When determining the scope of the BCMS, what is true?
The scope of the business continuity management system (BCMS) is the statement that defines the boundaries and applicability of the BCMS. It specifies which products, services, processes, locations, and organizational units are covered by the BCMS, as well as any exclusions or limitations. The scope should document and explain any exclusions, which are the products, services, or processes that are not within the scope of the BCMS. Exclusions may be justified for various reasons, such as:
The products, services, or processes are not critical to the organization's operations and objectives.
The products, services, or processes are already covered by other management systems or plans.
The products, services, or processes are outside the organization's control or influence.
The products, services, or processes are not relevant or applicable to the organization's context or needs.
However, the exclusions should not affect the organization's ability to provide products and services that meet the requirements and expectations of its interested parties. The exclusions should also not compromise the conformity of the BCMS with the requirements of ISO 22301, the international standard for business continuity management systems. The scope and the exclusions should be documented in a clear and concise manner, and communicated to all relevant stakeholders. The scope and the exclusions should also be reviewed and updated regularly to reflect the changing circumstances and needs of the organization.
Reference: ISO 22301 Clause 4.3 Determining the Scope of the Business Continuity Management System
Which three (3) levels are management activities of the Incident Management Structure (IMS)? (Choose three)
The Incident Management Structure (IMS) is a framework for organizing and managing the response to a disruptive incident. The IMS defines three levels of management activities: strategic, tactical, and operational. The strategic level is responsible for setting the overall direction and objectives of the response, as well as allocating resources and coordinating with external stakeholders. The tactical level is responsible for implementing the strategic decisions and managing the operational teams. The tactical level also monitors the situation and reports to the strategic level. The operational level is responsible for executing the specific tasks and actions required to achieve the objectives of the response. The operational level also provides feedback to the tactical level on the progress and issues encountered.
The organization should establish a formal evaluation process for determining continuity and recovery priorities and objectives.
What is one of the purposes of the Business Impact Analysis (BIA)?
One of the purposes of the business impact analysis (BIA) is to determine the minimal acceptable outage (MAO) for each critical function or process of the organization. The MAO is the maximum amount of time that a function or process can be disrupted before it causes unacceptable consequences for the organization. The MAO is used to define the recovery time objective (RTO) and the recovery point objective (RPO) for each function or process. The RTO is the time within which a function or process must be restored after a disruption, and the RPO is the point in time to which the data and information must be recovered. The BIA helps the organization to prioritize its recovery efforts and allocate the necessary resources for business continuity.
Reference: ISO 22301 Auditing eBook, page 38; ISO 22301:2019 standard, clause 8.2.2
The actions of the media and press have a profound impact on the long-term performance, or in some cases.
The media and press have a profound impact on the long-term performance, or in some cases, the survival of an organization, especially in the aftermath of a disruptive incident. The media and press can influence the perception and reputation of the organization, as well as the expectations and satisfaction of its stakeholders, such as customers, suppliers, regulators, employees, and the general public. Therefore, it is important for the organization to establish and maintain a positive relationship with the media and press, and to communicate effectively and transparently during and after a crisis. ISO 22301:2019, Clause 8.4.3, requires the organization to establish, implement, and maintain a documented procedure to manage communications with relevant interested parties during a disruptive incident. The procedure should include the identification of the spokesperson(s) who will communicate with the media and press, the preparation of key messages and statements, the approval and distribution of information, and the monitoring and evaluation of the effectiveness of the communications. The organization should also consider the potential legal and ethical implications of its communications, and ensure that the information provided is accurate, consistent, and timely.
Reference: ISO 22301:2019, Clause 8.4.3; ISO 22301 Auditing eBook, Chapter 4.3.3.