The PECB Certified ISO 22301 Lead Auditor Exam (ISO-22301-Lead-Auditor)

The clarify and confirm step is the first step of the audit planning process, where the auditor clarifies the requirements with the business leads, such as the audit client, the auditee, and the audit team. The purpose of this step is to ensure that the audit objectives, scope, criteria, and deliverables are clearly defined, understood, and agreed upon by all the parties involved. The clarify and confirm step also involves the identification of the audit risks, opportunities, and resources, as well as the establishment of the audit communication channels and protocols. The clarify and confirm step is essential to ensure that the audit is aligned with the expectations and needs of the stakeholders, and that the audit is feasible, effective, and efficient.  References :

PECB Certified ISO 22301 Lead Auditor eLearning Training Course 1 , Module 4: Preparation of an ISO 22301 audit, Lesson 4.1: Audit planning, Slide 5: Audit planning process

ISO 22301 Auditing eBook 2 , Chapter 4: Preparation of an ISO 22301 audit, Section 4.1: Audit planning, Subsection 4.1.1: Clarify and confirm

Strategy option evaluation and selection is the strategy that supports the recovery needs of each critical product and service. This strategy involves the following steps:

Identify the recovery options: Based on the results of the business impact analysis (BIA) and the risk assessment, identify the possible recovery options for each critical product and service. Recovery options are the alternative ways of resuming the delivery of the product or service within the recovery time objective (RTO) and the recovery point objective (RPO). Examples of recovery options are: relocating to an alternate site, activating a mutual aid agreement, using a cloud-based backup, outsourcing to a third-party provider, etc.

Evaluate the recovery options: Assess the feasibility, effectiveness, and efficiency of each recovery option, using criteria such as: cost, availability, scalability, compatibility, security, compliance, etc. Compare the advantages and disadvantages of each option and rank them according to their suitability for meeting the recovery needs.

Select the recovery options: Choose the best recovery option for each critical product and service, based on the evaluation results and the available resources. Ensure that the selected option aligns with the organization’s business continuity objectives, policies, and strategies. Document the rationale and justification for the selection and communicate it to the relevant stakeholders.

Strategy option evaluation and selection is the strategy that supports the recovery needs of each critical product and service, as it enables the organization to identify, evaluate, and select the most appropriate recovery option for each critical product and service, based on the BIA and the risk assessment results. This strategy helps the organization to ensure the continuity and resilience of its critical products and services in the event of a disruption, and to optimize the use of its resources and capabilities.  References:

ISO 22301 Auditing eBook , Chapter 3: Business Continuity Management System, Section 3.4.2: Business Continuity Strategy, Page 19

ISO 22301 Auditing eBook , Chapter 5: Business Continuity Management System Audit Activities, Section 5.3.2: Audit of Business Continuity Strategy, Page 37

ISO 22301:2019 , Clause 8.3: Business Continuity Strategies and Solutions, Page 18

The Do phase in the PDCA cycle consists of operation, which means implementing and operating the business continuity policy, controls, processes, and procedures that have been planned in the previous phase. The Do phase also involves establishing the necessary resources, competencies, awareness, communication, and documentation to support the effective operation of the business continuity management system (BCMS). The Do phase aims to ensure that the organization is prepared to respond to and recover from disruptive incidents in a timely and effective manner.  References : ISO 22301 Auditing eBook, pages 9, 10, 11, 22, 23, and 24.

The knowledge of BCM and its methodology is not related to technical expertise, but to domain expertise. Technical expertise refers to the knowledge and skills related to the audit process, such as audit principles, procedures, techniques, and tools. Domain expertise refers to the knowledge and skills related to the specific field of the audit, such as BCM concepts, terms, definitions, requirements, and best practices.  References : ISO 22301 Auditing eBook, page 11; ISO 19011:2018, clause 7.2.2

A personal interview is a type of interview that employs verbal questioning as its principal technique of data collection. It is a face-to-face conversation between the interviewer and the interviewee, where the interviewer asks open-ended or closed-ended questions to obtain information from the interviewee. A personal interview can be conducted in various settings, such as at the interviewee’s workplace, home, or a neutral location. A personal interview can be structured, semi-structured, or unstructured, depending on the level of flexibility and standardization of the questions. A personal interview can be used for different purposes, such as to assess the interviewee’s competence, motivation, attitude, or opinion on a certain topic. A personal interview can also be used to establish rapport, trust, and credibility between the interviewer and the interviewee. A personal interview can have various advantages and disadvantages, such as:

Advantages:

It allows the interviewer to observe the interviewee’s body language, facial expressions, and tone of voice, which can provide additional insights into the interviewee’s feelings, emotions, and reactions.

It enables the interviewer to probe deeper into the interviewee’s responses, clarify ambiguities, and ask follow-up questions to obtain more detailed and comprehensive information.

It gives the interviewer the opportunity to adapt the questions and the pace of the interview according to the interviewee’s level of knowledge, interest, and responsiveness.

It can increase the interviewee’s willingness to participate, cooperate, and disclose information, as the interviewer can establish a personal connection and a positive atmosphere with the interviewee.

It can reduce the possibility of misunderstanding, misinterpretation, or distortion of the information, as the interviewer can verify and confirm the interviewee’s answers immediately.

Disadvantages:

It can be time-consuming, costly, and labor-intensive, as it requires the interviewer to travel to the interviewee’s location, schedule the interview, and conduct the interview.

It can be influenced by various biases, such as the interviewer’s expectations, preferences, stereotypes, or prejudices, which can affect the interviewer’s choice of questions, interpretation of answers, and evaluation of the interviewee.

It can be affected by various factors, such as the interviewer’s skills, personality, appearance, or mood, which can influence the interviewer’s performance, behavior, and interaction with the interviewee.

It can be subject to various errors, such as the interviewer’s memory, recall, or transcription errors, which can result in the loss, omission, or alteration of the information.

It can pose various challenges, such as the interviewer’s difficulty in maintaining control, neutrality, or objectivity, or the interviewee’s reluctance, resistance, or dishonesty, which can hinder the quality and validity of the information.

References :

PECB Certified ISO 22301 Lead Auditor eLearning Training Course 1 , Module 5: Conducting an ISO 22301 audit, Lesson 5.2: Communication during the audit, Slide 8: Types of interviews

ISO 22301 Auditing eBook 2 , Chapter 5: Conducting an ISO 22301 audit, Section 5.2: Communication during the audit, Subsection 5.2.1: Types of interviews

Business continuity objectives are the objectives that take the form of targets to enhance organizational resilience, as defined by ISO 22301. Business continuity objectives are derived from the business continuity policy and the results of the business impact analysis (BIA) and risk assessment (RA). Business continuity objectives are measurable, consistent, and relevant to the organization’s business continuity requirements and strategies. Business continuity objectives are also aligned with the organization’s strategic direction and communicated to all relevant parties.  Business continuity objectives are one of the key requirements of ISO 22301, as they provide the basis for planning, implementing, monitoring, reviewing, and improving the business continuity management system (BCMS).  References : ISO 22301 Auditing eBook, page 28  1 ; ISO 22301:2019, clause 6.2  2

 Evaluation is the process of assessing the performance of an organization, a system, a process, or an activity against a set of criteria, standards, or objectives. Evaluation can be used to identify strengths, weaknesses, opportunities, and threats, as well as to measure the effectiveness, efficiency, and impact of the organization’s activities. Evaluation can also be used to compare the performance of different organizations, systems, processes, or activities, and to identify and share best practices and lessons learned. Evaluation is one of the key elements of the Plan-Do-Check-Act (PDCA) cycle, which is the basis of the ISO 22301 standard for business continuity management systems (BCMS). Evaluation is related to performance evaluation, audit, and benchmarking study, as these are some of the methods or tools that can be used to conduct evaluation.  References : ISO 22301 Auditing eBook, Chapter 2: Introduction to Business Continuity Management Systems (BCMS), Section 2.3: The PDCA Cycle, Page 17; ISO 22301 Auditing eBook, Chapter 5: Audit Principles, Section 5.1: Introduction, Page 65; ISO 22301 Auditing eBook, Chapter 6: Audit Program, Section 6.3: Audit Program Objectives, Page 75; ISO 22301 Auditing eBook, Chapter 7: Audit Activities, Section 7.1: Introduction, Page 85; ISO 22301 Auditing eBook, Chapter 8: Audit Competence and Evaluation of Auditors, Section 8.1: Introduction, Page 105.

 The document that is owned by executive management and sets the purpose of BCM in an organization is the Business Continuity Policy. The Business Continuity Policy is a high-level document that defines the scope, objectives, principles, and roles and responsibilities for business continuity management within the organization. It also demonstrates the commitment of top management to support and continually improve the BCMS.  The Business Continuity Policy is one of the mandatory documents required by ISO 22301, the international standard for BCMS 1 2 .

The other options are not correct because they are not documents that are owned by executive management and set the purpose of BCM in an organization. A Business Process Policy is a document that describes the procedures and rules for performing a specific business process, such as procurement, sales, or accounting. A Register is a document that records and tracks the status of certain items, such as risks, incidents, or assets. A Worksheet is a document that contains data and calculations, such as a spreadsheet or a form.

References :  1 : ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 5.3  2 : ISO 22301 Auditing eBook, Chapter 2.2.2

A management system is an integrated set of processes and tools that an organization uses to develop its strategy, transform it into actions, and monitor and evaluate its performance and effectiveness. A management system helps an organization to achieve its objectives and continually improve its performance.