ISO-22301-Lead-Implementer Practice Questions

An organization has implemented controls to prevent the unauthorized disclosure of documented information required by the BCMS. Is this in compliance with ISO 22301?

Scenario:

Marketiser, a marketing company in Florida specializing in branding, advertising, market research, and design services, primarily serves small and medium-sized enterprises. After a devastating hurricane caused severe flooding and rendered its office unusable, Marketiser decided to implement a BCMS based on ISO 22301 to handle such disruptions.

The company formed a project team of four members from various departments and appointed Danielle as the project manager. Danielle conducted a comprehensive business impact analysis (BIA) focusing on activities related to data loss and backup recovery, recognizing the critical importance of safeguarding digital assets. She set specific recovery objectives, including a one-day recovery point objective (RPO) and a two-day recovery time objective (RTO).

Based on the BIA outcomes, the team chose a business continuity strategy that involved relocating preconfigured trailers with essential hardware and connectivity to an alternate site. Considering Marketiser's vulnerability to hurricanes, the strategy allowed swift activation and relocation with minimal lead time. To validate their strategy, Danielle and the team conducted real-time recovery exercises, testing their ability to restore data and resume critical operations within the defined RTO.

Marketiser's business continuity process is illustrated in Scenario 5. Is this process compliant with ISO 22301?

According to ISO 22301, what should the top management ensure when establishing the business continuity policy?

Scenario:

Clicked is a law firm that handles complex clients' needs and offers a wide range of legal and tax services. Clicked’s professionals are equipped with an in-depth knowledge of the legal and regulatory requirements. They are committed to providing their clients with the best services and legal advice. Considering that it is essential to meet their clients' needs, Clicked decided to implement a BCMS based on ISO 22301 to provide them uninterrupted services.

To implement the BCMS, the top management of Clicked decided to contract an external consultant, Tris, as the BCMS project manager, and assembled a team of four members to aid in the process. Prioritizing a smoother integration of the BCMS, the top management focused on incorporating it into the company's existing operational procedures. Additionally, the top management and the project team chose to adopt the Plan-Do-Check-Act (PDCA) model as their implementation approach, allowing for a systematic and phased approach to establishing and maintaining the BCMS.

Then, the top management and Tris compiled a document containing the financial benefits and consequences of every decision they were going to make during the implementation of the BCMS. The top management also agreed that the project implementation should be finalized within a six-month timeframe, encompassing planning through the completion of the last implementation stage.

The project team initiated the implementation process by analyzing the company's internal and external context. This involved evaluating Clicked’s compliance with all applicable legal requirements and understanding the key services, necessary activities, and resource allocation, including staff expertise and technological tools. Based on this analysis, the top management and Tris established specific business continuity objectives. Their primary goal was to ensure that all critical legal services could be resumed within a two-hour timeframe following any disruptive incident to minimize client impact.

To facilitate the implementation of the BCMS, the top management prioritized integrating the BCMS within Clicked’s current operational processes. Is this acceptable?