PECB ISO-22301-Lead-Auditor Exam Actual Questions

According to the ISO 22301 Auditing eBook, there are three types of personal interview, which differ in terms of the structure, purpose and depth of information to be elicited. They are:

Fully structured interview: This type of interview follows a predefined set of questions that are asked in a fixed order. The interviewer does not deviate from the script and does not probe for additional information. The advantage of this type of interview is that it ensures consistency and comparability of data across different interviewees. The disadvantage is that it may not capture the nuances and complexities of the interviewee's responses, and may miss some important information that is not covered by the questions.

Semi-structured interview: This type of interview has a general outline of topics or questions to be covered, but the interviewer has the flexibility to ask follow-up questions, clarify ambiguities, and explore new areas of interest that emerge during the conversation. The advantage of this type of interview is that it allows for a deeper and richer understanding of the interviewee's perspectives, opinions, and experiences. The disadvantage is that it may introduce some variability and bias in the data collection and analysis, depending on the interviewer's skills and style.

Unstructured interview: This type of interview has no predetermined agenda or questions, and the interviewer relies on the natural flow of the conversation to guide the discussion. The interviewer may use some open-ended prompts or probes to elicit more information, but the interviewee has the freedom to express whatever they want. The advantage of this type of interview is that it can reveal unexpected and insightful information that may not be obtained through other methods. The disadvantage is that it may be difficult to manage, control, and summarize the data, and it may require more time and resources to conduct and analyze.

1of30

According to ISO 22301 Lead Auditor objectives and content, workshops are one of the methods that can be used to conduct a business impact analysis (BIA). Workshops bring a group of people together into a discussion, where they can share their knowledge, opinions, and perspectives on the organization's processes, resources, dependencies, and impacts. Workshops can help to identify and prioritize the critical activities and resources that are essential for the continuity of the organization's operations. Workshops can also facilitate the communication and collaboration among different stakeholders, such as process owners, managers, employees, and customers. Workshops can be conducted in various formats, such as face-to-face, online, or hybrid, depending on the availability and preferences of the participants.Workshops should be planned and facilitated by a competent person, who can guide the discussion, ask relevant questions, collect and document the information, and ensure the validity and consistency of the results.Reference: ISO 22301 Auditing eBook, page 381; ISO 22301 Clause 8.2 Business impact analysis and risk assessment2

A documentary review is a type of review that involves examining documents, records, or other forms of evidence related to the audit criteria and objectives. It can often be used as a secondary method to support other forms of information collection methods, such as interviews, observations, or sampling. A documentary review can help to verify the existence, implementation, and effectiveness of the audited processes, activities, or controls.It can also provide useful information about the context, scope, and objectives of the audit, as well as the roles and responsibilities of the auditees and other relevant parties.Reference: ISO 22301 Auditing eBook, page 611; ISO 19011:2018, clause 6.3.22

The draft report is not amended according to the feedback provided by the respondents, but rather according to the audit team leader's judgment and discretion. The feedback from the respondents is only one of the inputs that the audit team leader considers when finalizing the audit report. The audit team leader has the ultimate responsibility and authority to decide on the content and conclusions of the audit report, based on the audit evidence and audit criteria.The audit team leader should ensure that the audit report is accurate, objective, clear, concise, constructive, and timely1.

A control is a measure that is implemented to reduce or eliminate the risk from occurring, or to mitigate the impact of the risk if it occurs. A control can be preventive, corrective, or detective, depending on the stage of the risk management process. A control can also be administrative, technical, or physical, depending on the nature of the risk and the organization. A control can be designed, implemented, monitored, and evaluated based on the risk assessment and the risk treatment plan. A control can be documented in the business continuity policy, objectives, plans, procedures, and other relevant documents. A control can be audited to verify its effectiveness and efficiency in achieving the intended outcomes.Reference:

PECB Certified ISO 22301 Lead Auditor eLearning Training Course1, Module 3: Fundamental principles and concepts of a business continuity management system (BCMS), Lesson 3.2: Business continuity management system (BCMS), Slide 15: Risk management

ISO 22301 Auditing eBook2, Chapter 3: Fundamental principles and concepts of a business continuity management system (BCMS), Section 3.2: Business continuity management system (BCMS), Subsection 3.2.4: Risk management