PECB ISO-22301-Lead-Implementer Actual Questions

Page: 4 / 5

Question 16

Scenario:

Prebank is a multinational financial institution. Its services include banking and investing through banking centers, ATMs, and mobile banking platforms. With millions of clients, Prebank's database systems record vast amounts of data and transactions daily. Its main activities depend on the ability of its employees to access clients' data through its database system at any time.

Recently, Prebank's database system stopped working unexpectedly. Soon after, it was discovered that this disruption was caused by the maintenance work on the road outside the company's office building. During the road repair, the workers had unintentionally damaged a water pipe that leaked into Prebank's basement. This leakage affected the company's electrical infrastructure, resulting in a loss of power, which shut down equipment and computers in the server room. Consequently, employees were unable to access Prebank's database system.

After this incident, the employees immediately notified Prebank's IT team. Subsequently, the IT team informed both the maintenance company responsible for the roadworks and the insurance company. The company responsible for maintenance told Prebank's IT team that the maintenanceteam was not available for the day. Since Prebank did not have a plan for responding to similar disruptions, they had to stop working and go home. Thankfully, the maintenance team arrived at the scene on the next day and made all the necessary repairs, allowing Prebank to resume all its operations.

Following these events, Prebank decided to change its strategy and procedures to prioritize business continuity planning within the company. Its main focus was to address the root cause of disruptions to improve business continuity. As such, the top management decided to implement a Business Continuity Management System (BCMS) based on ISO 22301.

After setting the company's business continuity objectives, the company established a project team, including a project manager and four additional team members. The BCM team was responsible for managing the BCMS implementation process, whereas the top management was responsible for the effectiveness of the BCMS. Through analyzing potential risk scenarios, the team defined Prebank's business continuity strategy as well as the resources for supporting business continuity within the company. This enabled the team to predict the impact of disruptions caused by various incidents, such as power outages. Following these actions, the company established a business continuity plan to manage disruptions effectively without impacting the workflow.

The effective implementation of the BCMS helped Prebank not only minimize losses and ensure continuity in its services but also absorb and adapt to a changing environment.

As stated in Scenario 1, Prebank's IT team was not briefed on how to handle a power outage. What does this indicate?

Options:

Lack of a business continuity plan

Violation of business continuity principles

Inadequate segregation of duties

Answer:

Explanation:

Context of Prebank's Situation:The scenario describes a critical service disruption due to a power outage caused by external factors, coupled with the inability of the IT team to respond effectively. This reflects a fundamental gap in preparedness and response mechanisms.

Requirement for a Business Continuity Plan (BCP):According to ISO 22301:2019, clause 8.4.4 mandates that organizations must establish, implement, and maintain documentedBusiness Continuity Plans (BCPs). These plans should outline responses to various disruptions, including system outages, infrastructure damage, and external incidents.

Evidence of Non-Conformance:

The IT team was unprepared to manage the incident, highlighting an absence of predefined procedures or training on handling power outages.

No contingency plans were in place to maintain critical operations during the outage.

The lack of immediate recovery or fallback measures indicates the absence of a robust BCP, as stipulated inISO 22301:2019 Clause 8.4.3.

Violation of BCMS Framework Requirements:A comprehensive BCMS includes Business Impact Analysis (BIA) and Risk Assessments (RA) to anticipate disruptions and plan appropriate strategies (Clauses 8.2.2 and 8.3). Prebank's lack of a prepared response indicates these components were either inadequate or missing.

Clarification of Incorrect Options:

Option B (Violation of business continuity principles): While principles may have been overlooked, the root issue is the non-existence of a documented and actionable BCP, which is a core deliverable under ISO 22301.

Option C (Inadequate segregation of duties): There is no evidence in the scenario to suggest a failure related to duties allocation or role responsibilities.

Action Plan for Compliance:

Immediate: Establish a documented BCP addressing power outages, including clear roles, fallback solutions, and communication protocols.

Training and Awareness: Train IT staff on incident management and ensure alignment with BCP objectives (Clause 7.3).

Ongoing Improvement: Use management reviews (Clause 9.3) and audits (Clause 9.2) to evaluate the BCMS and incorporate lessons learned from this incident.

Question 17

Scenario:

Headquartered in Sri Lanka, Operons Inc. is a freight forwarding company that adopted a BCMS aligned with ISO 22301. Prior to the certification audit, Operons Inc. measured gaps between their BCMS and the standard's requirements to ensure compliance. The certification body was contracted to conduct the audit, and a biased auditor from a previous ISO 9001 audit was replaced upon request. During the audit, two minor nonconformities were identified, and the audit team issued a recommendation for certification.

The top management determined the time required to plan and accomplish the audit activities, and they agreed that the audit activities should be completed within two weeks. Is this acceptable?

Options:

No, the certification body determines the time required to plan and accomplish the audit activities.

No, the external audit activities for a BCMS must take more than two weeks to be completed.

Yes, the top management must determine the audit time, usually no more than two weeks, for the completion of audit activities.

Question 18

Scenario:

Fundon is a financial services company certified against ISO 22301. As part of their BCMS, the company has established an exercise program. Due to an unexpected situation, the exercise coordinator of Fundon decided to suspend the exercise, which was planned to be conducted next week.

Is this acceptable?

Options:

Yes, the exercise coordinator may suspend or stop an exercise if an unexpected situation, such as a real incident, occurs.

No, the decision of stopping or suspending an exercise should be made only by the top management of the organization.

No, ISO 22301 requires organizations to always perform exercise programs if they were planned.

Question 19

Scenario:

Teleconn, a UK-based telecommunications provider, initiated a BCMS based on ISO 22301 to ensure reliable and consistent services. To monitor the BCMS’s performance, the internal audit function was outsourced to a company specializing in auditing services. The outsourced internal auditor was given unrestricted access to employees and documented information necessary for an effective audit.

According to Scenario 6, based on management reviews, the top management decided to establish new performance indicators to measure the effectiveness of the updated controls, including real-time monitoring of network stability and incident response times. What did the top management determine in this case?