PECB ISO 22301 Lead Auditor ISO-22301-Lead-Auditor Exam Questions

Page: 1 / 14
Total 100 questions
Question 1

Which system / standard brings together all existing standards and a collection of good practices to develop a universal approach to Business Continuity Management (BCM)?



Answer : D

ISO 22301 is the system/standard that brings together all existing standards and a collection of good practices to develop a universal approach to Business Continuity Management (BCM). ISO 22301 is the international standard for Security and resilience --- Business continuity management systems --- Requirements. It specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. ISO 22301 is based on the high-level structure (HLS) that provides a common framework for all management system standards. This helps to ensure consistency and alignment with other standards, such as ISO 9001 (quality management), ISO 14001 (environmental management), ISO 27001 (information security management), etc. ISO 22301 also incorporates the best practices and guidance from other sources, such as ISO 22313 (guidelines for business continuity management systems), ISO 22317 (guidelines for business impact analysis), ISO 22318 (guidelines for supply chain continuity), ISO 22320 (guidelines for incident management), ISO 22398 (guidelines for exercises and testing), etc. ISO 22301 aims to provide a universal approach to BCM that is applicable to all types and sizes of organizations, regardless of their nature, sector, or location.

Reference:

ISO 22301:2019 - Security and resilience --- Business continuity management systems --- Requirements

ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems, Section 1.2: ISO 22301 Standard

ISO 22301 - Business Continuity


Question 2

Which two (2) are the key areas of Exercise?



Answer : B, D

The key areas of exercise are organization and plans. According to the ISO 22301 Auditing eBook, an exercise is a process to train for, assess, practice, and improve performance in an organization. The purpose of an exercise is to evaluate the organization's capability to respond to a disruptive incident and implement its business continuity plans. Therefore, the key areas of exercise are the organization itself, which includes its structure, roles, responsibilities, resources, and culture, and the plans that define the objectives, scope, scenarios, procedures, and evaluation criteria of the exercise. These two areas are essential to ensure that the exercise is realistic, relevant, effective, and aligned with the organization's business continuity objectives and expectations.

Reference:

ISO 22301 Auditing eBook, page 71

ISO 22301:2019, clause 8.5


Question 3

The organization should establish a formal evaluation process for determining continuity and recovery priorities and objectives.

What is one of the purposes of the Business Impact Analysis (BIA)?



Answer : B

One of the purposes of the business impact analysis (BIA) is to determine the minimal acceptable outage (MAO) for each critical function or process of the organization. The MAO is the maximum amount of time that a function or process can be disrupted before it causes unacceptable consequences for the organization. The MAO is used to define the recovery time objective (RTO) and the recovery point objective (RPO) for each function or process. The RTO is the time within which a function or process must be restored after a disruption, and the RPO is the point in time to which the data and information must be recovered. The BIA helps the organization to prioritize its recovery efforts and allocate the necessary resources for business continuity.

Reference: ISO 22301 Auditing eBook, page 38; ISO 22301:2019 standard, clause 8.2.2


Question 4

Which one of the following initiatives of Business Continuity Management is a regulatory system that controls an organization and its activities?



Answer : C

Governance is the initiative of Business Continuity Management that is a regulatory system that controls an organization and its activities. Governance refers to the set of policies, processes, roles, and responsibilities that define how an organization is directed and managed. Governance ensures that the organization's objectives, strategies, and operations are aligned with the expectations and needs of its stakeholders, such as customers, employees, regulators, and shareholders. Governance also provides oversight and accountability for the organization's performance, risks, compliance, and continuity.

Business Continuity Management (BCM) is a key component of governance, as it enables the organization to protect its critical assets and functions, and to respond and recover from disruptive incidents. BCM helps the organization to maintain its reputation, resilience, and value in the face of uncertainty and crisis. BCM also supports the organization's compliance with relevant laws, regulations, standards, and best practices, such as ISO 22301, the international standard for business continuity management systems.

Therefore, governance is the initiative of Business Continuity Management that is a regulatory system that controls an organization and its activities, by providing direction, oversight, and accountability for the organization's continuity and resilience.

Reference:

ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management, Section 1.1: What is Business Continuity Management?, Page 4

ISO 22301 Auditing eBook, Chapter 2: Introduction to ISO 22301, Section 2.1: What is ISO 22301?, Page 9

ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.1: Context of the Organization, Page 13

ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.2: Leadership, Page 16


Question 5

Which objective should be concise and unequivocal?



Answer : A

An unambiguous objective is one that is concise and unequivocal, meaning that it is clear, precise, and leaves no room for doubt or confusion. An unambiguous objective is important for business continuity management, as it helps to ensure that the organization and its stakeholders have a common understanding of what is expected and how to measure the progress and achievement of the objective. An unambiguous objective also helps to avoid misunderstandings, conflicts, or disputes that may arise from vague or ambiguous objectives. According to ISO 22301, business continuity objectives should be consistent with the business continuity policy, measurable, monitored, communicated, and updated as appropriate. They should also be SMART: Specific, Measurable, Achievable, Relevant, and Time-based. These criteria help to ensure that the objectives are unambiguous and effective.

Reference: ISO 22301 Auditing eBook, Chapter 2: Business Continuity Management System (BCMS), Section 2.2: Business Continuity Policy, page 25. ISO 22301 Auditing eBook, Chapter 2: Business Continuity Management System (BCMS), Section 2.3: Business Continuity Objectives, page 26.


Question 6

Which two dependencies are validated by Business Impact Analysis? (Choose two)



Answer : A, B

Business Impact Analysis (BIA) is a process of identifying and evaluating the potential impacts of disruptions to critical business processes, systems, and resources. One of the objectives of BIA is to validate the dependencies of the organization's essential functions and operations. Dependencies are the relationships or interconnections between the organization and its internal or external stakeholders, such as suppliers, customers, partners, regulators, etc. Dependencies can affect the organization's ability to deliver its products and services, and therefore they need to be considered in the BIA process. According to ISO/TS 22317:2021, there are two types of dependencies that are validated by BIA: internal dependencies and external dependencies. Internal dependencies are the dependencies within the organization, such as between different functions, processes, activities, resources, or locations. For example, a production function may depend on the supply of raw materials from a warehouse, or a finance function may depend on the availability of an accounting system. Internal dependencies can be identified by analyzing the inputs and outputs of each function or process, and the resources required to support them. External dependencies are the dependencies outside the organization, such as with suppliers, customers, partners, regulators, or other stakeholders. For example, a retail company may depend on the delivery of goods from its suppliers, or a bank may depend on compliance with regulatory requirements. External dependencies can be identified by analyzing the contracts, agreements, or expectations with the external parties, and the potential impacts of their failure or disruption.

Reference:

ISO/TS 22317:2021, clause 6.3.2


Question 7

How many sections and supporting sections are involved in ISO 22301?



Answer : B

ISO 22301:2019 is the international standard for business continuity management systems (BCMS). It specifies the requirements for establishing, implementing, maintaining, and improving a BCMS that enables an organization to prepare for, respond to, and recover from disruptive incidents. ISO 22301:2019 consists of 13 sections and 2 supporting sections. The 13 sections are:

Scope: This section defines the scope and applicability of the standard and its intended outcomes.

Normative references: This section lists the normative references that are indispensable for the application of the standard, such as ISO 31000 and ISO/IEC 27000.

Terms and definitions: This section provides the definitions of the terms used in the standard, such as business continuity, incident, and risk.

Context of the organization: This section requires the organization to determine its internal and external issues, the needs and expectations of its interested parties, and the scope and boundaries of its BCMS.

Leadership: This section requires the top management to demonstrate leadership and commitment, establish the business continuity policy and objectives, assign roles and responsibilities, and support the BCMS.

Planning: This section requires the organization to plan actions to address risks and opportunities, achieve the business continuity objectives, and integrate the BCMS into its business processes.

Support: This section requires the organization to provide the necessary resources, competence, awareness, communication, and documented information to support the BCMS.

Operation: This section requires the organization to implement the operational planning and control, conduct the business impact analysis and risk assessment, determine the business continuity strategy and solutions, establish and implement the business continuity procedures, and exercise and test the BCMS.

Performance evaluation: This section requires the organization to monitor, measure, analyze, and evaluate the performance and effectiveness of the BCMS, conduct internal audits, and review the BCMS at planned intervals.

Improvement: This section requires the organization to identify and implement opportunities for improvement, address nonconformities and take corrective actions, and continually improve the BCMS.

Annex A: This section provides informative guidance on the relationship between the clauses of ISO 22301:2019 and ISO 22313:2020, which is the international standard for business continuity management systems - guidance on the use of ISO 22301.

Annex B: This section provides informative guidance on the relationship between the clauses of ISO 22301:2019 and ISO 31000:

