Most Recent PECB ISO-22301-Lead-Auditor Exam Questions & Answers

The step in the PDCA cycle that formulates and implements a management plan with actions is the Do step. The Do step is the second phase of the PDCA cycle, following the Plan step. In the Do step, the organization executes the plan that was developed in the Plan step, based on the objectives, policies, and procedures of the business continuity management system (BCMS). The Do step involves implementing the new or improved processes, controls, activities, and measures that are designed to achieve the desired outcomes and performance of the BCMS. The Do step also involves documenting the results and outcomes of the implementation, as well as any problems or deviations that occurred. The Do step provides the basis for the Check step, where the organization monitors and evaluates the effectiveness and efficiency of the implemented plan.Reference:

ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems, Section 1.3: PDCA Cycle1

ISO 22301:2019 - Security and resilience --- Business continuity management systems --- Requirements, Clause 8: Operation2

The Do step in the PDCA cycle is the stage where the plan is implemented and executed. It involves carrying out the activities and processes that are defined in the BCMS. It is also the step where communication with key stakeholders is maintained. Communication is a vital element of the BCMS, as it ensures that all relevant parties are informed and involved in the business continuity process. ISO 22301 requires organizations to establish communication procedures that enable timely and effective communication during a disruption.These procedures should include clear communication channels, escalation processes, and guidelines for communication with stakeholders such as customers, suppliers, and regulatory bodies1. Communication and training are also important aspects of the Do step, as they ensure that all stakeholders are involved and aware of the PDCA cycle and their role in it.Provide training and support to help employees understand the process and how they can contribute to it2. The Do step also involves testing and exercising the BCMS to verify its effectiveness and identify areas for improvement. Testing and exercising are essential for validating the assumptions, plans, and procedures of the BCMS and ensuring that they are fit for purpose.They also help to raise awareness and confidence among the staff and stakeholders and demonstrate the organization's commitment to business continuity3.Reference::ISO 22301 Clause 7.4 Communication:The Plan-Do-Check-Act (PDCA) Cycle: A Guide to Continuous Improvement:ISO 22301 Business Continuity Management Made Easy

According to the ISO 22301 Auditing eBook, there are five types of strategies involved in the process-centric approach to business continuity management. They are:

Business continuity strategy: This is the overall approach that provides a framework for ensuring the continuity of an organization's critical functions in the event of a disruption. It defines the objectives, scope, principles, and policies of the business continuity management system (BCMS).

Recovery strategy: This is the specific approach that defines how an organization will restore its critical functions within a predefined time frame after a disruption. It identifies the resources, actions, and procedures required to recover the critical functions and resume normal operations.

Continuity strategy: This is the specific approach that defines how an organization will maintain its critical functions during a disruption. It identifies the alternative arrangements, methods, and modes of operation that will enable the organization to continue delivering its products or services at an acceptable level of performance.

Mitigation strategy: This is the specific approach that defines how an organization will reduce the likelihood and/or impact of a disruption. It identifies the preventive and protective measures that will minimize the exposure and vulnerability of the organization to potential threats and risks.

Response strategy: This is the specific approach that defines how an organization will react to a disruption. It identifies the roles, responsibilities, and authorities of the incident management team, the communication channels and protocols, and the escalation and notification procedures.

Reviewing is the stage that helps management to define where focus and resources should be invested. According to ISO 22301, reviewing is the process of evaluating the performance and effectiveness of the business continuity management system (BCMS) and identifying opportunities for improvement. Reviewing can be done through internal audits, management reviews, performance evaluations, and corrective actions.Reviewing can help management to ensure that the BCMS is aligned with the organization's strategic objectives, meets the needs and expectations of interested parties, complies with the applicable requirements, and continually improves its resilience and capability to respond to disruptive incidents.Reference: ISO 22301 Auditing eBook, page 171; ISO 22301:2019, clause 92

Deliverables are the specific tasks, products, or outcomes that are required in order to complete the project. They are the tangible and measurable results of the project activities, and they should be aligned with the project objectives and scope. Deliverables can be classified into two types: project deliverables and process deliverables. Project deliverables are the outputs that directly contribute to the achievement of the project goals, such as reports, plans, documents, software, hardware, etc. Process deliverables are the outputs that support the management and execution of the project, such as schedules, budgets, risk assessments, audits, etc. Deliverables should be clearly defined, agreed upon, and accepted by the project stakeholders, and they should be monitored and controlled throughout the project lifecycle. According to ISO 22301, some of the deliverables for implementing a business continuity management system (BCMS) are: business continuity policy, business continuity objectives, business impact analysis, risk assessment and treatment, business continuity strategy, business continuity plans, business continuity procedures, performance indicators, audit reports, corrective actions, etc.Reference: ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.1: Project Management, page 39. ISO 22301 Auditing eBook, Chapter 3: Planning the BCMS, Section 3.2: Project Deliverables, page 40.