ISO-22301-Lead-Auditor Sample Questions Answers

 The scope of the business continuity management system (BCMS) is the statement that defines the boundaries and applicability of the BCMS. It specifies which products, services, processes, locations, and organizational units are covered by the BCMS, as well as any exclusions or limitations. The scope should document and explain any exclusions, which are the products, services, or processes that are not within the scope of the BCMS. Exclusions may be justified for various reasons, such as:

• The products, services, or processes are not critical to the organization’s operations and objectives.
• The products, services, or processes are already covered by other management systems or plans.
• The products, services, or processes are outside the organization’s control or influence.
• The products, services, or processes are not relevant or applicable to the organization’s context or needs.

However, the exclusions should not affect the organization’s ability to provide products and services that meet the requirements and expectations of its interested parties. The exclusions should also not compromise the conformity of the BCMS with the requirements of ISO 22301, the international standard for business continuity management systems. The scope and the exclusions should be documented in a clear and concise manner, and communicated to all relevant stakeholders. The scope and the exclusions should also be reviewed and updated regularly to reflect the changing circumstances and needs of the organization. References:

• ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements, Clause 4.3: Determining the scope of the business continuity management system1
• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Integration, Section 3.1: Business Continuity Integration Levels2
• ISO 22301 Clause 4.3 Determining the Scope of the Business Continuity Management System3

The resources that are involved in business continuity to continue critical operations at an acceptable level are premises, information, technology, and supplies. These are the four types of resources that are defined by ISO 22301, the international standard for business continuity management systems (BCMS). According to ISO 22301, a resource is anything that can be used to achieve an objective1. The standard specifies the following types of resources and their definitions2:

• Premises: The physical location where an organization operates or stores its assets.
• Information: The data and knowledge that are necessary for an organization to function or provide its products and services.
• Technology: The equipment, software, and systems that are used to process, store, transmit, or receive information, or to support the delivery of products and services.
• Supplies: The materials, goods, or services that are required for an organization to operate or produce its products and services.

These resources are essential for business continuity because they enable an organization to perform its critical activities, which are the activities that have to be performed to deliver the key products and services that meet the minimum acceptable level of service and the needs of the interested parties3. Therefore, an organization needs to identify, prioritize, protect, and restore these resources in the event of a disruption, as part of its BCMS.

The other options are not correct because they are not types of resources that are involved in business continuity to continue critical operations at an acceptable level, according to ISO 22301. Data is a subset of information, and it is not a separate type of resource. Knowledge is also a part of information, and it is not a distinct type of resource.

References: 1: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.33 2: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.34-3.37 3: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.7 : ISO 22301 Auditing eBook, Chapter 2.2.2 : ISO 22301 Auditing eBook, Chapter 2.2.3 : ISO 22301 Auditing eBook, Chapter 2.2.4

 The media and press have a profound impact on the long-term performance, or in some cases, the survival of an organization, especially in the aftermath of a disruptive incident. The media and press can influence the perception and reputation of the organization, as well as the expectations and satisfaction of its stakeholders, such as customers, suppliers, regulators, employees, and the general public. Therefore, it is important for the organization to establish and maintain a positive relationship with the media and press, and to communicate effectively and transparently during and after a crisis. ISO 22301:2019, Clause 8.4.3, requires the organization to establish, implement, and maintain a documented procedure to manage communications with relevant interested parties during a disruptive incident. The procedure should include the identification of the spokesperson(s) who will communicate with the media and press, the preparation of key messages and statements, the approval and distribution of information, and the monitoring and evaluation of the effectiveness of the communications. The organization should also consider the potential legal andethical implications of its communications, and ensure that the information provided is accurate, consistent, and timely. References: ISO 22301:2019, Clause 8.4.3; ISO 22301 Auditing eBook, Chapter 4.3.3.

Communication is the process of engaging staff and external stakeholders in all aspects of the BCMS. Communication ensures that the BCMS objectives, policies, procedures, roles and responsibilities are understood and accepted by the relevant parties. Communication also facilitates the exchange of information and feedback between the BCMS and its interested parties, such as customers, suppliers, regulators, media, etc. Communication helps to build trust, awareness and commitment to the BCMS, as well as to enhance its performance and effectiveness. References: ISO 22301 Auditing eBook, page 30; ISO 22301:2019, clause 7.4

Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities1. One of the main objectives of BCM is to prepare the entire organization in advance of any major incident, so that it can respond and recover effectively and efficiently. This is achieved by implementing a Business Continuity Management System (BCMS), which is a set of policies, processes, procedures, roles, responsibilities, resources, and plans that enable an organization to manage business continuity2.

According to ISO 22301, the international standard for BCMS, one of the benefits of implementing a BCMS is that it helps an organization to establish a culture of good business practice, which is an initiative that helps in preparing the entire organization in advance of any major incident3. Good business practice means that an organization follows the principles of business continuity, such as customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management. By adopting these principles, an organization can enhance its resilience, reduce its risks, improve its performance, and increase its customer satisfaction.

The other options are not correct because they are not initiatives of BCM that help in preparing the entire organization in advance of any major incident. Leadership is a principle of business continuity, but it is not an initiative by itself. It refers to the role of top management in establishing the BCMS, providing direction and support, and ensuring its effectiveness. Governance is a function of the organization that ensures that the BCMS is aligned with the strategic objectives, complies with the legal and regulatory requirements, and meets the expectations of the interested parties. Long range focus is a characteristic of a resilient organization, but it is not an initiative of BCM. It means that an organization anticipates and adapts to the changing environment, and plans for the future.

References: 1: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.4 2: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.5 3: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Introduction : ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 0.2 : ISO 22301 Auditing eBook, Chapter 2.2.2 : ISO 22301 Auditing eBook, Chapter 2.1.1

 All outsourced functions or processes that are part of the organization’s delivery system should be included in the scoping analysis, as they can have a significantimpact on the organization’s ability to deliver its products or services in the event of a disruption. The organization should also consider the dependencies and interdependencies between its internal and external functions or processes, and the potential consequences of their failure or disruption. The organization should define the scope of its business continuity management system (BCMS) based on the results of the scoping analysis and document it in the BCMS policy. References: ISO 22301 Auditing eBook, page 29; ISO 22301:2019 standard, clause 4.3

The top management should demonstrate its commitment to the business continuity management system (BCMS) by conducting effective management reviews of the BCMS and ensuring that the business continuity management (BCM) objectives are aligned to the strategic goals of the business. These are two of the requirements of ISO 22301, the international standard for business continuity management systems, under clause 5.1: Leadership and commitment1.

Management reviews are periodic evaluations of the BCMS by the top management to assess its suitability, adequacy, and effectiveness. Management reviews help to ensure that the BCMS is performing as intended and meeting the requirements and expectations of the interested parties. Management reviews also help to identify and address any issues, gaps, or opportunities for improvement in the BCMS. Management reviews should be conducted at planned intervals, based on the organization’s needs and context. Management reviews should consider various inputs, such as the performance and results of the BCMS, the feedback and satisfaction of the interested parties, the internal and external audits, the corrective actions, the changes that may affect the BCMS, etc. Management reviews should also produce various outputs, such as the decisions and actions related to the improvement and effectiveness of the BCMS, the allocation of resources, the revision of policies and objectives, the communication of the results and outcomes, etc. Management reviews are an important way for the top management to demonstrate its commitment to the BCMS, as they show that the top management is actively involved in overseeing and supporting the BCMS.

BCM objectives are the specific and measurable outcomes that the organization intends to achieve with its BCMS. BCM objectives help to guide and direct the organization’s BCM activities and processes, as well as to evaluate and improve the organization’s BCM performance and capability. BCM objectives should be consistent with the organization’s business continuity policy and aligned with the organization’s strategic goals and vision. BCM objectives should also be relevant and meaningful to the organization’s context and needs, as well as the requirements and expectations of the interested parties. BCM objectives should be established and maintained by the top management, in consultation with the relevant stakeholders. BCM objectives should also be communicated and understood within the organization, as well as reviewed and updated regularly to reflect the changing circumstances and needs of the organization. Ensuring that the BCM objectives are aligned to the strategic goals of the business is an important way for the top management to demonstrate its commitment to the BCMS, as it shows that the top management is integrating BCM into the organization’s overall strategy and direction.

References:

• ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements, Clause 5.1: Leadership and commitment1
• ISO 22301 Auditing eBook, Chapter 2: Business Continuity Concepts and Principles, Section 2.6: Business Continuity Objectives2
• ISO 22301 Auditing eBook, Chapter 5: Audit Process, Section 5.3: Audit Criteria3

Succession planning is the type of planning that minimizes impacts due to the unavailability of key staff. Succession planning is a process of identifying and developing potential successors for key positions in an organization. It helps to ensure the continuity of leadership and critical skills in the event of staff turnover, retirement, resignation, illness, death, or any other cause of unavailability. Succession planning is an important component of business continuity management, as it helps to reduce the risk of disruption and loss of performance due to the loss of key staff. Succession planning also helps to retain and motivate high-potential employees, as well as to enhance the organization’s reputation and attractiveness as an employer. Succession planning should be aligned with the organization’sstrategic objectives, culture, and values. It should also be based on a systematic assessment of the current and future needs of the organization, as well as the competencies and potential of the existing and prospective staff. Succession planning should involve the participation and commitment of senior management, human resources, and the relevant staff. It should also be reviewed and updated regularly to reflect the changing circumstances and needs of the organization. References:

• ISO/TS 30433:2021 - Human resource management — Succession planning metrics cluster1
• ISO 22301 Auditing eBook, Chapter 2: Business Continuity Concepts and Principles, Section 2.4: Business Continuity Strategy2
• ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements, Clause 7.2: Competence3

 Non-compliance can often lead to undesirable outcomes. Non-compliance means the failure or refusal to comply with the requirements and expectations of a standard, regulation, contract, policy, or other obligation. Non-compliance can have negative consequences for an organization, such as:

• Legal penalties: Non-compliance can result in fines, sanctions, lawsuits, or criminal charges from the authorities or other parties that have the power to enforce the compliance. For example, non-compliance with data protection laws can lead to hefty fines and reputational damage for the organization.
• Loss of trust: Non-compliance can erode the confidence and trust of the stakeholders, such as customers, suppliers, employees, investors, regulators, etc. This can affect the organization’s reputation, credibility, and competitiveness in the market. For example, non-compliance with quality standards can lead to customer dissatisfaction and defection.
• Loss of business: Non-compliance can cause the organization to lose business opportunities, contracts, or partnerships with other organizations that require or expect compliance. For example, non-compliance with environmental standards can prevent the organization from entering certain markets or sectors that have strict sustainability criteria.
• Loss of continuity: Non-compliance can expose the organization to increased risks and vulnerabilities that can disrupt its operations and performance. For example, non-compliance with business continuity standards can impair the organization’s ability to respond to and recover from disruptive incidents, such as natural disasters, cyberattacks, supply chain failures, etc.

Therefore, non-compliance can often lead to undesirable outcomes that can harm the organization’s interests, objectives, and values. To avoid these outcomes, the organization should establish, implement, and maintain a compliance management system that ensures the organization’s adherence to the relevant standards, regulations, contracts, policies, and other obligations. The compliance management system should also include mechanisms for monitoring, measuring, reviewing, and improving the organization’s compliance performance and effectiveness. References:

• ISO 19600:2014 - Compliance management systems — Guidelines1
• ISO 22301 Auditing eBook, Chapter 5: Audit Process, Section 5.2: Audit Objectives2
• ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements, Clause 9.1: Monitoring, measurement, analysis and evaluation3

Scope is the term that defines the area of operation in which the task and its activities should be performed, as described in ISO 22301. Scope is one of the key elements of a business continuity plan (BCP), which is a documented information that specifies the procedures and resources needed to manage a disruptive incident and ensure the continuity of the organization’s critical functions. Scope helps to define the boundaries and applicability of the BCP, as well as the roles and responsibilities of the involved parties. Scope also helps to ensure the consistency and compatibility of the BCP with the organization’s business continuity objectives and strategies. Scope is one of the key requirements of ISO 22301, as it provides the basis for planning, implementing, monitoring, reviewing, and improving the business continuity management system (BCMS). References: ISO 22301 Auditing eBook, page 36 1; ISO 22301:2019, clause 8.4.2 2

 Deliverables are the specific tasks, products, or outcomes that are required in order to complete the project. They are the tangible and measurable results of the project activities, and they should be aligned with the project objectives and scope. Deliverables can be classified into two types: project deliverables and process deliverables. Project deliverables are the outputs that directly contribute to the achievement of the project goals, such as reports, plans, documents, software, hardware, etc. Process deliverables are the outputs that support the management and execution of the project, such as schedules, budgets, risk assessments, audits, etc. Deliverables should be clearly defined, agreed upon, and accepted by the project stakeholders, and they should be monitored and controlled throughout the project lifecycle. According to ISO 22301, some of the deliverables for implementing a business continuity management system (BCMS) are: business continuity policy, business continuity objectives, business impact analysis, risk assessment and treatment, business continuity strategy, business continuity plans, business continuity procedures, performance indicators, audit reports, corrective actions, etc. References: ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.1: Project Management, page 39. ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.2: Project Deliverables, page 40.

The team that is responsible for determining how the impact of the incident is managed within the policy guidelines set by the strategic team is the tactical team. The tactical team is composed of managers or experts who have the authority and competence to make decisions and allocate resources to implement the business continuity plans and strategies. The tactical team coordinates and communicates with the operational team, which is responsible for executing the recovery and restoration activities, and reports to the strategic team, which is responsible for setting the overall direction and objectives of the incident response1.

References: 1: ISO 22301 Auditing eBook, Chapter 7: Business Continuity Response, Section 7.2: Incident Management Structure, Subsection 7.2.1: Incident Management Teams, Page 103

 According to ISO 22301:2019, Clause 7.2, the organization must determine the necessary competence of persons doing work under its control that affects its business continuity performance. The organization must ensure that these persons are competent on the basis of appropriate education, training, or experience, and where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. The organization must also retain appropriate documented information as evidence of competence. Therefore, people are the ones who have determined roles and responsibilities based on knowledge and skills profiles, as they are the key resources for implementing and maintaining the business continuity management system (BCMS). References: ISO 22301:2019, Clause 7.2; ISO 22301 Auditing eBook, Chapter 4.2.2.

The Statement of Applicability (SOA) is a document that identifies the applicable requirements of ISO 22301 and explains how they are addressed by the organization’s Business Continuity Management System (BCMS). The SOA is prepared during the planning phase of the PDCA cycle, as part of the process of establishing the BCMS scope, objectives, and policy. The SOA is based on the results of the business impact analysis, risk assessment, and risk treatment, and it provides a rationale for the inclusion or exclusion of each requirement. The SOA also helps to demonstrate the conformity of the BCMS with the standard and to communicate the BCMS scope and objectives to interested parties. References: ISO 22301:2019, Clause 6.1.3; ISO 22301 Auditing eBook, Chapter 4.2.2.

A competitor is an organization or individual that operates in the same market as another organization or individual and offers similar products or services that are in direct or indirect competition with each other. Competitors are interested parties that can affect or be affected by the organization’s business continuity objectives, strategies, and performance. Competitors can also pose threats or opportunities for the organization’s business continuity management system (BCMS). References: ISO 22301 Auditing eBook, page 18; ISO 22301:2019 standard, clause 3.3.1

The clarify and confirm step is the first step of the audit planning process, where the auditor clarifies the requirements with the business leads, such as the audit client, the auditee, and the audit team. The purpose of this step is to ensure that the audit objectives, scope, criteria, and deliverables are clearly defined, understood, and agreed upon by all the parties involved. The clarify and confirm step also involves the identification of the audit risks, opportunities, and resources, as well as the establishment of the audit communication channels and protocols. The clarify and confirm step is essential to ensure that the audit is aligned with the expectations and needs of the stakeholders, and that the audit is feasible, effective, and efficient. References:

• PECB Certified ISO 22301 Lead Auditor eLearning Training Course1, Module 4: Preparation of an ISO 22301 audit, Lesson 4.1: Audit planning, Slide 5: Audit planning process
• ISO 22301 Auditing eBook2, Chapter 4: Preparation of an ISO 22301 audit, Section 4.1: Audit planning, Subsection 4.1.1: Clarify and confirm

 A risk assessment is a review that uncovers the vulnerability and exposure of the organizational activities to specific types or risk. A risk assessment helps to identify, analyze, and evaluate the potential threats and impacts that could affect the organization’s ability to achieve its objectives and maintain its continuity. A risk assessment also helps to determine the appropriate risk treatment options and controls to reduce the likelihood and/or consequences of the risks. A risk assessment is an essential part of the business continuity management system (BCMS) as it enables the organization to prioritize its business continuity requirements and resources based on the level of risk. References:

• ISO 22301 Auditing eBook, page 25
• ISO 22301:2019, clause 6.1.2

The Check phase of the PDCA cycle is the phase that determines potential issues pertaining to the management of the BCMS. The Check phase involves monitoring and evaluating the performance and effectiveness of the BCMS and identifying any gaps, nonconformities, risks, or opportunities for improvement. The Check phase also involves collecting and analyzing data and information related to the BCMS, such as the results of audits, reviews, tests, exercises, surveys, and feedback. The Check phase provides valuable input for the Act phase, where corrective and preventive actions are taken to address the issues and improve the BCMS. References: : ISO 22301 Auditing eBook, page 11 : ISO 22301:2019, clause 9.1 : Business continuity and ISO 22301 - Qudos : ISO 22313:2020(en), Security and resilience ? Business continuity …

The PDCA paradigm cycle is widely recognized as a process-centric approach. The PDCA cycle, also known as the Deming cycle or the Shewhart cycle, is a four-step model for carrying out change and improvement in a systematic and consistent way. The PDCA cycle consists of the following phases: Plan, Do, Check, and Act. The Plan phase involves identifying the problem, setting the objectives, and developing the plan for improvement. The Do phase involves implementing the plan and carrying out the actions. The Check phase involves monitoring and measuring the results and comparing them with the objectives. The Act phase involves taking corrective actions, standardizing the improvement, and reviewing the process. The PDCA cycle is a process-centric approach because it focuses on the processes and their interactions that deliver the desired outcomes and performance. The PDCA cycle helps to ensure that the processes are planned, executed, evaluated, and improved in a continuous and consistent manner. The PDCA cycle is also aligned with the process approach principle of ISO 22301, the international standard for business continuity management systems. ISO 22301 requires the organization to apply the PDCA cycle to its business continuity management system, as well as to its individual processes and activities. The PDCA cycle helps the organization to establish, implement, operate, monitor, review, maintain, and continually improve its business continuity management system and its ability to respond to and recover from disruptive incidents. References:

• ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems, Section 1.3: PDCA Cycle1
• ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements, Clause 0.3: The Plan-Do-Check-Act cycle2
• What is the Plan-Do-Check-Act (PDCA) Cycle?3

According to the ISO 22301 Auditing eBook, there are five types of strategies involved in the process-centric approach to business continuity management. They are:

• Business continuity strategy: This is the overall approach that provides a framework for ensuring the continuity of an organization’s critical functions in the event of a disruption. It defines the objectives, scope, principles, and policies of the business continuity management system (BCMS).
• Recovery strategy: This is the specific approach that defines how an organization will restore its critical functions within a predefined time frame after a disruption. It identifies the resources, actions, and procedures required to recover the critical functions and resume normal operations.
• Continuity strategy: This is the specific approach that defines how an organization will maintain its critical functions during a disruption. It identifies the alternative arrangements, methods, and modes of operation that will enable the organization to continue delivering its products or services at an acceptable level of performance.
• Mitigation strategy: This is the specific approach that defines how an organization will reduce the likelihood and/or impact of a disruption. It identifies the preventive and protective measures that will minimize the exposure and vulnerability of the organization to potential threats and risks.
• Response strategy: This is the specific approach that defines how an organization will react to a disruption. It identifies the roles, responsibilities, and authorities of the incident management team, the communication channels and protocols, and the escalation and notification procedures.

References: ISO 22301 Auditing eBook, pages 40-42

Process management is the framework that is a continuous and progressive cycle that requires managerial, operational, administrative and technical support. Process management refers to the design, implementation, monitoring, evaluation, and improvement of the processes that deliver value to the organization and its stakeholders. Process management involves the following steps:

• Define the process: Identify the purpose, scope, objectives, inputs, outputs, activities, roles, and responsibilities of the process.
• Document the process: Create a visual representation of the process flow, such as a flowchart, diagram, or map, that shows the sequence of tasks, decisions, and interactions within the process.
• Implement the process: Execute the process according to the defined and documented specifications, using the appropriate resources, tools, and methods.
• Monitor the process: Measure and analyze the performance of the process, using key performance indicators (KPIs), metrics, and feedback mechanisms, to ensure that the process meets the expected outcomes and quality standards.
• Evaluate the process: Review and assess the effectiveness and efficiency of the process, using audit, review, and evaluation techniques, to identify the strengths, weaknesses, opportunities, and threats of the process.
• Improve the process: Implement corrective and preventive actions, based on the results of the evaluation, to enhance the process and eliminate or reduce the causes of nonconformities, errors, or inefficiencies.

Process management is a continuous and progressive cycle that requires managerial, operational, administrative and technical support, as the process is constantly subject to change and improvement, based on the changing needs and expectations of the organization and its stakeholders. Process management also supports the implementation and maintenance of a business continuity management system (BCMS), as it helps the organization to identify, protect, and optimize its critical business processes and resources, and to ensure their continuity and resilience in the event of a disruption. References:

• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.4: Planning, Page 18
• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.6: Performance Evaluation, Page 21
• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.7: Improvement, Page 23
• ISO 22301 Auditing eBook, Chapter 4: Business Continuity Management System Audit, Section 4.1: Audit Principles, Page 26
• ISO 22301 Auditing eBook, Chapter 4: Business Continuity Management System Audit, Section 4.3: Audit Process, Page 28

According to ISO 22301:2019, Clause 6.1.2, the organization must establish, implement, and maintain a documented process to manage risks related to the continuity of its critical functions and the achievement of its business continuity objectives. The risk management process should include the identification, analysis, and evaluation of the risks that may cause disruption to the organization’s operations, products, and services. The level of risk for an organization should be determined by combining the consequence and likelihood of the events that may lead to disruption, as well as the organization’s risk criteria, risk appetite, and risk tolerance. The consequence of an event is the impact or effect that it may have on the organization’s objectives, reputation, stakeholders, and resources. The likelihood of an event is the probability or frequency that it may occur, based on historical data, statistical analysis, expert judgment, or other methods. The organization should use appropriate tools and techniques to assess the level of risk, such as risk matrices, risk registers, risk maps, or risk software. The organization should also document the results of the risk assessment and communicate them to relevant interested parties. The purpose of risk management for business continuity is to find out what problems an organization may face, and to take appropriate actions to prevent, mitigate, or transfer the risks, or to accept them if they are within the organization’s riskcriteria. References: ISO 22301:2019, Clause 6.1.2; ISO 22301 Auditing eBook, Chapter 4.2.2.

 Policy documents are developed in accordance to the framework of objectives, which are derived from the organization’s strategic direction, context, and interested parties’ needs and expectations. Policy documents provide guidance and direction for the organization’s business continuity management system (BCMS) and set the overall tone and commitment of top management. Policy documents also define the scope and boundaries of the BCMS and the roles and responsibilities of the relevant parties. References: ISO 22301 Auditing eBook, page 28; ISO 22301:2019 standard, clause 5.2

 According to ISO 22301 Lead Auditor objectives and content, workshops are one of the methods that can be used to conduct a business impact analysis (BIA). Workshops bring a group of people together into a discussion, where they can share their knowledge, opinions, and perspectives on the organization’s processes, resources, dependencies, and impacts. Workshops can help to identify and prioritize the critical activities and resources that are essential for the continuity of theorganization’s operations. Workshops can also facilitate the communication and collaboration among different stakeholders, such as process owners, managers, employees, and customers. Workshops can be conducted in various formats, such as face-to-face, online, or hybrid, depending on the availability and preferences of the participants. Workshops should be planned and facilitated by a competent person, who can guide the discussion, ask relevant questions, collect and document the information, and ensure the validity and consistency of the results. References: ISO 22301 Auditing eBook, page 381; ISO 22301 Clause 8.2 Business impact analysis and risk assessment2

 The Do step in the PDCA cycle implements the previous selected controls to meet the control objectives. According to the ISO 22301 Auditing eBook, the Do step involves implementing and operating the business continuity policy, controls, processes, and procedures that have been planned in the previous step. The Do step also includes establishing the necessary resources, competencies, awareness, communication, and documentation to support the effective operation of the business continuity management system (BCMS). The Do step aims to ensure that the organization is prepared to respond to and recover from disruptive incidents in a timely and effective manner. References: ISO 22301 Auditing eBook, pages 9, 10, 11, 22, 23, and 24.

SMART is an acronym for Specific, Measurable, Achievable, Relevant, and Time-bound. It is a method of setting objectives and evaluating performance that entails the use of unstructured narrative style to inform specific factors and the overall work performance. SMART objectives are clear, realistic, and measurable, and they help to align the individual’s goals with the organization’s strategy. SMART objectives also provide feedback and motivation for the individual and the team. References: ISO 22301 Auditing eBook, page 321

The act step in the PDCA cycle validates improvements by taking actions to address any gaps, nonconformities, or opportunities for improvement identified in the check step. The act step also involves reviewing the effectiveness of the actions taken and determining whether further improvement is possible or necessary. The act step closes the PDCA cycle and leads to a new plan step for the next cycle of continual improvement. The act step is one of the key requirements of ISO 22301, as it demonstrates theorganization’s commitment to enhance its business continuity capability and performance. References: ISO 22301 Auditing eBook, page 10 1; ISO 22301:2019, clause 0.3 2