Which method entails the use of unstructured narrative style to inform specific factors and the overall work performance?
PERT
SMART
PDCA
LEAN
SMART is an acronym for Specific, Measurable, Achievable, Relevant, and Time-bound. It is a method of setting objectives and evaluating performance that uses an unstructured narrative style to inform both specific factors and the overall work performance. SMART objectives are clear, realistic, and measurable, and they help to align the individual's goals with the organization's strategy. SMART objectives also provide feedback and motivation for the individual and the team. References: ISO 22301 Auditing eBook, page 321
Which functions are directly responsible for the delivery of products and services?
Normal functions
Supporting functions
Procedural functions
Critical functions
According to ISO 22301:2019, Clause 3.10, critical functions are the functions that are directly responsible for the delivery of products and services to the customers and other interested parties. Critical functions are essential for the organization to achieve its objectives, protect its reputation, and meet its legal and contractual obligations. Critical functions are also the ones that are most vulnerable to disruption, and therefore require the highest level of protection and recovery capability. The identification and prioritization of critical functions are part of the business impact analysis (BIA) process, which is a key component of the business continuity management system (BCMS). References: ISO 22301:2019, Clause 3.10; ISO 22301 Auditing eBook, Chapter 4.2.2.
All outsourced functions or processes that are part of the organization's delivery system should be included in the scoping analysis.
True
False
All outsourced functions or processes that are part of the organization's delivery system should be included in the scoping analysis, as they can have a significant impact on the organization's ability to deliver its products or services in the event of a disruption. The organization should also consider the dependencies and interdependencies between its internal and external functions or processes, and the potential consequences of their failure or disruption. The organization should define the scope of its business continuity management system (BCMS) based on the results of the scoping analysis and document it in the BCMS policy. References: ISO 22301 Auditing eBook, page 29; ISO 22301:2019 standard, clause 4.3
Which of the following evaluation processes enables senior executives to manage decisions on building resilience in the development programme?
Resources Allocation
New Product/Service Assessment
Process Evaluation
Adaptation
The evaluation process that enables senior executives to manage decisions on building resilience in the development programme is the new product/service assessment. This process evaluates the potential impact of new products or services on the organization's business continuity objectives, risks, and capabilities. It helps senior executives to identify and prioritize the business continuity requirements and resources needed for the successful launch and delivery of new products or services, and to monitor and review the performance and effectiveness of those products or services against the business continuity objectives and expectations.
Which of the following approaches identifies potential threats to an organisation and impacts to business operations?
Business Process Management
Business Continuity Management
Six Sigma Approach
ISMS Security Process
Business Continuity Management (BCM) is the approach that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. BCM provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Which stage helps management to define where focus and resources should be invested?
Evaluation
Mitigation
Monitoring
Reviewing
Reviewing is the stage that helps management to define where focus and resources should be invested. According to ISO 22301, reviewing is the process of evaluating the performance and effectiveness of the business continuity management system (BCMS) and identifying opportunities for improvement. Reviewing can be done through internal audits, management reviews, performance evaluations, and corrective actions. It helps management to ensure that the BCMS is aligned with the organization's strategic objectives, meets the needs and expectations of interested parties, complies with the applicable requirements, and continually improves its resilience and capability to respond to disruptive incidents. References: ISO 22301 Auditing eBook, page 171; ISO 22301:2019, clause 9
Which compliance has always been a challenge to organizations since it has a significant influence on corporate planning?
Quality
Regulatory
Security
Insurance
Regulatory compliance is the adherence to laws, regulations, guidelines and specifications relevant to an organization’s business processes. It has always been a challenge to organizations since it has a significant influence on corporate planning, such as strategic objectives, policies, procedures, risk management, performance measurement and improvement. Regulatory compliance can also affect the organization’s reputation, customer satisfaction, stakeholder confidence and legal liability. Therefore, organizations need to establish, implement, maintain and improve a business continuity management system (BCMS) that meets the requirements of ISO 22301 and other applicable regulations. References: ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems (BCMS), Section 1.2: Regulatory Compliance, page 9.
Which objectives take the form of targets to enhance organizational resilience?
Business Continuity
Business Service
Business Strategy
Business Process
Business continuity objectives are the objectives that take the form of targets to enhance organizational resilience, as defined by ISO 22301. They are derived from the business continuity policy and the results of the business impact analysis (BIA) and risk assessment (RA). Business continuity objectives are measurable, consistent, and relevant to the organization's business continuity requirements and strategies; they are aligned with the organization's strategic direction and communicated to all relevant parties. They are one of the key requirements of ISO 22301, as they provide the basis for planning, implementing, monitoring, reviewing, and improving the business continuity management system (BCMS). References: ISO 22301 Auditing eBook, page 28; ISO 22301:2019, clause 6.2
Which review uncovers the vulnerability and exposure of the organizational activities to specific types of risk?
Crisis Assessment
Continuity Assessment
Critical Assessment
Risk Assessment
A risk assessment is a review that uncovers the vulnerability and exposure of the organizational activities to specific types of risk. It helps to identify, analyze, and evaluate the potential threats and impacts that could affect the organization's ability to achieve its objectives and maintain its continuity, and to determine the appropriate risk treatment options and controls to reduce the likelihood and/or consequences of the risks. A risk assessment is an essential part of the business continuity management system (BCMS), as it enables the organization to prioritize its business continuity requirements and resources based on the level of risk.
Which two (2) are the key areas of Exercise?
Staff
Organisation
Stakeholder
Plans
The key areas of exercise are organisation and plans. According to the ISO 22301 Auditing eBook, an exercise is a process to train for, assess, practice, and improve performance in an organization. The purpose of an exercise is to evaluate the organization's capability to respond to a disruptive incident and implement its business continuity plans. The key areas of exercise are therefore the organization itself, which includes its structure, roles, responsibilities, resources, and culture, and the plans that define the objectives, scope, scenarios, procedures, and evaluation criteria of the exercise. These two areas are essential to ensure that the exercise is realistic, relevant, effective, and aligned with the organization's business continuity objectives and expectations.
Which one of the following initiative of Business Continuity Management helps in preparing the entire organization in advance of any major incident?
Leadership
Governance
Good Business Practice
Long Range Focus
Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities1. One of the main objectives of BCM is to prepare the entire organization in advance of any major incident, so that it can respond and recover effectively and efficiently. This is achieved by implementing a Business Continuity Management System (BCMS), which is a set of policies, processes, procedures, roles, responsibilities, resources, and plans that enable an organization to manage business continuity2.
According to ISO 22301, the international standard for BCMS, one of the benefits of implementing a BCMS is that it helps an organization to establish a culture of good business practice, which is an initiative that helps in preparing the entire organization in advance of any major incident3. Good business practice means that an organization follows the management principles shared across the ISO management system standards, such as customer focus, leadership, engagement of people, a process approach, improvement, evidence-based decision making, and relationship management. By adopting these principles, an organization can enhance its resilience, reduce its risks, improve its performance, and increase its customer satisfaction.
The other options are not correct because they are not initiatives of BCM that help in preparing the entire organization in advance of any major incident. Leadership is a principle of business continuity, but it is not an initiative by itself. It refers to the role of top management in establishing the BCMS, providing direction and support, and ensuring its effectiveness. Governance is a function of the organization that ensures that the BCMS is aligned with the strategic objectives, complies with the legal and regulatory requirements, and meets the expectations of the interested parties. Long range focus is a characteristic of a resilient organization, but it is not an initiative of BCM. It means that an organization anticipates and adapts to the changing environment, and plans for the future.
References: 1: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.4; 2: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 3.5; 3: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Introduction; ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 0.2; ISO 22301 Auditing eBook, Chapter 2.2.2; ISO 22301 Auditing eBook, Chapter 2.1.1
Improvement consists of two elements: (Choose two)
Nonconformity and corrective action
Continual improvement
Service design
Strategy and Improvement Plan
According to ISO 22301:2019, clause 10, improvement consists of two elements: nonconformity and corrective action, and continual improvement. Nonconformity and corrective action is the process of identifying and addressing any deviations from the requirements of the standard or the organization's own policies and procedures. It involves taking actions to eliminate the causes of nonconformities, prevent their recurrence, and reduce their impact. Continual improvement is the process of enhancing the suitability, adequacy, and effectiveness of the BCMS and its performance. It involves identifying and implementing opportunities for improvement based on the results of monitoring, measurement, analysis, evaluation, internal audit, and management review. References: ISO 22301 Auditing eBook, page 11; ISO 22301:2019, clause 10; ISO 22301: Clause 10 - Improvement (ISO Templates and Documents Download); ISO 22301 continuous improvement – How to achieve it (Advisera)
Which system / standard brings together all existing standards and a collection of good practices to develop a universal approach to Business Continuity Management (BCM)?
ISO 22400
ISO 27001
ISO 9008
ISO 22301
ISO 22301 is the system/standard that brings together all existing standards and a collection of good practices to develop a universal approach to Business Continuity Management (BCM). ISO 22301 is the international standard for Security and resilience — Business continuity management systems — Requirements. It specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. ISO 22301 is based on the high-level structure (HLS) that provides a common framework for all management system standards, which ensures consistency and alignment with other standards such as ISO 9001 (quality management), ISO 14001 (environmental management) and ISO 27001 (information security management). ISO 22301 also incorporates best practices and guidance from other sources, such as ISO 22313 (guidelines for business continuity management systems), ISO 22317 (guidelines for business impact analysis), ISO 22318 (guidelines for supply chain continuity), ISO 22320 (guidelines for incident management) and ISO 22398 (guidelines for exercises). ISO 22301 aims to provide a universal approach to BCM that is applicable to all types and sizes of organizations, regardless of their nature, sector, or location.
The knowledge of BCM and its methodology relates to Technical expertise.
True
False
The knowledge of BCM and its methodology is not related to technical expertise, but to domain expertise. Technical expertise refers to the knowledge and skills related to the audit process, such as audit principles, procedures, techniques, and tools. Domain expertise refers to the knowledge and skills related to the specific field of the audit, such as BCM concepts, terms, definitions, requirements, and best practices. References: ISO 22301 Auditing eBook, page 11; ISO 19011:2018, clause 7.2.2
Which type of interview employs verbal questioning as its principal technique of data collection?
Private interview
Personal interview
A personal interview is a type of interview that employs verbal questioning as its principal technique of data collection. It is a face-to-face conversation between the interviewer and the interviewee, in which the interviewer asks open-ended or closed-ended questions to obtain information from the interviewee. A personal interview can be conducted in various settings, such as the interviewee's workplace, home, or a neutral location, and can be structured, semi-structured, or unstructured, depending on the level of flexibility and standardization of the questions. It can be used for different purposes, such as assessing the interviewee's competence, motivation, attitude, or opinion on a certain topic, and it can help to establish rapport, trust, and credibility between the interviewer and the interviewee. A personal interview has both advantages and disadvantages.
Which step in PDCA Cycle Implements previous selected controls to meet the control objectives?
Plan
Do
Check
Act
The Do step in the PDCA cycle implements the previously selected controls to meet the control objectives. According to the ISO 22301 Auditing eBook, the Do step involves implementing and operating the business continuity policy, controls, processes, and procedures that were planned in the previous step. The Do step also includes establishing the necessary resources, competencies, awareness, communication, and documentation to support the effective operation of the business continuity management system (BCMS). The Do step aims to ensure that the organization is prepared to respond to and recover from disruptive incidents in a timely and effective manner. References: ISO 22301 Auditing eBook, pages 9, 10, 11, 22, 23, and 24.
How many types of strategies are involved in Process-Centric approach?
4
5
6
7
According to the ISO 22301 Auditing eBook, there are five types of strategies involved in the process-centric approach to business continuity management; the eBook lists them on pages 40-42. References: ISO 22301 Auditing eBook, pages 40-42
Which of the following document is owned by executive management and sets the purpose of BCM in an organisation?
Business Continuity Policy
Business Process Policy
Register
Worksheet
The document that is owned by executive management and sets the purpose of BCM in an organization is the Business Continuity Policy. The Business Continuity Policy is a high-level document that defines the scope, objectives, principles, and roles and responsibilities for business continuity management within the organization. It also demonstrates the commitment of top management to support and continually improve the BCMS. The Business Continuity Policy is one of the mandatory documents required by ISO 22301, the international standard for BCMS12.
The other options are not correct because they are not documents that are owned by executive management and set the purpose of BCM in an organization. A Business Process Policy is a document that describes the procedures and rules for performing a specific business process, such as procurement, sales, or accounting. A Register is a document that records and tracks the status of certain items, such as risks, incidents, or assets. A Worksheet is a document that contains data and calculations, such as a spreadsheet or a form.
References: 1: ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, 5.3; 2: ISO 22301 Auditing eBook, Chapter 2.2.2
How should the top management demonstrate its commitment to the BCMS?
appoint a business continuity manager
conduct effective management reviews of the BCMS
ensure that BCM objectives are aligned to the strategic goals of the business
hire external expertise regarding BCM
The top management should demonstrate its commitment to the business continuity management system (BCMS) by conducting effective management reviews of the BCMS and by ensuring that the business continuity management (BCM) objectives are aligned to the strategic goals of the business. Both are requirements of ISO 22301, the international standard for business continuity management systems, under clause 5.1: Leadership and commitment.
Management reviews are periodic evaluations of the BCMS by the top management to assess its suitability, adequacy, and effectiveness. Management reviews help to ensure that the BCMS is performing as intended and meeting the requirements and expectations of the interested parties. Management reviews also help to identify and address any issues, gaps, or opportunities for improvement in the BCMS. Management reviews should be conducted at planned intervals, based on the organization’s needs and context. Management reviews should consider various inputs, such as the performance and results of the BCMS, the feedback and satisfaction of the interested parties, the internal and external audits, the corrective actions, the changes that may affect the BCMS, etc. Management reviews should also produce various outputs, such as the decisions and actions related to the improvement and effectiveness of the BCMS, the allocation of resources, the revision of policies and objectives, the communication of the results and outcomes, etc. Management reviews are an important way for the top management to demonstrate its commitment to the BCMS, as they show that the top management is actively involved in overseeing and supporting the BCMS.
BCM objectives are the specific and measurable outcomes that the organization intends to achieve with its BCMS. BCM objectives help to guide and direct the organization’s BCM activities and processes, as well as to evaluate and improve the organization’s BCM performance and capability. BCM objectives should be consistent with the organization’s business continuity policy and aligned with the organization’s strategic goals and vision. BCM objectives should also be relevant and meaningful to the organization’s context and needs, as well as the requirements and expectations of the interested parties. BCM objectives should be established and maintained by the top management, in consultation with the relevant stakeholders. BCM objectives should also be communicated and understood within the organization, as well as reviewed and updated regularly to reflect the changing circumstances and needs of the organization. Ensuring that the BCM objectives are aligned to the strategic goals of the business is an important way for the top management to demonstrate its commitment to the BCMS, as it shows that the top management is integrating BCM into the organization’s overall strategy and direction.
Which of the following Audit verifies that the BCM Programme activities are adequately managed through conformance?
Maintenance
Dependency
Quality
Security
A quality audit verifies that the BCM programme activities are adequately managed through conformance to the BCMS requirements, policies, and procedures. It also evaluates the effectiveness and efficiency of the BCMS processes and the continual improvement of the BCMS performance. A quality audit can be internal or external, depending on who performs it. References: ISO 22301 Auditing eBook, page 19; ISO 22301:2019, clause 9.2
Which of the following has determined roles and responsibilities based on knowledge and skills profiles?
People
Premises
Suppliers
Reputation
According to ISO 22301:2019, Clause 7.2, the organization must determine the necessary competence of persons doing work under its control that affects its business continuity performance. The organization must ensure that these persons are competent on the basis of appropriate education, training, or experience, and where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken. The organization must also retain appropriate documented information as evidence of competence. Therefore, people are the ones who have determined roles and responsibilities based on knowledge and skills profiles, as they are the key resources for implementing and maintaining the business continuity management system (BCMS). References: ISO 22301:2019, Clause 7.2; ISO 22301 Auditing eBook, Chapter 4.2.2.
______________ are individuals or groups that have an interest in the organization's performance.
Individuals
Customers
Stakeholders
Competitor
Stakeholders are individuals or groups that have an interest in the organization's performance. According to the ISO 22301 Auditing eBook, "Stakeholders are persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity of the organization. Stakeholders can be internal or external to the organization. Examples of internal stakeholders are employees, managers, owners, and board members. Examples of external stakeholders are customers, suppliers, regulators, investors, competitors, media, and the public." Stakeholders have different needs and expectations regarding the organization's business continuity management system (BCMS) and its ability to respond to and recover from disruptive incidents. Therefore, the organization needs to identify its relevant stakeholders, understand their requirements and expectations, and communicate with them effectively and appropriately. This is one of the requirements of ISO 22301, the international standard for business continuity management systems, which requires the organization to determine the interested parties that are relevant to its BCMS and the requirements of those interested parties. "Interested party" is the term ISO 22301 uses for a stakeholder, with "stakeholder" listed as an admitted term. The organization also needs to monitor and review the information about these interested parties and their requirements, as they may change over time.
Which type of planning minimizes impacts due to the unavailability of key staff?
Succession
Regression
Recovery
Backup
Succession planning is the type of planning that minimizes impacts due to the unavailability of key staff. It is a process of identifying and developing potential successors for key positions in an organization, and it helps to ensure the continuity of leadership and critical skills in the event of staff turnover, retirement, resignation, illness, death, or any other cause of unavailability. Succession planning is an important component of business continuity management, as it reduces the risk of disruption and loss of performance due to the loss of key staff. It also helps to retain and motivate high-potential employees and to enhance the organization's reputation and attractiveness as an employer. Succession planning should be aligned with the organization's strategic objectives, culture, and values, and based on a systematic assessment of the current and future needs of the organization as well as the competencies and potential of the existing and prospective staff. It should involve the participation and commitment of senior management, human resources, and the relevant staff, and be reviewed and updated regularly to reflect the changing circumstances and needs of the organization.
Corporate Services and Information Technology are the functions that provide a range of physical and technological infrastructure services to all other functions.
True
False
Corporate Services and Information Technology are the functions that provide a range of physical and technological infrastructure services to all other functions, such as human resources, finance, legal, procurement, facilities, security, IT systems, networks, applications, databases, etc. These functions are essential for the continuity of the organization’s operations, as they support the delivery of products and services to customers and stakeholders. Therefore, they need to be included in the scope and objectives of the business continuity management system (BCMS), and their roles and responsibilities need to be defined and communicated. References: ISO 22301 Auditing eBook, Chapter 2: Business Continuity Management System (BCMS), Section 2.1: Scope and Objectives, page 23.
Which activities are exposed to innumerable threats that have the potential to compromise the achievement of corporate goals?
Formal
Organizational
Structural
Procedural
Organizational activities are the actions and processes that an organization performs to achieve its objectives and deliver its products and services. These activities are exposed to innumerable threats that have the potential to compromise the achievement of corporate goals. Such threats can be internal or external, natural or man-made, intentional or accidental, and can affect the organization's resources, capabilities, reputation, and continuity.
Policy documents are developed in accordance with the framework of objectives.
True
False
Policy documents are developed in accordance with the framework of objectives, which are derived from the organization's strategic direction, context, and the needs and expectations of interested parties. Policy documents provide guidance and direction for the organization's business continuity management system (BCMS) and set the overall tone and commitment of top management. They also define the scope and boundaries of the BCMS and the roles and responsibilities of the relevant parties. References: ISO 22301 Auditing eBook, page 28; ISO 22301:2019 standard, clause 5.2
Which framework is a continuous and progressive cycle that requires managerial, operational, administrative and technical support?
Product Management
Project Management
Programme Management
Process Management
Process management is the framework that is a continuous and progressive cycle requiring managerial, operational, administrative and technical support. Process management refers to the design, implementation, monitoring, evaluation, and improvement of the processes that deliver value to the organization and its stakeholders. The cycle is continuous and progressive because processes are constantly subject to change and improvement, based on the changing needs and expectations of the organization and its stakeholders. Process management also supports the implementation and maintenance of a business continuity management system (BCMS), as it helps the organization to identify, protect, and optimize its critical business processes and resources, and to ensure their continuity and resilience in the event of a disruption.
The timeframe for task completion is called ___________.
Task
Timescale
Scope
Resource
According to ISO 22301:2019, Clause 6.2, the organization must establish business continuity objectives at relevant functions and levels. The business continuity objectives must be consistent with the business continuity policy, measurable, monitored, communicated, and updated as appropriate. The organization must also retain documented information on the business continuity objectives. One of the elements that should be included in the documented information is the timescale for the task completion. The timescale is the period of time within which the task or activity must be completed, such as hours, days, weeks, or months. The timescale helps to define the expected performance and results of the business continuity management system (BCMS), and to evaluate the progress and effectiveness of the implementation and operation of the BCMS. References: ISO 22301:2019, Clause 6.2; ISO 22301 Auditing eBook, Chapter 4.2.2.
Which function(s) provide support to the critical functions?
Supporting functions
Procedural functions
Supporting functions are the functions that provide support to the critical functions of an organization, such as human resources, finance, IT, or facilities management. They are essential for the continuity of the critical functions, but they are not directly involved in delivering the products or services to the customers. Supporting functions are also part of the scope of the business continuity management system (BCMS) and need to be identified, analyzed, and protected by the organization. They are one of the key concepts of ISO 22301, as they help the organization to determine its business continuity requirements and strategies. References: ISO 22301 Auditing eBook, page 23; ISO 22301:2019, clause 8.2.2
___________ is an integrated set of processes and tools that an organization uses to develop its strategy and transform it into actions.
Management System
Life Cycle Process System
Corporate Management System
Enterprise Management System
A management system is an integrated set of processes and tools that an organization uses to develop its strategy, transform it into actions, and monitor and evaluate its performance and effectiveness. A management system helps an organization to achieve its objectives and continually improve its performance.