ISO 22301 (BCMS) Lead Auditor Quiz Questions and Answers

What is the root cause of the phishing attack that occurred at RDK in May 2021?

Answer :
  • The lack of staff awareness

Explanation :

The staff of RDK attended training that presumably enhanced the skills they needed to complete their tasks. Nonetheless, they were neither trained on nor made aware of the risks to which the company could be exposed, such as cyberattacks. This lack of awareness is also why they were unable to take any action during or after the incident, since their roles and responsibilities had not been defined.

How did business continuity management evolve as a discipline?

Answer :
  • Due to the necessity of minimizing the negative impacts of any operational interruption

Explanation :

Business continuity management grew out of information technology disaster recovery (ITDR), which addressed the risk of losing critical data once companies began relying on computers for their everyday work. Today, business continuity management is regarded as a discipline that significantly reduces the magnitude of the negative impacts of business disruptions.

Given that the BCMS policy was made available to the audit team only after the auditor pointed out that the policy was not maintained as documented information, what should the audit team do?

Answer :
  • Issue a nonconformity, as the policy was not available and the staff and other interested parties could not access it

Explanation :

The auditor should not overlook the fact that the business continuity policy was not made available to interested parties. Instead, the auditor should report this as a nonconformity, since ISO 22301 requires organizations to maintain the business continuity policy as documented information, communicate it within the organization, and make it available to interested parties as appropriate.

What recommendation should be issued if the auditee has complied with the requirements of the standard, but a few minor nonconformities have been detected?

Answer :
  • Recommendation for certification, conditional upon filing of corrective actions

Explanation :

In this case, the auditor issues a recommendation for certification that is conditional upon the filing of corrective action plans. The auditee is required to submit a corrective action plan for each minor nonconformity within a reasonable period of time. If the corrective action plans are accepted, the auditee can then be certified.

Which of the following courses of action should be taken by the auditor, given that some nonconformities were identified in SDS’ BCMS?

Answer :
  • The auditor issues a corrective action request, the auditee prepares a corrective action plan, the auditor evaluates the adequacy of the responses

Explanation :

If a nonconformity is detected and the certification recommendation is conditional upon the filing of corrective actions, the auditor should issue a corrective action request to the auditee. The auditee should then prepare a corrective action plan. Afterward, the auditor should evaluate whether the auditee’s responses adequately address the nonconformity.

Which statement is true regarding an observer?

Answer :
  • The auditor should be informed about the presence of an observer prior to the commencement of the audit

Explanation :

The presence of observers should be agreed upon before the audit begins. Any arrangements for observers regarding access, health and safety, environmental, security, and confidentiality requirements should be managed between the audit client and the auditee. Observers should not influence or interfere in the audit; if this cannot be assured, the audit team leader should have the right to deny observers from being present during certain audit activities.

Among other things, ________________________ consists of identifying an organization’s critical activities and the resources needed to support its prioritized activities.

Answer :
  • Business impact analysis

Explanation :

The organization shall use the business impact analysis process to determine its business continuity priorities and requirements. The process shall identify the activities that support the provision of products and services, and determine which resources are needed to support the prioritized activities.

What are the steps of the business continuity planning process?

Answer :
  • Business impact analysis; recovery strategies; plan development; tests and exercises

Explanation :

To ensure the successful implementation of the BCMS, an organization should have a process for business continuity planning. This process consists of the following steps: conducting a business impact analysis, identifying recovery strategies, developing the plan, and conducting tests and exercises.

What is the first step that should be taken when planning the business impact analysis (BIA)?

Answer :
  • Determining the approach and data collection method

Explanation :

The initial activity when planning the BIA is determining the approach and the data collection method. The insights generated from data collection then serve to identify key products and services, select the impacts to be analyzed, and prepare the BIA tools.

What did the audit team demonstrate when they decided to use the claims of the auditee as the main evidence to draw audit conclusions?

Answer :
  • Lack of professional skepticism

Explanation :

Maintaining professional skepticism is important in minimizing the risk of drawing false audit conclusions. Rather than relying on the word of the auditee, auditors should seek objective evidence that supports the claims made by the auditee’s representatives.