PECB ISO-22301-Lead-Auditor ISO 22301 Lead Auditor Exam Practice Test

Answer : A

The clarify and confirm step is the first step of the audit planning process, where the auditor clarifies the requirements with the business leads, such as the audit client, the auditee, and the audit team. The purpose of this step is to ensure that the audit objectives, scope, criteria, and deliverables are clearly defined, understood, and agreed upon by all the parties involved. The clarify and confirm step also involves the identification of the audit risks, opportunities, and resources, as well as the establishment of the audit communication channels and protocols. The clarify and confirm step is essential to ensure that the audit is aligned with the expectations and needs of the stakeholders, and that the audit is feasible, effective, and efficient.Reference:

PECB Certified ISO 22301 Lead Auditor eLearning Training Course1, Module 4: Preparation of an ISO 22301 audit, Lesson 4.1: Audit planning, Slide 5: Audit planning process

ISO 22301 Auditing eBook2, Chapter 4: Preparation of an ISO 22301 audit, Section 4.1: Audit planning, Subsection 4.1.1: Clarify and confirm

Answer : A

According to ISO 22301 Auditing eBook, Chapter 3.2.1, people-oriented objectives are the objectives that are related to shaping the attitudes, behaviours, and skills of individuals within the organization. These objectives aim to enhance the awareness, competence, and commitment of the personnel involved in the business continuity management system (BCMS). Some examples of people-oriented objectives are:

To increase the level of business continuity awareness among all employees by conducting regular training and awareness sessions.

To ensure that all business continuity roles and responsibilities are clearly defined and communicated to the relevant personnel.

To develop and maintain the necessary skills and knowledge for performing business continuity tasks and activities.

To foster a culture of business continuity within the organization that encourages participation, collaboration, and continuous improvement.

People-oriented objectives are important for ensuring that the organization has the human resources required for implementing and maintaining the BCMS, and for achieving the desired business continuity performance and results.Reference: ISO 22301 Auditing eBook, Chapter 3.2.1.

Answer : B

One of the purposes of the business impact analysis (BIA) is to determine the minimal acceptable outage (MAO) for each critical function or process of the organization. The MAO is the maximum amount of time that a function or process can be disrupted before it causes unacceptable consequences for the organization. The MAO is used to define the recovery time objective (RTO) and the recovery point objective (RPO) for each function or process. The RTO is the time within which a function or process must be restored after a disruption, and the RPO is the point in time to which the data and information must be recovered. The BIA helps the organization to prioritize its recovery efforts and allocate the necessary resources for business continuity.Reference: ISO 22301 Auditing eBook, page 38; ISO 22301:2019 standard, clause 8.2.2

Answer : C

The scope of the business continuity management system (BCMS) is the statement that defines the boundaries and applicability of the BCMS. It specifies which products, services, processes, locations, and organizational units are covered by the BCMS, as well as any exclusions or limitations. The scope should document and explain any exclusions, which are the products, services, or processes that are not within the scope of the BCMS. Exclusions may be justified for various reasons, such as:

The products, services, or processes are not critical to the organization's operations and objectives.

The products, services, or processes are already covered by other management systems or plans.

The products, services, or processes are outside the organization's control or influence.

The products, services, or processes are not relevant or applicable to the organization's context or needs.

However, the exclusions should not affect the organization's ability to provide products and services that meet the requirements and expectations of its interested parties. The exclusions should also not compromise the conformity of the BCMS with the requirements of ISO 22301, the international standard for business continuity management systems. The scope and the exclusions should be documented in a clear and concise manner, and communicated to all relevant stakeholders. The scope and the exclusions should also be reviewed and updated regularly to reflect the changing circumstances and needs of the organization.Reference:

ISO 22301:2019 - Security and resilience --- Business continuity management systems --- Requirements, Clause 4.3: Determining the scope of the business continuity management system1

ISO 22301 Auditing eBook, Chapter 3: Business Continuity Integration, Section 3.1: Business Continuity Integration Levels2

ISO 22301 Clause 4.3 Determining the Scope of the Business Continuity Management System3

Answer : C

Business continuity programs should be a part of the governance process of the organization, which is the system by which the organization is directed and controlled. The governance process involves setting the strategic direction, establishing the policies and objectives, allocating the resources, monitoring the performance, and ensuring the accountability and transparency of the organization. Business continuity programs support the governance process by ensuring the continuity of the organization's critical functions and processes in the event of a disruptive incident, and by enhancing the organization's resilience and reputation.Reference: ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems (BCMS), Section 1.1: Governance, page 8.

Answer : B

Regulatory compliance is the adherence to laws, regulations, guidelines and specifications relevant to an organization's business processes. It has always been a challenge to organizations since it has a significant influence on corporate planning, such as strategic objectives, policies, procedures, risk management, performance measurement and improvement. Regulatory compliance can also affect the organization's reputation, customer satisfaction, stakeholder confidence and legal liability. Therefore, organizations need to establish, implement, maintain and improve a business continuity management system (BCMS) that meets the requirements of ISO 22301 and other applicable regulations.Reference: ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems (BCMS), Section 1.2: Regulatory Compliance, page 9.

Answer : A

Most government policies have direct influences on how organizations shape their business strategies and plans, as they affect the legal, regulatory, economic, and social environment in which the organizations operate. Government policies can create opportunities or threats for the organizations, depending on their nature and impact. For example, government policies can affect the taxation, trade, security, environmental, and human rights aspects of the organizations' activities. Therefore, organizations need to monitor and analyze the government policies that are relevant to their business objectives and interests, and adapt their business strategies and plans accordingly.This is also important for the business continuity management system (BCMS), as it helps the organizations to identify and address the risks and opportunities related to the government policies, and to ensure the compliance and resilience of their BCMS.Reference: ISO 22301 Auditing eBook, page 131; ISO 22301:2019, clause 4.12