Master {PECB} {ISO 22301 Lead Auditor}: Your Gateway to BCMS Excellence

Correct : A

Supporting functions are the functions that provide support to the critical functions of an organization, such as human resources, finance, IT, or facilities management. Supporting functions are essential for the continuity of the critical functions, but they are not directly involved in delivering the products or services to the customers. Supporting functions are also part of the scope of the business continuity management system (BCMS) and need to be identified, analyzed, and protected by the organization.Supporting functions are one of the key concepts of ISO 22301, as they help the organization to determine its business continuity requirements and strategies.Reference: ISO 22301 Auditing eBook, page 231; ISO 22301:2019, clause 8.2.22

Correct : A

Corporate Services and Information Technology are the functions that provide a range of physical and technological infrastructure services to all other functions, such as human resources, finance, legal, procurement, facilities, security, IT systems, networks, applications, databases, etc. These functions are essential for the continuity of the organization's operations, as they support the delivery of products and services to customers and stakeholders. Therefore, they need to be included in the scope and objectives of the business continuity management system (BCMS), and their roles and responsibilities need to be defined and communicated.Reference: ISO 22301 Auditing eBook, Chapter 2: Business Continuity Management System (BCMS), Section 2.1: Scope and Objectives, page 23.

Correct : A, D

Business continuity can be integrated into two levels of the organization's activities: management and processes. According to the ISO 22301 Auditing eBook, 'Business continuity integration is the process of embedding business continuity principles and practices into the organization's culture, values, and operations.Business continuity integration aims to ensure that business continuity is not seen as a separate function or project, but as an integral part of the organization's management and processes.'1

Business continuity integration at the management level involves the following aspects1:

Leadership and commitment: The top management of the organization should demonstrate leadership and commitment to the business continuity management system (BCMS) by establishing the business continuity policy, objectives, and roles, as well as providing the necessary resources and support for the BCMS.

Planning and strategy: The organization should plan and develop its business continuity strategy and objectives based on the results of the business impact analysis and risk assessment, as well as the needs and expectations of the interested parties. The organization should also plan the actions to address the risks and opportunities related to the BCMS, as well as the changes that may affect the BCMS.

Monitoring and evaluation: The organization should monitor and measure the performance and effectiveness of the BCMS, as well as the compliance with the requirements and expectations of the interested parties. The organization should also conduct internal and external audits, management reviews, and corrective actions to evaluate and improve the BCMS.

Continual improvement: The organization should continually improve the suitability, adequacy, and effectiveness of the BCMS by identifying and implementing opportunities for enhancement and innovation.

Business continuity integration at the process level involves the following aspects1:

Process identification and analysis: The organization should identify and analyze its processes and their interactions, as well as their criticality, dependencies, and recovery priorities. The organization should also determine the minimum business continuity objectives (MBCOs), recovery time objectives (RTOs), and recovery point objectives (RPOs) for each process.

Process design and implementation: The organization should design and implement its processes in accordance with the business continuity strategy and objectives, as well as the requirements and expectations of the interested parties. The organization should also establish and maintain the business continuity plans and procedures that specify the actions and responsibilities for responding to and recovering from disruptive incidents.

Process control and operation: The organization should control and operate its processes in a consistent and effective manner, as well as ensure the availability and reliability of the resources and assets that support the processes. The organization should also conduct exercises and tests to verify and validate the functionality and operability of the processes and the business continuity plans and procedures.

Process improvement and optimization: The organization should improve and optimize its processes by applying the PDCA cycle and the process approach principles. The organization should also seek to enhance the resilience and adaptability of its processes to cope with changing circumstances and needs.

ISO 22301 Auditing eBook, Chapter 3: Business Continuity Integration, Section 3.1: Business Continuity Integration Levels1

ISO 22301:2019 - Security and resilience --- Business continuity management systems --- Requirements2

Correct : A

The outgoing commitment from executive management helps to embed a positive business continuity culture within the organization by demonstrating leadership and support for the business continuity management system (BCMS) and its objectives. Executive management is responsible for establishing the BCMS policy, ensuring the alignment of the BCMS with the organization's strategic direction, providing the necessary resources for the BCMS, communicating the importance of the BCMS, and promoting continual improvement of the BCMS. Executive management also sets an example for the rest of the organization by being actively involved in the BCMS activities and ensuring accountability and responsibility for the BCMS performance.Reference: ISO 22301 Auditing eBook, page 27; ISO 22301:2019 standard, clause 5.1

Correct : D

The team that is responsible for determining how the impact of the incident is managed within the policy guidelines set by the strategic team is thetactical team. The tactical team is composed of managers or experts who have the authority and competence to make decisions and allocate resources to implement the business continuity plans and strategies.The tactical team coordinates and communicates with the operational team, which is responsible for executing the recovery and restoration activities, and reports to the strategic team, which is responsible for setting the overall direction and objectives of the incident response1.