives help to ensure that the organization is taking timely and realistic actions to achieve its desired outcomes and performance. Time-based objectives also help to monitor and measure the progress and results of the actions, as well as to identify and address any delays or deviations. Time-based objectives are one of the characteristics of the S.M.A.R.T. concept, which stands for Specific, Measurable, Achievable, Relevant, and Time-based. The S.M.A.R.T. concept is a useful tool for setting effective objectives that are clear, realistic, and meaningful. The S.M.A.R.T. concept is applicable to various types of objectives, such as business continuity objectives, recovery time objectives, recovery point objectives, minimum business continuity objectives, etc. According to the ISO 22301 Auditing eBook, "Time-bound: BCOs [Business Continuity Objectives] should be time-bound, with clear deadlines and timelines for achieving the objectives. This ensures that the organization is taking timely action to protect critical business functions during a disruptive incident."1 References:
The purpose of document control is to ensure that documentary information is current and the confidentiality of business continuity materials is safeguarded.
True
False
 Document control is a process that ensures that documented information related to the BCMS is current, accurate, and available to relevant parties. It also ensures that the confidentiality of business continuity materials is safeguarded from unauthorized access, disclosure, or misuse. Document control covers the creation, approval, distribution, use, storage, preservation, retrieval, control of changes, retention, and disposition of documented information. Document control is required by clause 7.5.3 of ISO 22301:2019. References: ISO 22301:2019, clause 7.5.3; ISO 22301 Auditing eBook, page 56.
Of which process should Business Continuity programs be a part?
Incident Management process Â
Compliance process Â
Governance process
Problem Management process Â
Business continuity programs should be a part of the governance process of the organization, which is the system by which the organization is directed and controlled. The governance process involves setting the strategic direction, establishing the policies and objectives, allocating the resources, monitoring the performance, and ensuring the accountability and transparency of the organization. Business continuity programs support the governance process by ensuring the continuity of the organization’s critical functions and processes in the event of a disruptive incident, and by enhancing the organization’s resilience and reputation. References: ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems (BCMS), Section 1.1: Governance, page 8.
______________ are individuals or groups that have an interest in the organization's performance.
Individuals
Customers
Stakeholders
Competitor
Stakeholders are individuals or groups that have an interest in the organization’s performance. According to the ISO 22301 Auditing eBook, "Stakeholders are persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. Stakeholders can be internal or external to the organization. Examples of internal stakeholders are employees, managers, owners, and board members. Examples of external stakeholders are customers, suppliers, regulators, investors, competitors, media, and the public."1 Stakeholders have different needs and expectations regarding the organization’s business continuity management system (BCMS) and its ability to respond to and recover from disruptive incidents. Therefore, the organization needs to identify its relevant stakeholders and understand their requirements and expectations, as well as communicate with them effectively and appropriately. This is one of the requirements of ISO 22301, the international standard for business continuity management systems. ISO 22301 requires the organization to determine the interested parties that are relevant to its BCMS and the requirements of these interested parties2. Interested parties are a subset of stakeholders that have a direct or indirect influence on the BCMS or a stake in its outcome3. The organization also needs to monitor and review the information about these interested parties and their requirements, as they may change over time2. References:
All outsourced functions of processes that are part of the organization's delivery system should be included in the scoping analysis.
True
False
 All outsourced functions or processes that are part of the organization’s delivery system should be included in the scoping analysis, as they can have a significantimpact on the organization’s ability to deliver its products or services in the event of a disruption. The organization should also consider the dependencies and interdependencies between its internal and external functions or processes, and the potential consequences of their failure or disruption. The organization should define the scope of its business continuity management system (BCMS) based on the results of the scoping analysis and document it in the BCMS policy. References: ISO 22301 Auditing eBook, page 29; ISO 22301:2019 standard, clause 4.3
Which of the following refers to a specific task products or outcomes that are required in order to complete the project?
Timescale
Deliverables
Function
Task
 Deliverables are the specific tasks, products, or outcomes that are required in order to complete the project. They are the tangible and measurable results of the project activities, and they should be aligned with the project objectives and scope. Deliverables can be classified into two types: project deliverables and process deliverables. Project deliverables are the outputs that directly contribute to the achievement of the project goals, such as reports, plans, documents, software, hardware, etc. Process deliverables are the outputs that support the management and execution of the project, such as schedules, budgets, risk assessments, audits, etc. Deliverables should be clearly defined, agreed upon, and accepted by the project stakeholders, and they should be monitored and controlled throughout the project lifecycle. According to ISO 22301, some of the deliverables for implementing a business continuity management system (BCMS) are: business continuity policy, business continuity objectives, business impact analysis, risk assessment and treatment, business continuity strategy, business continuity plans, business continuity procedures, performance indicators, audit reports, corrective actions, etc. References: ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.1: Project Management, page 39. ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.2: Project Deliverables, page 40.
When determining the scope of the BCMS, what is true?
The scope only relates to the internal needs of the organization.
The scope should always cover the whole organization
The scope should document and explain any exclusions.
The scope should never be changed.
 The scope of the business continuity management system (BCMS) is the statement that defines the boundaries and applicability of the BCMS. It specifies which products, services, processes, locations, and organizational units are covered by the BCMS, as well as any exclusions or limitations. The scope should document and explain any exclusions, which are the products, services, or processes that are not within the scope of the BCMS. Exclusions may be justified for various reasons, such as:
However, the exclusions should not affect the organization’s ability to provide products and services that meet the requirements and expectations of its interested parties. The exclusions should also not compromise the conformity of the BCMS with the requirements of ISO 22301, the international standard for business continuity management systems. The scope and the exclusions should be documented in a clear and concise manner, and communicated to all relevant stakeholders. The scope and the exclusions should also be reviewed and updated regularly to reflect the changing circumstances and needs of the organization. References:
Which role is associated with specialist services offered by third parties?
People
Stakeholders
Reputation
Suppliers
Suppliers are the role associated with specialist services offered by third parties, such as consultants, trainers, auditors, or certification bodies. Suppliers can provide external support and expertise to the organization in developing, implementing, maintaining, and improving its BCMS. Suppliers can also help the organization to demonstrate its conformance and competence to interested parties, such as customers, regulators, or investors. Suppliers are one of the key stakeholders of the BCMS, as they can influence or be influenced by the organization’s business continuity performance and objectives. References: ISO 22301 Auditing eBook, page 12 1; ISO 22301:2019, clause 4.2 2
Which of the following has a determined roles and responsibilities based on knowledge and skills profiles?
People
Premises
Suppliers
Reputation
 According to ISO 22301:2019, Clause 7.2, the organization must determine the necessary competence of persons doing work under its control that affects its business continuity performance. The organization must ensure that these persons are competent on the basis of appropriate education, training, or experience, and where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. The organization must also retain appropriate documented information as evidence of competence. Therefore, people are the ones who have determined roles and responsibilities based on knowledge and skills profiles, as they are the key resources for implementing and maintaining the business continuity management system (BCMS). References: ISO 22301:2019, Clause 7.2; ISO 22301 Auditing eBook, Chapter 4.2.2.
The Act phase of PDCA cycle consists of improvement?
True
False
The Act phase of the PDCA cycle consists of improvement. The Act phase is the fourth and final phase of the PDCA cycle, following the Check phase. In the Act phase, the organization takes action based on what it learned from the Check phase, where it monitored and evaluated the results of the Do phase, where it implemented the plan developed in the Plan phase. The action can be one of the following options1:
Which function(s) provide support to the critical functions?
Supporting functions
Procedural functions
Supporting functions are the functions that provide support to the critical functions of an organization, such as human resources, finance, IT, or facilities management. Supporting functions are essential for the continuity of the critical functions, but they are not directly involved in delivering the products or services to the customers. Supporting functions are also part of the scope of the business continuity management system (BCMS) and need to be identified, analyzed, and protected by the organization. Supporting functions are one of the key concepts of ISO 22301, as they help the organization to determine its business continuity requirements and strategies. References: ISO 22301 Auditing eBook, page 23 1; ISO 22301:2019, clause 8.2.2 2
Which of the following document is owned by executive management and sets the purpose of BCM in an organisation?
Business Continuity Policy
Business Process Policy
Register
Worksheet
 The document that is owned by executive management and sets the purpose of BCM in an organization is the Business Continuity Policy. The Business Continuity Policy is a high-level document that defines the scope, objectives, principles, and roles and responsibilities for business continuity management within the organization. It also demonstrates the commitment of top management to support and continually improve the BCMS. The Business Continuity Policy is one of the mandatory documents required by ISO 22301, the international standard for BCMS12.
The other options are not correct because they are not documents that are owned by executive management and set the purpose of BCM in an organization. A Business Process Policy is a document that describes the procedures and rules for performing a specific business process, such as procurement, sales, or accounting. A Register is a document that records and tracks the status of certain items, such as risks, incidents, or assets. A Worksheet is a document that contains data and calculations, such as a spreadsheet or a form.
References: 1: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 5.3 2: ISO 22301 Auditing eBook, Chapter 2.2.2
Which review uncover's vulnerability and exposure of the organizational activities to specific types or risk?
Crisis Assessment
Continuity Assessment
Critical Assessment
Risk Assessment
 A risk assessment is a review that uncovers the vulnerability and exposure of the organizational activities to specific types or risk. A risk assessment helps to identify, analyze, and evaluate the potential threats and impacts that could affect the organization’s ability to achieve its objectives and maintain its continuity. A risk assessment also helps to determine the appropriate risk treatment options and controls to reduce the likelihood and/or consequences of the risks. A risk assessment is an essential part of the business continuity management system (BCMS) as it enables the organization to prioritize its business continuity requirements and resources based on the level of risk. References:
Which step clarifies the requirements with business leads?
Clarify and confirm
Commit
Check
Compile
The clarify and confirm step is the first step of the audit planning process, where the auditor clarifies the requirements with the business leads, such as the audit client, the auditee, and the audit team. The purpose of this step is to ensure that the audit objectives, scope, criteria, and deliverables are clearly defined, understood, and agreed upon by all the parties involved. The clarify and confirm step also involves the identification of the audit risks, opportunities, and resources, as well as the establishment of the audit communication channels and protocols. The clarify and confirm step is essential to ensure that the audit is aligned with the expectations and needs of the stakeholders, and that the audit is feasible, effective, and efficient. References:
The purpose of risk management for business continuity is to find out what problems an organization may face. Â
How should the level of risk for an organization be determined?
Combining consequence and likelihood of events
Combining importance and acceptance of events Â
Combining acceptable and tolerable events Â
Combining profitability and analysis of events
According to ISO 22301:2019, Clause 6.1.2, the organization must establish, implement, and maintain a documented process to manage risks related to the continuity of its critical functions and the achievement of its business continuity objectives. The risk management process should include the identification, analysis, and evaluation of the risks that may cause disruption to the organization’s operations, products, and services. The level of risk for an organization should be determined by combining the consequence and likelihood of the events that may lead to disruption, as well as the organization’s risk criteria, risk appetite, and risk tolerance. The consequence of an event is the impact or effect that it may have on the organization’s objectives, reputation, stakeholders, and resources. The likelihood of an event is the probability or frequency that it may occur, based on historical data, statistical analysis, expert judgment, or other methods. The organization should use appropriate tools and techniques to assess the level of risk, such as risk matrices, risk registers, risk maps, or risk software. The organization should also document the results of the risk assessment and communicate them to relevant interested parties. The purpose of risk management for business continuity is to find out what problems an organization may face, and to take appropriate actions to prevent, mitigate, or transfer the risks, or to accept them if they are within the organization’s riskcriteria. References: ISO 22301:2019, Clause 6.1.2; ISO 22301 Auditing eBook, Chapter 4.2.2.
Which objectives take the form of targets to enhance organizational resilience?
Business Continuity
Business Service
Business Strategy
Business Process
Business continuity objectives are the objectives that take the form of targets to enhance organizational resilience, as defined by ISO 22301. Business continuity objectives are derived from the business continuity policy and the results of the business impact analysis (BIA) and risk assessment (RA). Business continuity objectives are measurable, consistent, and relevant to the organization’s business continuity requirements and strategies. Business continuity objectives are also aligned with the organization’s strategic direction and communicated to all relevant parties. Business continuity objectives are one of the key requirements of ISO 22301, as they provide the basis for planning, implementing, monitoring, reviewing, and improving the business continuity management system (BCMS). References: ISO 22301 Auditing eBook, page 28 1; ISO 22301:2019, clause 6.2 2
The PDCA paradigm cycle is widely recognized as a process-centric approact?
True
False
The PDCA paradigm cycle is widely recognized as a process-centric approach. The PDCA cycle, also known as the Deming cycle or the Shewhart cycle, is a four-step model for carrying out change and improvement in a systematic and consistent way. The PDCA cycle consists of the following phases: Plan, Do, Check, and Act. The Plan phase involves identifying the problem, setting the objectives, and developing the plan for improvement. The Do phase involves implementing the plan and carrying out the actions. The Check phase involves monitoring and measuring the results and comparing them with the objectives. The Act phase involves taking corrective actions, standardizing the improvement, and reviewing the process. The PDCA cycle is a process-centric approach because it focuses on the processes and their interactions that deliver the desired outcomes and performance. The PDCA cycle helps to ensure that the processes are planned, executed, evaluated, and improved in a continuous and consistent manner. The PDCA cycle is also aligned with the process approach principle of ISO 22301, the international standard for business continuity management systems. ISO 22301 requires the organization to apply the PDCA cycle to its business continuity management system, as well as to its individual processes and activities. The PDCA cycle helps the organization to establish, implement, operate, monitor, review, maintain, and continually improve its business continuity management system and its ability to respond to and recover from disruptive incidents. References:
Which type of management system provide the means for organizations to improve internal controls and management competence?
Formal
Executional
Organizational
Functional
A formal management system is a type of management system that provides the means for organizations to improve internal controls and management competence. A formal management system is a documented system that defines the policies, objectives, processes, procedures, roles, responsibilities, and resources for managing a specific aspect of the organization’s performance. A formal management system is based on a recognized standard or framework that specifies the requirements and best practices for achieving the desired outcomes and performance. A formal management system also includes mechanisms for monitoring, measuring, reviewing, and improving the system’s effectiveness and efficiency. A formal management system helps the organization to demonstrate its commitment and capability to meet the expectations and needs of its stakeholders, such as customers, regulators, employees, suppliers, etc. A formal management system also helps the organization to identify and manage the risks and opportunities that may affect its performance and continuity. Examples of formal management systems are ISO 22301 for business continuity management, ISO 9001 for quality management, ISO 14001 for environmental management, ISO 27001 for information security management, etc. References:
Which step of PDCA Cycle is associated with preparing the Statement of Applicability (SOA)?
Plan
Do
Check
Act
The Statement of Applicability (SOA) is a document that identifies the applicable requirements of ISO 22301 and explains how they are addressed by the organization’s Business Continuity Management System (BCMS). The SOA is prepared during the planning phase of the PDCA cycle, as part of the process of establishing the BCMS scope, objectives, and policy. The SOA is based on the results of the business impact analysis, risk assessment, and risk treatment, and it provides a rationale for the inclusion or exclusion of each requirement. The SOA also helps to demonstrate the conformity of the BCMS with the standard and to communicate the BCMS scope and objectives to interested parties. References: ISO 22301:2019, Clause 6.1.3; ISO 22301 Auditing eBook, Chapter 4.2.2.
Which of the following outlines the management hierarchy of the organization?
Corporate Structure
Corporate Service
Corporate Improvement
Corporate Defences
Corporate structure outlines the management hierarchy of the organization, such as the board of directors, the executive management, the business units, the departments, the teams, and the individuals. It defines the roles, responsibilities, authorities, and accountabilities of the organizational members, as well as the reporting and communication lines. Corporate structure also reflects the organization’s culture, values, vision, mission, and strategic objectives. It is importantfor the organization to have a clear and effective corporate structure that supports the implementation and operation of the business continuity management system (BCMS) and ensures the alignment of the business continuity objectives with the strategic direction of the organization. References: ISO 22301 Auditing eBook, Chapter 2: Business Continuity Management System (BCMS), Section 2.1: Scope and Objectives, page 23.
The collection of corporate information provides evidence on the state of organizational preparedness.
True
False
The collection of corporate information provides evidence on the state of organizational preparedness, as it allows the organization to assess its currentcapabilities, resources, and performance in relation to its business continuity objectives and requirements. Corporate information includes documents, records, data, and other types of information that are relevant to the organization’s business continuity management system (BCMS). By collecting and analyzing corporate information, the organization can identify its strengths, weaknesses, opportunities, and threats, and determine the gaps and areas for improvement in its BCMS. Corporate information also helps the organization to monitor and measure the effectiveness and efficiency of its BCMS, and to demonstrate its compliance with the ISO 22301 standard and other applicable regulations and standards. References: ISO 22301 Auditing eBook, page 34; ISO 22301:2019 standard, clause 9.1
Which Resources are involved in Business Continuity to continue critical operations at an acceptable level? (Choose four)
Premises
Information
Technology
Supplies
Data
Knowledge
The resources that are involved in business continuity to continue critical operations at an acceptable level are premises, information, technology, and supplies. These are the four types of resources that are defined by ISO 22301, the international standard for business continuity management systems (BCMS). According to ISO 22301, a resource is anything that can be used to achieve an objective1. The standard specifies the following types of resources and their definitions2:
These resources are essential for business continuity because they enable an organization to perform its critical activities, which are the activities that have to be performed to deliver the key products and services that meet the minimum acceptable level of service and the needs of the interested parties3. Therefore, an organization needs to identify, prioritize, protect, and restore these resources in the event of a disruption, as part of its BCMS.
The other options are not correct because they are not types of resources that are involved in business continuity to continue critical operations at an acceptable level, according to ISO 22301. Data is a subset of information, and it is not a separate type of resource. Knowledge is also a part of information, and it is not a distinct type of resource.
References: 1: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.33 2: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.34-3.37 3: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.7 : ISO 22301 Auditing eBook, Chapter 2.2.2 : ISO 22301 Auditing eBook, Chapter 2.2.3 : ISO 22301 Auditing eBook, Chapter 2.2.4
Leadership prepares the organization before and during an incident.
True
False
Leadership prepares the organization before and during an incident by establishing the business continuity policy, objectives, and roles and responsibilities, ensuring the alignment of the business continuity management system (BCMS) with the organization’s strategic direction, providing the necessary resources and support for the BCMS, communicating the importance of effective business continuity management to all interested parties, and promoting continual improvement of the BCMS. Leadership also demonstrates commitment and accountability for the BCMS performance, ensures the integration of the BCMS requirements into the organization’s processes, reviews and evaluates the BCMS suitability, adequacy, and effectiveness, and ensures that the organization’s business continuity needs and exp
Which two levels of organizations activities does business continuity can be integrated?
Management
Structural
Operations
Processes
Business continuity can be integrated into two levels of the organization’s activities: management and processes. According to the ISO 22301 Auditing eBook, "Business continuity integration is the process of embedding business continuity principles and practices into the organization’s culture, values, and operations. Business continuity integration aims to ensure that business continuity is not seen as a separate function or project, but as an integral part of the organization’s management and processes."1
Business continuity integration at the management level involves the following aspects1:
Business continuity integration at the process level involves the following aspects1:
References:
Which two (2) are the key areas of Exercise?
Staff
Organisation
Stakeholder
Plans
The key areas of exercise are organisation and plans. According to the ISO 22301 Auditing eBook1, an exercise is a process to train for, assess, practice, and improve performance in an organization. The purpose of an exercise is to evaluate the organization’s capability to respond to a disruptive incident and implement its business continuity plans. Therefore, the key areas of exercise are the organization itself, which includes its structure, roles, responsibilities, resources, and culture, and the plans that define the objectives, scope, scenarios, procedures, and evaluation criteria of the exercise. These two areas are essential to ensure that the exercise is realistic, relevant, effective, and aligned with the organization’s business continuity objectives and expectations. References:
TESTED 04 Dec 2024