Which paradigm ensures that organizations can effectively complete the full cycle of the management system, thereby achieving its intended outcomes?
Plan-Do-Check-Act (PDCA)
Kanban Model
Agile / Scrum Model
Six Sigma and Lean Process
The Plan-Do-Check-Act (PDCA) paradigm ensures that organizations can effectively complete the full cycle of the management system, thereby achieving its intended outcomes. PDCA is a four-step iterative process that helps organizations establish, implement, maintain, and continually improve their management systems. Its four phases are Plan, Do, Check, and Act.
Which objective(s) focus on the BCM activities that support the achievement of people- and performance-oriented objectives?
Process-oriented
Performance-oriented
People-oriented
Process-oriented objectives focus on the BCM activities that support the achievement of people- and performance-oriented objectives. They are derived from the business continuity policy and from the results of the business impact analysis (BIA) and risk assessment (RA), and they should be measurable, consistent, and relevant to the organization's business continuity requirements and strategies. Like all business continuity objectives, they must be aligned with the organization's strategic direction and communicated to all relevant parties. ISO 22301:2019, clause 6.2, requires business continuity objectives to be set at relevant functions and levels, because they provide the basis for planning, implementing, monitoring, reviewing, and improving the business continuity management system (BCMS). References: ISO 22301 Auditing eBook, page 28; ISO 22301:2019, clause 6.2.
Which objective should be attainable within a given timeframe?
Time-based
Measurable
Practicality
Relevant
A time-based objective is one that should be attainable within a given timeframe. Time-based objectives help ensure that the organization takes timely and realistic actions to achieve its desired outcomes and performance; they also make it possible to monitor and measure the progress and results of those actions and to identify and address delays or deviations. Time-based is one of the characteristics of the S.M.A.R.T. concept, which stands for Specific, Measurable, Achievable, Relevant, and Time-based. S.M.A.R.T. is a useful tool for setting effective objectives that are clear, realistic, and meaningful, and it applies to many kinds of objectives: business continuity objectives, recovery time objectives, recovery point objectives, minimum business continuity objectives, and so on. According to the ISO 22301 Auditing eBook, "Time-bound: BCOs [Business Continuity Objectives] should be time-bound, with clear deadlines and timelines for achieving the objectives. This ensures that the organization is taking timely action to protect critical business functions during a disruptive incident." Reference: ISO 22301 Auditing eBook.
The purpose of document control is to ensure that documentary information is current and the confidentiality of business continuity materials is safeguarded.
True
False
Document control is a process that ensures that documented information related to the BCMS is current, accurate, and available to relevant parties. It also ensures that the confidentiality of business continuity materials is safeguarded from unauthorized access, disclosure, or misuse. Document control covers the creation, approval, distribution, use, storage, preservation, retrieval, control of changes, retention, and disposition of documented information. Document control is required by clause 7.5.3 of ISO 22301:2019. References: ISO 22301:2019, clause 7.5.3; ISO 22301 Auditing eBook, page 56.
Of which process should Business Continuity programs be a part?
Incident Management process
Compliance process
Governance process
Problem Management process
Business continuity programs should be a part of the governance process of the organization, which is the system by which the organization is directed and controlled. The governance process involves setting the strategic direction, establishing the policies and objectives, allocating the resources, monitoring the performance, and ensuring the accountability and transparency of the organization. Business continuity programs support the governance process by ensuring the continuity of the organization’s critical functions and processes in the event of a disruptive incident, and by enhancing the organization’s resilience and reputation. References: ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems (BCMS), Section 1.1: Governance, page 8.
______________ are individuals or groups that have an interest in the organization's performance.
Individuals
Customers
Stakeholders
Competitor
Stakeholders are individuals or groups that have an interest in the organization's performance. According to the ISO 22301 Auditing eBook, "Stakeholders are persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. Stakeholders can be internal or external to the organization. Examples of internal stakeholders are employees, managers, owners, and board members. Examples of external stakeholders are customers, suppliers, regulators, investors, competitors, media, and the public." Stakeholders have different needs and expectations regarding the organization's business continuity management system (BCMS) and its ability to respond to and recover from disruptive incidents. The organization therefore needs to identify its relevant stakeholders, understand their requirements and expectations, and communicate with them effectively and appropriately. This is one of the requirements of ISO 22301, the international standard for business continuity management systems: the organization must determine the interested parties that are relevant to its BCMS and the requirements of those interested parties (clause 4.2). Interested parties are the subset of stakeholders that have a direct or indirect influence on the BCMS or a stake in its outcome. The organization must also monitor and review the information about these interested parties and their requirements, since they may change over time. References: ISO 22301 Auditing eBook; ISO 22301:2019, clause 4.2.
All outsourced functions of processes that are part of the organization's delivery system should be included in the scoping analysis.
True
False
All outsourced functions or processes that are part of the organization's delivery system should be included in the scoping analysis, because they can have a significant impact on the organization's ability to deliver its products or services in the event of a disruption. The organization should also consider the dependencies and interdependencies between its internal and external functions or processes, and the potential consequences of their failure or disruption. The organization should define the scope of its business continuity management system (BCMS) based on the results of the scoping analysis and make the scope available as documented information, as clause 4.3 requires. References: ISO 22301 Auditing eBook, page 29; ISO 22301:2019, clause 4.3.
Which of the following refers to the specific tasks, products, or outcomes that are required in order to complete the project?
Timescale
Deliverables
Function
Task
Deliverables are the specific tasks, products, or outcomes that are required in order to complete the project. They are the tangible and measurable results of the project activities, and they should be aligned with the project objectives and scope. Deliverables can be classified into two types: project deliverables and process deliverables. Project deliverables are the outputs that directly contribute to the achievement of the project goals, such as reports, plans, documents, software, hardware, etc. Process deliverables are the outputs that support the management and execution of the project, such as schedules, budgets, risk assessments, audits, etc. Deliverables should be clearly defined, agreed upon, and accepted by the project stakeholders, and they should be monitored and controlled throughout the project lifecycle. According to ISO 22301, some of the deliverables for implementing a business continuity management system (BCMS) are: business continuity policy, business continuity objectives, business impact analysis, risk assessment and treatment, business continuity strategy, business continuity plans, business continuity procedures, performance indicators, audit reports, corrective actions, etc. References: ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.1: Project Management, page 39; ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.2: Project Deliverables, page 40.
When determining the scope of the BCMS, what is true?
The scope only relates to the internal needs of the organization.
The scope should always cover the whole organization
The scope should document and explain any exclusions.
The scope should never be changed.
The scope of the business continuity management system (BCMS) is the statement that defines the boundaries and applicability of the BCMS. It specifies which products, services, processes, locations, and organizational units are covered by the BCMS, as well as any exclusions or limitations. The scope should document and explain any exclusions, which are the products, services, or processes that are not within the scope of the BCMS. Exclusions may be justified for various reasons, such as:
However, the exclusions must not affect the organization's ability to provide products and services that meet the requirements and expectations of its interested parties, and they must not compromise the conformity of the BCMS with the requirements of ISO 22301. The scope and the exclusions should be documented clearly and concisely, communicated to all relevant stakeholders, and reviewed and updated regularly to reflect the changing circumstances and needs of the organization. The other options are wrong: the scope must take external as well as internal needs into account, it does not have to cover the whole organization, and it can (and should) change when the organization changes. Reference: ISO 22301:2019, clause 4.3.
Which role is associated with specialist services offered by third parties?
People
Stakeholders
Reputation
Suppliers
Suppliers are the role associated with specialist services offered by third parties, such as consultants, trainers, auditors, or certification bodies. Suppliers can provide external support and expertise to the organization in developing, implementing, maintaining, and improving its BCMS. Suppliers can also help the organization demonstrate its conformance and competence to interested parties, such as customers, regulators, or investors. Suppliers are one of the key stakeholders of the BCMS, as they can influence or be influenced by the organization's business continuity performance and objectives. References: ISO 22301 Auditing eBook, page 12; ISO 22301:2019, clause 4.2.
Which of the following has a determined roles and responsibilities based on knowledge and skills profiles?
People
Premises
Suppliers
Reputation
According to ISO 22301:2019, clause 7.2, the organization must determine the necessary competence of persons doing work under its control that affects its business continuity performance. The organization must ensure that these persons are competent on the basis of appropriate education, training, or experience, and where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken. The organization must also retain appropriate documented information as evidence of competence. Therefore, people are the resource whose roles and responsibilities are determined on the basis of knowledge and skills profiles, as they are the key resource for implementing and maintaining the business continuity management system (BCMS). References: ISO 22301:2019, clause 7.2; ISO 22301 Auditing eBook, Chapter 4.2.2.
The Act phase of the PDCA cycle consists of improvement.
True
False
The Act phase of the PDCA cycle consists of improvement. The Act phase is the fourth and final phase of the PDCA cycle, following the Check phase. In the Act phase, the organization takes action based on what it learned from the Check phase, where it monitored and evaluated the results of the Do phase, where it implemented the plan developed in the Plan phase. The action can be one of the following options:
Which function(s) provide support to the critical functions?
Supporting functions
Procedural functions
Supporting functions are the functions that provide support to the critical functions of an organization, such as human resources, finance, IT, or facilities management. Supporting functions are essential for the continuity of the critical functions, but they are not directly involved in delivering the products or services to the customers. Supporting functions are also part of the scope of the business continuity management system (BCMS) and need to be identified, analyzed, and protected by the organization; the business impact analysis should capture the critical functions' dependencies on them. Supporting functions are one of the key concepts of ISO 22301, as they help the organization determine its business continuity requirements and strategies. References: ISO 22301 Auditing eBook, page 23; ISO 22301:2019, clause 8.2.2.
Which of the following document is owned by executive management and sets the purpose of BCM in an organisation?
Business Continuity Policy
Business Process Policy
Register
Worksheet
The document that is owned by executive management and sets the purpose of BCM in an organization is the Business Continuity Policy. The Business Continuity Policy is a high-level document that defines the scope, objectives, principles, and roles and responsibilities for business continuity management within the organization. It also demonstrates the commitment of top management to support and continually improve the BCMS. The Business Continuity Policy is one of the mandatory documents required by ISO 22301, the international standard for BCMS.
The other options are not correct because they are not documents that are owned by executive management and set the purpose of BCM in an organization. A Business Process Policy is a document that describes the procedures and rules for performing a specific business process, such as procurement, sales, or accounting. A Register is a document that records and tracks the status of certain items, such as risks, incidents, or assets. A Worksheet is a document that contains data and calculations, such as a spreadsheet or a form.
References: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, clause 5.2 (Policy); ISO 22301 Auditing eBook, Chapter 2.2.2.
Which review uncovers the vulnerability and exposure of the organization's activities to specific types of risk?
Crisis Assessment
Continuity Assessment
Critical Assessment
Risk Assessment
A risk assessment is a review that uncovers the vulnerability and exposure of the organization's activities to specific types of risk. A risk assessment helps to identify, analyze, and evaluate the potential threats and impacts that could affect the organization's ability to achieve its objectives and maintain its continuity. It also helps to determine the appropriate risk treatment options and controls to reduce the likelihood and/or consequences of the risks. A risk assessment is an essential part of the business continuity management system (BCMS), as it enables the organization to prioritize its business continuity requirements and resources based on the level of risk. Reference: ISO 22301:2019, clause 8.2.3.
Which step clarifies the requirements with business leads?
Clarify and confirm
Commit
Check
Compile
The clarify and confirm step is the first step of the audit planning process, in which the auditor clarifies the requirements with the business leads, such as the audit client, the auditee, and the audit team. The purpose of this step is to ensure that the audit objectives, scope, criteria, and deliverables are clearly defined, understood, and agreed upon by all the parties involved. The clarify and confirm step also involves identifying the audit risks, opportunities, and resources, and establishing the audit communication channels and protocols. It is essential to ensure that the audit is aligned with the expectations and needs of the stakeholders, and that the audit is feasible, effective, and efficient. Reference: ISO 22301 Auditing eBook.
The purpose of risk management for business continuity is to find out what problems an organization may face.
How should the level of risk for an organization be determined?
Combining consequence and likelihood of events
Combining importance and acceptance of events
Combining acceptable and tolerable events
Combining profitability and analysis of events
ISO 22301:2019, clause 8.2.3, requires the organization to implement and maintain a risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to its prioritized activities and the resources they depend on (clause 6.1 separately covers risks and opportunities to the BCMS itself). The level of risk is determined by combining the consequence and the likelihood of the events that could lead to disruption, and then evaluating the result against the organization's risk criteria, risk appetite, and risk tolerance. The consequence of an event is the impact or effect it may have on the organization's objectives, reputation, stakeholders, and resources. The likelihood of an event is the probability or frequency with which it may occur, estimated from historical data, statistical analysis, expert judgment, or other methods. The organization should use appropriate tools and techniques to assess the level of risk, such as risk matrices, risk registers, risk maps, or risk software, document the results of the risk assessment, and communicate them to relevant interested parties. The purpose of risk management for business continuity is to find out what problems an organization may face and to take appropriate action to prevent, mitigate, or transfer the risks, or to accept them if they are within the organization's risk criteria. References: ISO 22301:2019, clause 8.2.3; ISO 22301 Auditing eBook, Chapter 4.2.2.
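The following script is an added example of how "combining consequence and likelihood" turns into a risk level and a decision; it is not taken from the ISO 22301 Auditing eBook or from the standard. The 1-5 scales, the appetite and tolerance thresholds, and the register entries are all assumptions constructed for illustration. An organization substitutes its own risk criteria.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales; the labels are illustrative, not from the standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed risk criteria. A score at or below the appetite is accepted; a score
# above the appetite but within tolerance may be accepted with a documented
# justification and monitoring; anything above tolerance must be treated.
RISK_APPETITE = 4
RISK_TOLERANCE = 9


@dataclass(frozen=True)
class Risk:
    ref: str           # risk register reference
    event: str         # disruptive event
    activity: str      # prioritized activity exposed to the event
    likelihood: str    # key of LIKELIHOOD
    consequence: str   # key of CONSEQUENCE


def risk_score(likelihood: str, consequence: str) -> int:
    """Level of risk: the two ordinal ratings combined on a 5x5 risk matrix.
    Multiplication is the usual convention; any monotonic combination works
    as long as the risk criteria are expressed on the same scale."""
    return LIKELIHOOD[likelihood.lower()] * CONSEQUENCE[consequence.lower()]


def evaluate(score: int) -> str:
    """Compare a risk level against the organization's risk criteria."""
    if score <= RISK_APPETITE:
        return "accept"
    if score <= RISK_TOLERANCE:
        return "accept with monitoring"
    return "treat"


def assess(register):
    """Score every risk in the register and return (ref, score, decision)
    tuples, highest level of risk first, so treatment can be prioritized."""
    rows = []
    for r in register:
        score = risk_score(r.likelihood, r.consequence)
        rows.append((r.ref, score, evaluate(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def risk_matrix():
    """The full 5x5 matrix as {(likelihood, consequence): decision}. This is
    the 'risk map' view, useful for checking that the chosen criteria carve
    the matrix into sensible accept / monitor / treat regions."""
    return {
        (lk, cq): evaluate(l * c)
        for lk, l in LIKELIHOOD.items()
        for cq, c in CONSEQUENCE.items()
    }


# Constructed sample register (invented entries for the example).
SAMPLE_REGISTER = [
    Risk("R1", "regional power outage", "order processing", "likely", "major"),
    Risk("R2", "ransomware on the ERP system", "order processing", "possible", "catastrophic"),
    Risk("R3", "sole logistics supplier fails", "dispatch", "unlikely", "major"),
    Risk("R4", "localized office flooding", "customer service", "rare", "moderate"),
]

if __name__ == "__main__":
    for ref, score, decision in assess(SAMPLE_REGISTER):
        print(f"{ref}: level {score:2d} -> {decision}")
    treat_cells = sum(1 for d in risk_matrix().values() if d == "treat")
    print(f"{treat_cells} of 25 matrix cells require treatment")
```

The ranking is what an auditor looks for: evidence that the organization scored each risk on both axes, compared the score with documented criteria, and that the treatment plan addresses the highest-ranked risks first rather than whichever was raised most recently.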
Which objectives take the form of targets to enhance organizational resilience?
Business Continuity
Business Service
Business Strategy
Business Process
Business continuity objectives are the objectives that take the form of targets to enhance organizational resilience. They are derived from the business continuity policy and from the results of the business impact analysis (BIA) and risk assessment (RA), and they should be measurable, consistent, and relevant to the organization's business continuity requirements and strategies. Business continuity objectives must also be aligned with the organization's strategic direction and communicated to all relevant parties. They are one of the key requirements of ISO 22301 (clause 6.2), as they provide the basis for planning, implementing, monitoring, reviewing, and improving the business continuity management system (BCMS). References: ISO 22301 Auditing eBook, page 28; ISO 22301:2019, clause 6.2.
The PDCA cycle is widely recognized as a process-centric approach.
True
False
The PDCA cycle is widely recognized as a process-centric approach. The PDCA cycle, also known as the Deming cycle or the Shewhart cycle, is a four-step model for carrying out change and improvement in a systematic and consistent way. Its phases are Plan, Do, Check, and Act. The Plan phase involves identifying the problem, setting the objectives, and developing the plan for improvement. The Do phase involves implementing the plan and carrying out the actions. The Check phase involves monitoring and measuring the results and comparing them with the objectives. The Act phase involves taking corrective actions, standardizing the improvement, and reviewing the process. The PDCA cycle is process-centric because it focuses on the processes, and their interactions, that deliver the desired outcomes and performance, and it ensures that those processes are planned, executed, evaluated, and improved continuously and consistently. It is also aligned with the process approach of ISO 22301, whose introduction describes the standard as applying the PDCA cycle to plan, establish, implement, operate, monitor, review, maintain, and continually improve the effectiveness of the BCMS, and so its ability to respond to and recover from disruptive incidents. Reference: ISO 22301:2019, Introduction.
Which type of management system provides the means for organizations to improve internal controls and management competence?
Formal
Executional
Organizational
Functional
A formal management system is a type of management system that provides the means for organizations to improve internal controls and management competence. It is a documented system that defines the policies, objectives, processes, procedures, roles, responsibilities, and resources for managing a specific aspect of the organization's performance, and it is based on a recognized standard or framework that specifies the requirements and good practices for achieving the desired outcomes. A formal management system also includes mechanisms for monitoring, measuring, reviewing, and improving its own effectiveness and efficiency. It helps the organization demonstrate its commitment and capability to meet the expectations and needs of its stakeholders (customers, regulators, employees, suppliers, etc.) and to identify and manage the risks and opportunities that may affect its performance and continuity. Examples of formal management systems are ISO 22301 for business continuity management, ISO 9001 for quality management, ISO 14001 for environmental management, and ISO/IEC 27001 for information security management. Reference: ISO 22301 Auditing eBook.
Which step of PDCA Cycle is associated with preparing the Statement of Applicability (SOA)?
Plan
Do
Check
Act
The Statement of Applicability (SoA) is the document in which an organization lists the controls it has selected, states whether each one is implemented, and justifies inclusions and exclusions. The SoA originates in ISO/IEC 27001 (clause 6.1.3 d), not in ISO 22301, which does not require one; organizations that run an integrated management system commonly maintain a single SoA that also covers their business continuity controls. Wherever it is used, the SoA is prepared in the Plan phase of the PDCA cycle, alongside establishing the scope, policy, and objectives, because it records the outcome of risk assessment and risk treatment planning and gives the rationale for what is in and out of scope before anything is implemented in the Do phase. It also helps demonstrate conformity with the standard and communicate the management system's scope and objectives to interested parties. References: ISO/IEC 27001, clause 6.1.3; ISO 22301 Auditing eBook, Chapter 4.2.2.
Which of the following outlines the management hierarchy of the organization?
Corporate Structure
Corporate Service
Corporate Improvement
Corporate Defences
Corporate structure outlines the management hierarchy of the organization, such as the board of directors, the executive management, the business units, the departments, the teams, and the individuals. It defines the roles, responsibilities, authorities, and accountabilities of the organizational members, as well as the reporting and communication lines. Corporate structure also reflects the organization's culture, values, vision, mission, and strategic objectives. It is important for the organization to have a clear and effective corporate structure that supports the implementation and operation of the business continuity management system (BCMS) and ensures the alignment of the business continuity objectives with the strategic direction of the organization. References: ISO 22301 Auditing eBook, Chapter 2: Business Continuity Management System (BCMS), Section 2.1: Scope and Objectives, page 23.
The collection of corporate information provides evidence on the state of organizational preparedness.
True
False
The collection of corporate information provides evidence on the state of organizational preparedness, as it allows the organization to assess its current capabilities, resources, and performance in relation to its business continuity objectives and requirements. Corporate information includes documents, records, data, and other types of information that are relevant to the organization's business continuity management system (BCMS). By collecting and analyzing corporate information, the organization can identify its strengths, weaknesses, opportunities, and threats, and determine the gaps and areas for improvement in its BCMS. Corporate information also helps the organization monitor and measure the effectiveness and efficiency of its BCMS, and demonstrate its conformity with ISO 22301 and other applicable regulations and standards. References: ISO 22301 Auditing eBook, page 34; ISO 22301:2019, clause 9.1.
Which Resources are involved in Business Continuity to continue critical operations at an acceptable level? (Choose four)
Premises
Information
Technology
Supplies
Data
Knowledge
The resources that are involved in business continuity to continue critical operations at an acceptable level are premises, information, technology, and supplies. These are the four types of resources that ISO 22301, the international standard for business continuity management systems (BCMS), defines for this question. According to ISO 22301, a resource is anything that can be used to achieve an objective. The standard specifies the following types of resources and their definitions:
These resources are essential for business continuity because they enable an organization to perform its critical activities, which are the activities that have to be performed to deliver the key products and services that meet the minimum acceptable level of service and the needs of the interested parties. An organization therefore needs to identify, prioritize, protect, and restore these resources in the event of a disruption, as part of its BCMS.
The other options are not correct because they are not types of resources that are involved in business continuity to continue critical operations at an acceptable level, according to ISO 22301. Data is a subset of information, not a separate type of resource. Knowledge is likewise part of information, not a distinct type of resource.
References: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, clause 3.33; ISO 22301:2019, clauses 3.34-3.37; ISO 22301:2019, clause 3.7; ISO 22301 Auditing eBook, Chapters 2.2.2, 2.2.3 and 2.2.4.
Leadership prepares the organization before and during an incident.
True
False
Leadership prepares the organization before and during an incident by establishing the business continuity policy, objectives, and roles and responsibilities, ensuring the alignment of the business continuity management system (BCMS) with the organization’s strategic direction, providing the necessary resources and support for the BCMS, communicating the importance of effective business continuity management to all interested parties, and promoting continual improvement of the BCMS. Leadership also demonstrates commitment and accountability for the BCMS performance, ensures the integration of the BCMS requirements into the organization’s processes, reviews and evaluates the BCMS suitability, adequacy, and effectiveness, and ensures that the organization’s business continuity needs and exp
Into which two levels of the organization's activities can business continuity be integrated?
Management
Structural
Operations
Processes
Business continuity can be integrated into two levels of the organization's activities: management and processes. According to the ISO 22301 Auditing eBook, "Business continuity integration is the process of embedding business continuity principles and practices into the organization's culture, values, and operations. Business continuity integration aims to ensure that business continuity is not seen as a separate function or project, but as an integral part of the organization's management and processes."
Business continuity integration at the management level involves the following aspects:
Business continuity integration at the process level involves the following aspects:
Reference: ISO 22301 Auditing eBook.
Which two (2) are the key areas of exercising?
Staff
Organisation
Stakeholder
Plans
The key areas of exercising are the organisation and the plans. According to the ISO 22301 Auditing eBook, an exercise is a process to train for, assess, practise, and improve performance in an organization. The purpose of an exercise is to evaluate the organization's capability to respond to a disruptive incident and implement its business continuity plans. The key areas of an exercise are therefore the organization itself, which includes its structure, roles, responsibilities, resources, and culture, and the plans that define the objectives, scope, scenarios, procedures, and evaluation criteria of the exercise. Both are needed for the exercise to be realistic, relevant, effective, and aligned with the organization's business continuity objectives and expectations. Staff and stakeholders take part in exercises, but they are participants rather than the areas being exercised. Reference: ISO 22301 Auditing eBook.
TESTED 14 Nov 2024