Pass the PECB ISO 22301 ISO-22301-Lead-Auditor Questions and answers with CertsForce

The plan phase in the PDCA cycle establishes the operating framework for the BCMS by defining the scope, objectives, policy, and processes of the BCMS. The plan phase also involves conducting a business impact analysis (BIA) and a risk assessment (RA) to identify the business continuity requirements and strategies. The plan phase is one of the key requirements of ISO 22301, as it provides the foundation and direction for the BCMS implementation and improvement. References: ISO 22301 Auditing eBook, page 10 1; ISO 22301:2019, clause 0.3 2

 The document that is owned by executive management and sets the purpose of BCM in an organization is the Business Continuity Policy. The Business Continuity Policy is a high-level document that defines the scope, objectives, principles, and roles and responsibilities for business continuity management within the organization. It also demonstrates the commitment of top management to support and continually improve the BCMS. The Business Continuity Policy is one of the mandatory documents required by ISO 22301, the international standard for BCMS12.

The other options are not correct because they are not documents that are owned by executive management and set the purpose of BCM in an organization. A Business Process Policy is a document that describes the procedures and rules for performing a specific business process, such as procurement, sales, or accounting. A Register is a document that records and tracks the status of certain items, such as risks, incidents, or assets. A Worksheet is a document that contains data and calculations, such as a spreadsheet or a form.

References: 1: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 5.3 2: ISO 22301 Auditing eBook, Chapter 2.2.2

Reviewing is the stage that helps management to define where focus and resources should be invested. According to ISO 22301, reviewing is the process of evaluating the performance and effectiveness of the business continuity management system (BCMS) and identifying opportunities for improvement. Reviewing can be done through internal audits, management reviews, performance evaluations, and corrective actions. Reviewing can help management to ensure that the BCMS is aligned with the organization’s strategic objectives, meets the needs and expectations of interested parties, complies with the applicable requirements, andcontinually improves its resilience and capability to respond to disruptive incidents. References: ISO 22301 Auditing eBook, page 171; ISO 22301:2019, clause 92

ISO 22301:2019 is the international standard for business continuity management systems (BCMS). It specifies the requirements for establishing, implementing, maintaining, and improving a BCMS that enables an organization to prepare for, respond to, and recover from disruptive incidents. ISO 22301:2019 consists of 13 sections and 2 supporting sections. The 13 sections are:

Scope: This section defines the scope and applicability of the standard and its intended outcomes.

Normative references: This section lists the normative references that are indispensable for the application of the standard, such as ISO 31000 and ISO/IEC 27000.

Terms and definitions: This section provides the definitions of the terms used in the standard, such as business continuity, incident, and risk.

Context of the organization: This section requires the organization to determine its internal and external issues, the needs and expectations of its interested parties, and the scope and boundaries of its BCMS.

Leadership: This section requires the top management to demonstrate leadership and commitment, establish the business continuity policy and objectives, assign roles and responsibilities, and support the BCMS.

Planning: This section requires the organization to plan actions to address risks and opportunities, achieve the business continuity objectives, and integrate the BCMS into its business processes.

Support: This section requires the organization to provide the necessary resources, competence, awareness, communication, and documented information to support the BCMS.

Operation: This section requires the organization to implement the operational planning and control, conduct the business impact analysis and risk assessment, determine the business continuity strategy and solutions, establish and implement the business continuity procedures, and exercise and test the BCMS.

Performance evaluation: This section requires the organization to monitor, measure, analyze, and evaluate the performance and effectiveness of the BCMS, conduct internal audits, and review the BCMS at planned intervals.

Improvement: This section requires the organization to identify and implement opportunities for improvement, address nonconformities and take corrective actions, and continually improve the BCMS.

Annex A: This section provides informative guidance on the relationship between the clauses of ISO 22301:2019 and ISO 22313:2020, which is the international standard for business continuity management systems - guidance on the use of ISO 22301.

Annex B: This section provides informative guidance on the relationship between the clauses of ISO 22301:2019 and ISO 31000:

 A control is a measure that is implemented to reduce or eliminate the risk from occurring, or to mitigate the impact of the risk if it occurs. A control can be preventive, corrective, or detective, depending on the stage of the risk management process. A control can also be administrative, technical, or physical, depending on the nature of the risk and the organization. A control can be designed, implemented, monitored, and evaluated based on the risk assessment and the risk treatment plan. A control can be documented in the business continuity policy, objectives, plans, procedures, and other relevant documents. A control can be audited to verify its effectiveness and efficiency in achieving the intended outcomes. References:

PECB Certified ISO 22301 Lead Auditor eLearning Training Course1, Module 3: Fundamental principles and concepts of a business continuity management system (BCMS), Lesson 3.2: Business continuity management system (BCMS), Slide 15: Risk management

ISO 22301 Auditing eBook2, Chapter 3: Fundamental principles and concepts of a business continuity management system (BCMS), Section 3.2: Business continuity management system (BCMS), Subsection 3.2.4: Risk management

According to ISO 22301 Lead Auditor objectives and content, a qualitative approach is a type of approach that has a straightforward process based on informed judgement supported by appropriate guidance. A qualitative approach is used to assess the impacts and risks of a disruption to the organization’s processes, resources, and objectives. A qualitative approach relies on the subjective evaluation of the likelihood and severity of the disruption, as well as the effectiveness of the existing controls and mitigation measures. A qualitative approach can use descriptive scales, such as low, medium, and high, to rank the impacts and risks. A qualitative approach can also use tools, such as matrices, diagrams, and checklists, to facilitate the analysis and communication of the results. A qualitative approach is suitable for organizations that have limited data, resources, or time to conduct a quantitative approach, which requires more complex and objective calculations and measurements. References: ISO 22301 Auditing eBook, page 401; ISO 22301 Clause 8.2.2 Risk assessment2

The Incident Management Structure (IMS) is a framework for organizing and managing the response to a disruptive incident. The IMS defines three levels of management activities: strategic, tactical, and operational. The strategic level is responsible for setting the overall direction and objectives of the response, as well as allocating resources and coordinating with external stakeholders. The tactical level is responsible for implementing the strategic decisions and managing the operational teams. The tactical level also monitors the situation and reports to the strategic level. The operational level is responsible for executing the specific tasks and actions required to achieve the objectives of the response. The operational level also provides feedback to the tactical level on the progress and issues encountered. References:

ISO 22301 Auditing eBook, Chapter 4: Incident Response and Recovery, Section 4.2: Incident Management Structure1

ISO 22320:2018(en), Security and resilience — Emergency management — Guidelines for incident management2

The Do phase in the PDCA cycle consists of operation, which means implementing and operating the business continuity policy, controls, processes, and procedures that have been planned in the previous phase. The Do phase also involves establishing the necessary resources, competencies, awareness, communication, and documentation to support the effective operation of the business continuity management system (BCMS). The Do phase aims to ensure that the organization is prepared to respond to and recover from disruptive incidents in a timely and effective manner. References: ISO 22301 Auditing eBook, pages 9, 10, 11, 22, 23, and 24.

According to ISO 22301 Auditing eBook, Chapter 3.2.1, people-oriented objectives are the objectives that are related to shaping the attitudes, behaviours, and skills of individuals within the organization. These objectives aim to enhance the awareness, competence, and commitment of the personnel involved in the business continuity management system (BCMS). Some examples of people-oriented objectives are:

To increase the level of business continuity awareness among all employees by conducting regular training and awareness sessions.

To ensure that all business continuity roles and responsibilities are clearly defined and communicated to the relevant personnel.

To develop and maintain the necessary skills and knowledge for performing business continuity tasks and activities.

To foster a culture of business continuity within the organization that encourages participation, collaboration, and continuous improvement.

People-oriented objectives are important for ensuring that the organization has the human resources required for implementing and maintaining the BCMS, and for achieving the desired business continuity performance and results. References: ISO 22301 Auditing eBook, Chapter 3.2.1.

Stakeholders are individuals or groups that have an interest in the organization’s performance. According to the ISO 22301 Auditing eBook, "Stakeholders are persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. Stakeholders can be internal or external to the organization. Examples of internal stakeholders are employees, managers, owners, and board members. Examples of external stakeholders are customers, suppliers, regulators, investors, competitors, media, and the public."1 Stakeholders have different needs and expectations regarding the organization’s business continuity management system (BCMS) and its ability to respond to and recover from disruptive incidents. Therefore, the organization needs to identify its relevant stakeholders and understand their requirements and expectations, as well as communicate with them effectively and appropriately. This is one of the requirements of ISO 22301, the international standard for business continuity management systems. ISO 22301 requires the organization to determine the interested parties that are relevant to its BCMS and the requirements of these interested parties2. Interested parties are a subset of stakeholders that have a direct or indirect influence on the BCMS or a stake in its outcome3. The organization also needs to monitor and review the information about these interested parties and their requirements, as they may change over time2. References:

ISO 22301 Auditing eBook, Chapter 2: Business Continuity Concepts and Principles, Section 2.1: Stakeholders1

ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements, Clause 4.2: Understanding the needs and expectations of interested parties2

Interested parties in ISO 27001 and ISO 22301 | Who are they?3