ISO-22301-Lead-Auditor Questions and Answers

 The scope of the business continuity management system (BCMS) is the statement that defines the boundaries and applicability of the BCMS. It specifies which products, services, processes, locations, and organizational units are covered by the BCMS, as well as any exclusions or limitations. The scope should document and explain any exclusions, which are the products, services, or processes that are not within the scope of the BCMS. Exclusions may be justified for various reasons, such as:

• The products, services, or processes are not critical to the organization’s operations and objectives.
• The products, services, or processes are already covered by other management systems or plans.
• The products, services, or processes are outside the organization’s control or influence.
• The products, services, or processes are not relevant or applicable to the organization’s context or needs.

However, the exclusions should not affect the organization’s ability to provide products and services that meet the requirements and expectations of its interested parties. The exclusions should also not compromise the conformity of the BCMS with the requirements of ISO 22301, the international standard for business continuity management systems. The scope and the exclusions should be documented in a clear and concise manner, and communicated to all relevant stakeholders. The scope and the exclusions should also be reviewed and updated regularly to reflect the changing circumstances and needs of the organization. References:

• ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements, Clause 4.3: Determining the scope of the business continuity management system1
• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Integration, Section 3.1: Business Continuity Integration Levels2
• ISO 22301 Clause 4.3 Determining the Scope of the Business Continuity Management System3

Support does not lay out the foundation of planning and managing the BCMS, but rather provides the necessary resources and arrangements to enable the effective operation of the BCMS. Support includes aspects such as competence, awareness, communication, documented information, and organizational knowledge. The foundation of planning and managing the BCMS is laid out by the leadership and planning clauses of ISO 22301, which define the roles and responsibilities, policies, objectives, and actions to address risks and opportunities for the BCMS. References: ISO 22301 Auditing eBook, page 15 1; ISO 22301:2019, clauses 5, 6, and 7 2

According to ISO 22301:2019, Clause 3.10, critical functions are the functions that are directly responsible for the delivery of products and services to the customers and other interested parties. Critical functions are essential for the organization to achieve its objectives, protect its reputation, and meet its legal and contractual obligations. Critical functions are also the ones that are most vulnerable to disruption, and therefore require the highest level of protection and recovery capability. The identification and prioritization of critical functions are part of the business impact analysis (BIA) process, which is a key component of the business continuity management system (BCMS). References: ISO 22301:2019, Clause 3.10; ISO 22301 Auditing eBook, Chapter 4.2.2.

A documentary review is a type of review that involves examining documents, records, or other forms of evidence related to the audit criteria and objectives. It can often be used as a secondary method to support other forms of information collection methods, such as interviews, observations, or sampling. A documentary review can help to verify the existence, implementation, and effectiveness of the audited processes, activities, or controls. It can also provide useful information about the context, scope, and objectives of the audit, as well as the roles and responsibilities of the auditees and other relevant parties. References: ISO 22301 Auditing eBook, page 611; ISO 19011:2018, clause 6.3.22

SMART is an acronym for Specific, Measurable, Achievable, Relevant, and Time-bound. It is a method of setting objectives and evaluating performance that entails the use of unstructured narrative style to inform specific factors and the overall work performance. SMART objectives are clear, realistic, and measurable, and they help to align the individual’s goals with the organization’s strategy. SMART objectives also provide feedback and motivation for the individual and the team. References: ISO 22301 Auditing eBook, page 321

According to the ISO 22301 Auditing eBook, there are five types of strategies involved in the process-centric approach to business continuity management. They are:

• Business continuity strategy: This is the overall approach that provides a framework for ensuring the continuity of an organization’s critical functions in the event of a disruption. It defines the objectives, scope, principles, and policies of the business continuity management system (BCMS).
• Recovery strategy: This is the specific approach that defines how an organization will restore its critical functions within a predefined time frame after a disruption. It identifies the resources, actions, and procedures required to recover the critical functions and resume normal operations.
• Continuity strategy: This is the specific approach that defines how an organization will maintain its critical functions during a disruption. It identifies the alternative arrangements, methods, and modes of operation that will enable the organization to continue delivering its products or services at an acceptable level of performance.
• Mitigation strategy: This is the specific approach that defines how an organization will reduce the likelihood and/or impact of a disruption. It identifies the preventive and protective measures that will minimize the exposure and vulnerability of the organization to potential threats and risks.
• Response strategy: This is the specific approach that defines how an organization will react to a disruption. It identifies the roles, responsibilities, and authorities of the incident management team, the communication channels and protocols, and the escalation and notification procedures.

References: ISO 22301 Auditing eBook, pages 40-42

The check phase in the PDCA cycle is the phase where the organization monitors, measures, analyzes, and evaluates the performance and effectiveness of the BCMS against the business continuity policy, objectives, and requirements. The check phase involves conducting internal audits, management reviews, and performance evaluations to identify the strengths and weaknesses of the BCMS, as well as the opportunities for improvement. The check phase also involves collecting and analyzing feedback from interested parties, such as customers, suppliers, regulators, and employees, to ensure that the BCMS meets their needs and expectations. The check phase provides the basis for the act phase, where the organization takescorrective actions and preventive actions to address the nonconformities and risks identified in the check phase. References: ISO 22301:2019, Clause 9; ISO 22301 Auditing eBook, Chapter 5.1.

The clarify and confirm step is the first step of the audit planning process, where the auditor clarifies the requirements with the business leads, such as the audit client, the auditee, and the audit team. The purpose of this step is to ensure that the audit objectives, scope, criteria, and deliverables are clearly defined, understood, and agreed upon by all the parties involved. The clarify and confirm step also involves the identification of the audit risks, opportunities, and resources, as well as the establishment of the audit communication channels and protocols. The clarify and confirm step is essential to ensure that the audit is aligned with the expectations and needs of the stakeholders, and that the audit is feasible, effective, and efficient. References:

• PECB Certified ISO 22301 Lead Auditor eLearning Training Course1, Module 4: Preparation of an ISO 22301 audit, Lesson 4.1: Audit planning, Slide 5: Audit planning process
• ISO 22301 Auditing eBook2, Chapter 4: Preparation of an ISO 22301 audit, Section 4.1: Audit planning, Subsection 4.1.1: Clarify and confirm

Business continuity programs should be a part of the governance process of the organization, which is the system by which the organization is directed and controlled. The governance process involves setting the strategic direction, establishing the policies and objectives, allocating the resources, monitoring the performance, and ensuring the accountability and transparency of the organization. Business continuity programs support the governance process by ensuring the continuity of the organization’s critical functions and processes in the event of a disruptive incident, and by enhancing the organization’s resilience and reputation. References: ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems (BCMS), Section 1.1: Governance, page 8.

 According to ISO 22301 Lead Auditor objectives and content, workshops are one of the methods that can be used to conduct a business impact analysis (BIA). Workshops bring a group of people together into a discussion, where they can share their knowledge, opinions, and perspectives on the organization’s processes, resources, dependencies, and impacts. Workshops can help to identify and prioritize the critical activities and resources that are essential for the continuity of theorganization’s operations. Workshops can also facilitate the communication and collaboration among different stakeholders, such as process owners, managers, employees, and customers. Workshops can be conducted in various formats, such as face-to-face, online, or hybrid, depending on the availability and preferences of the participants. Workshops should be planned and facilitated by a competent person, who can guide the discussion, ask relevant questions, collect and document the information, and ensure the validity and consistency of the results. References: ISO 22301 Auditing eBook, page 381; ISO 22301 Clause 8.2 Business impact analysis and risk assessment2

Crisis communication is the process of managing the flow of information during and after a crisis situation that threatens the reputation, operations, or survival of an organization. It aims to protect the organization’s shareholder value and long-term reputation by maintaining trust and confidence among its stakeholders. According to the ISO 22301 Auditing eBook, crisis communication is one of the key elements of a business continuity management system, as it enables the organization to communicate effectively with its internal and external parties, such as employees, customers, suppliers, media, regulators, and the public. Effective crisis communication can help the organization to minimize the negative impacts of a crisis, restore normal operations as soon as possible, and enhance its resilience and reputation in the long run. References: ISO 22301 Auditing eBook, pages 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, and 27.

 Deliverables are the specific tasks, products, or outcomes that are required in order to complete the project. They are the tangible and measurable results of the project activities, and they should be aligned with the project objectives and scope. Deliverables can be classified into two types: project deliverables and process deliverables. Project deliverables are the outputs that directly contribute to the achievement of the project goals, such as reports, plans, documents, software, hardware, etc. Process deliverables are the outputs that support the management and execution of the project, such as schedules, budgets, risk assessments, audits, etc. Deliverables should be clearly defined, agreed upon, and accepted by the project stakeholders, and they should be monitored and controlled throughout the project lifecycle. According to ISO 22301, some of the deliverables for implementing a business continuity management system (BCMS) are: business continuity policy, business continuity objectives, business impact analysis, risk assessment and treatment, business continuity strategy, business continuity plans, business continuity procedures, performance indicators, audit reports, corrective actions, etc. References: ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.1: Project Management, page 39. ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.2: Project Deliverables, page 40.

The knowledge of BCM and its methodology is not related to technical expertise, but to domain expertise. Technical expertise refers to the knowledge and skills related to the audit process, such as audit principles, procedures, techniques, and tools. Domain expertise refers to the knowledge and skills related to the specific field of the audit, such as BCM concepts, terms, definitions, requirements, and best practices. References: ISO 22301 Auditing eBook, page 11; ISO 19011:2018, clause 7.2.2

The collection of corporate information provides evidence on the state of organizational preparedness, as it allows the organization to assess its currentcapabilities, resources, and performance in relation to its business continuity objectives and requirements. Corporate information includes documents, records, data, and other types of information that are relevant to the organization’s business continuity management system (BCMS). By collecting and analyzing corporate information, the organization can identify its strengths, weaknesses, opportunities, and threats, and determine the gaps and areas for improvement in its BCMS. Corporate information also helps the organization to monitor and measure the effectiveness and efficiency of its BCMS, and to demonstrate its compliance with the ISO 22301 standard and other applicable regulations and standards. References: ISO 22301 Auditing eBook, page 34; ISO 22301:2019 standard, clause 9.1

Maintenance is the activity that ensures that the programme and its components remain in line with the organization’s overall strategy. Maintenance involves monitoring and reviewing the performance and effectiveness of the programme, identifying and implementing improvements, and ensuring alignment with the changing needs and expectations of the organization and its stakeholders. Maintenance is an essential part of the programme management cycle, as it helps to ensure that the programme delivers the intended benefits and outcomes, and that the programme remains relevant and adaptable to the changing environment. Maintenance is also a requirement of ISO 22301, the international standard for business continuity management systems (BCMS). According to ISO 22301, the organization shall establish, implement and maintain a process for continual improvement of the BCMS, which includes evaluating the need for changes to the BCMS, and ensuring that the BCMS remains suitable, adequate and effective1. References:

• ISO 22301:2019, clause 10.2

According to ISO 22301:2019, Clause 6.1.2, the organization must establish, implement, and maintain a documented process to manage risks related to the continuity of its critical functions and the achievement of its business continuity objectives. The risk management process should include the identification, analysis, and evaluation of the risks that may cause disruption to the organization’s operations, products, and services. The level of risk for an organization should be determined by combining the consequence and likelihood of the events that may lead to disruption, as well as the organization’s risk criteria, risk appetite, and risk tolerance. The consequence of an event is the impact or effect that it may have on the organization’s objectives, reputation, stakeholders, and resources. The likelihood of an event is the probability or frequency that it may occur, based on historical data, statistical analysis, expert judgment, or other methods. The organization should use appropriate tools and techniques to assess the level of risk, such as risk matrices, risk registers, risk maps, or risk software. The organization should also document the results of the risk assessment and communicate them to relevant interested parties. The purpose of risk management for business continuity is to find out what problems an organization may face, and to take appropriate actions to prevent, mitigate, or transfer the risks, or to accept them if they are within the organization’s riskcriteria. References: ISO 22301:2019, Clause 6.1.2; ISO 22301 Auditing eBook, Chapter 4.2.2.

The Incident Management Structure (IMS) is a framework for organizing and managing the response to a disruptive incident. The IMS defines three levels of management activities: strategic, tactical, and operational. The strategic level is responsible for setting the overall direction and objectives of the response, as well as allocating resources and coordinating with external stakeholders. The tactical level is responsible for implementing the strategic decisions and managing the operational teams. The tactical level also monitors the situation and reports to the strategic level. The operational level is responsible for executing the specific tasks and actions required to achieve the objectives of the response. The operational level also provides feedback to the tactical level on the progress and issues encountered. References:

• ISO 22301 Auditing eBook, Chapter 4: Incident Response and Recovery, Section 4.2: Incident Management Structure1
• ISO 22320:2018(en), Security and resilience — Emergency management — Guidelines for incident management2

Organizational activities are the actions and processes that an organization performs to achieve its objectives and deliver its products and services. These activities are exposed to innumerable threats that have the potential to compromise the achievement of corporate goals. These threats can be internal orexternal, natural or man-made, intentional or accidental, and can affect the organization’s resources, capabilities, reputation, and continuity. Some examples of threats that can disrupt organizational activities are:

• Natural disasters, such as earthquakes, floods, storms, fires, or pandemics
• Cyber-attacks, such as hacking, malware, ransomware, denial-of-service, or data breaches
• Human errors, such as mistakes, negligence, or miscommunication
• Malicious acts, such as sabotage, theft, fraud, vandalism, or terrorism
• Supply chain issues, such as delays, shortages, quality problems, or contractual disputes
• Regulatory changes, such as new laws, standards, or policies that affect the organization’s operations or compliance
• Market changes, such as shifts in customer demand, preferences, or expectations, or increased competition or innovation
• Social changes, such as changes in demographics, culture, values, or behaviors that affect the organization’s stakeholders or environment To protect against these threats and ensure the continuity of organizational activities, organizations need to implement a business continuity management system (BCMS) that follows the requirements of ISO 22301. A BCMS is a set of policies, procedures, and practices that enable an organization to prepare for, respond to, and recover from disruptions when they arise. A BCMS helps an organization to identify its critical activities, assess the risks and impacts of potential disruptions, develop strategies and plans to mitigate and manage the disruptions, and test and improve the effectiveness of the BCMS. By implementing a BCMS, an organization can enhance its resilience, reduce its losses, and maintain its reputation and customer satisfaction. References: : What is ISO 22301 standard and what is its purpose? : Building Business Resilience: A Guide to ISO 22301 Certification : ISO 22301:2019(en), Security and resilience ? Business continuity management systems ? Requirements

 Document control is a process that ensures that documented information related to the BCMS is current, accurate, and available to relevant parties. It also ensures that the confidentiality of business continuity materials is safeguarded from unauthorized access, disclosure, or misuse. Document control covers the creation, approval, distribution, use, storage, preservation, retrieval, control of changes, retention, and disposition of documented information. Document control is required by clause 7.5.3 of ISO 22301:2019. References: ISO 22301:2019, clause 7.5.3; ISO 22301 Auditing eBook, page 56.

Reviewing is the stage that helps management to define where focus and resources should be invested. According to ISO 22301, reviewing is the process of evaluating the performance and effectiveness of the business continuity management system (BCMS) and identifying opportunities for improvement. Reviewing can be done through internal audits, management reviews, performance evaluations, and corrective actions. Reviewing can help management to ensure that the BCMS is aligned with the organization’s strategic objectives, meets the needs and expectations of interested parties, complies with the applicable requirements, andcontinually improves its resilience and capability to respond to disruptive incidents. References: ISO 22301 Auditing eBook, page 171; ISO 22301:2019, clause 92

Policy formulation is the BCMS process that is used to develop a business continuity policy that sets out an operating framework. According to ISO 22301, the organization shall establish a business continuity policy that is appropriate to the purpose and context of the organization and provides a framework for setting business continuity objectives. The policy shall also demonstrate top management’s commitment to the BCMS and its continual improvement1. The policy formulation process involves the following steps2:

• Define the scope and objectives of the policy
• Identify the relevant internal and external issues and requirements
• Analyze the current state of the BCMS and the gaps to be addressed
• Draft the policy statement and the key principles and guidelines
• Review and approve the policy by the top management
• Communicate and distribute the policy to the relevant stakeholders
• Monitor and update the policy as needed References:
• ISO 22301:2019, clause 5.3
• ISO 22301 Auditing eBook, page 24

Process management is the framework that is a continuous and progressive cycle that requires managerial, operational, administrative and technical support. Process management refers to the design, implementation, monitoring, evaluation, and improvement of the processes that deliver value to the organization and its stakeholders. Process management involves the following steps:

• Define the process: Identify the purpose, scope, objectives, inputs, outputs, activities, roles, and responsibilities of the process.
• Document the process: Create a visual representation of the process flow, such as a flowchart, diagram, or map, that shows the sequence of tasks, decisions, and interactions within the process.
• Implement the process: Execute the process according to the defined and documented specifications, using the appropriate resources, tools, and methods.
• Monitor the process: Measure and analyze the performance of the process, using key performance indicators (KPIs), metrics, and feedback mechanisms, to ensure that the process meets the expected outcomes and quality standards.
• Evaluate the process: Review and assess the effectiveness and efficiency of the process, using audit, review, and evaluation techniques, to identify the strengths, weaknesses, opportunities, and threats of the process.
• Improve the process: Implement corrective and preventive actions, based on the results of the evaluation, to enhance the process and eliminate or reduce the causes of nonconformities, errors, or inefficiencies.

Process management is a continuous and progressive cycle that requires managerial, operational, administrative and technical support, as the process is constantly subject to change and improvement, based on the changing needs and expectations of the organization and its stakeholders. Process management also supports the implementation and maintenance of a business continuity management system (BCMS), as it helps the organization to identify, protect, and optimize its critical business processes and resources, and to ensure their continuity and resilience in the event of a disruption. References:

• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.4: Planning, Page 18
• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.6: Performance Evaluation, Page 21
• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.7: Improvement, Page 23
• ISO 22301 Auditing eBook, Chapter 4: Business Continuity Management System Audit, Section 4.1: Audit Principles, Page 26
• ISO 22301 Auditing eBook, Chapter 4: Business Continuity Management System Audit, Section 4.3: Audit Process, Page 28

Continual improvement is the process that ensures the BCMS operates effectively and remains relevant in its context. Continual improvement is an essential aspect of any management system, as it allows organizations to identify areas for improvement and implement changes to enhance their performance. According to ISO 22301, organizations should establish, implement, maintain, and continually improve a business continuity management system (BCMS) based on the principles of continual improvement. Furthermore, this ongoing process should be embedded into the organization’s culture. The continual improvement involves regularly reviewing the BCMS to identify areas for improvement and taking action to make changes that will enhance the system’s effectiveness. This can be achieved through various methods, such as monitoring and measuring the system’s performance, analyzing data and trends, conducting internal audits and management reviews, and implementing corrective and preventive actions. ISO 22301 also emphasizes the importance of leadership in driving continual improvement. Top management should continually improve the BCMS and provide the necessary resources and support to achieve this. They should also set objectives and targets for improvement and monitor progress. Continual improvement is a systematic and ongoing process that involves identifying opportunities for improvement, making changes, and monitoring the results to ensure practical improvements. References: : ISO 22301 Auditing eBook, page 11 : ISO 22301:2019, clause 10.2 : ISO 22301:2019, clause 3.15 : ISO 22301 Clause 10.2 Continual improvement : ISO 22301 continuous improvement – How to achieve it

The four phases of the Deming Cycle are Plan, Do, Check, and Act. The Deming Cycle, also known as the PDCA cycle, is a four-step model for continuous improvement of processes, products, or services. The cycle was developed by Dr. W. Edwards Deming, a pioneer of quality management, and is based on the scientific method of problem-solving. The four phases of the Deming Cycle are1:

• Plan: Identify the problem or opportunity, analyze the root causes, and establish the objectives and measures for improvement.
• Do: Implement the planned solution, test the results, and collect data for evaluation.
• Check: Compare the actual results with the expected results, identify the gaps and deviations, and analyze the effectiveness and efficiency of the solution.
• Act: Take corrective or preventive actions to close the gaps and prevent recurrence, standardize the solution, and communicate and document the lessons learned. The Deming Cycle is a dynamic and iterative process that can be applied to any type of process, product, or service. The cycle helps to ensure that the improvement is based on facts and data, and that the improvement is monitored and evaluated for further improvement. The Deming Cycle is also aligned with the structure and content of ISO 22301, the international standard for business continuity management systems (BCMS). ISO 22301 follows the Plan-Do-Check-Act approach to establish, implement, maintain, and improve a BCMS that enables an organization to prepare for, respond to, and recover from disruptive incidents2. References:
• PDCA (Plan-Do-Check-Act) Cycle in ISO 9001 Requirements - Advisera
• ISO 22301:2019 - NQA, page 9

 Governance is the initiative of Business Continuity Management that is a regulatory system that controls an organization and its activities. Governance refers to the set of policies, processes, roles, and responsibilities that define how an organization is directed and managed. Governance ensures that the organization’s objectives, strategies, and operationsare aligned with the expectations and needs of its stakeholders, such as customers, employees, regulators, and shareholders. Governance also provides oversight and accountability for the organization’s performance, risks, compliance, and continuity.

Business Continuity Management (BCM) is a key component of governance, as it enables the organization to protect its critical assets and functions, and to respond and recover from disruptive incidents. BCM helps the organization to maintain its reputation, resilience, and value in the face of uncertainty and crisis. BCM also supports the organization’s compliance with relevant laws, regulations, standards, and best practices, such as ISO 22301, the international standard for business continuity management systems.

Therefore, governance is the initiative of Business Continuity Management that is a regulatory system that controls an organization and its activities, by providing direction, oversight, and accountability for the organization’s continuity and resilience. References:

• ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management, Section 1.1: What is Business Continuity Management?, Page 4
• ISO 22301 Auditing eBook, Chapter 2: Introduction to ISO 22301, Section 2.1: What is ISO 22301?, Page 9
• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.1: Context of the Organization, Page 13
• ISO 22301 Auditing eBook, Chapter 3: Business Continuity Management System, Section 3.2: Leadership, Page 16