
Certified Lead Implementer Professional for ISO 22301 Business Continuity Management Systems

Exercises
This document contains all the Exercises provided to participants. Answers and
comments specific to instructors are displayed in gray shaded boxes (like this one). If
answers are not provided for an Exercise, it is because there is no right answer for
the questions or tasks; in these cases, instructors should rely on their experience to
respond to participant work.

This document includes instructions for the participant exercises. Each exercise
describes the purpose, directions, and the allotted time for completion.

Keep in mind that there may be more than one correct answer for an exercise. Try to
identify the strongest or most direct answer in each case, and be prepared to
consider, defend, or rebut alternate answers raised during class discussions.

Table of Contents:

Exercise 1: Short Test on ISO 22301 ............................................ 2
Exercise 2: Terms and Definitions .............................................. 3
Exercise 3: Incidents, Disruptions and Impacts ................................. 5
Exercise 4: Internal and External Issues ....................................... 6
Exercise 5: Scope of Registration for Pacific Telecom .......................... 7
Exercise 6: Top Management Responsibilities .................................... 8
Exercise 7: BCMS Policy for Pacific Telecom .................................... 9
Exercise 8: Implementation Considerations ..................................... 12
Exercise 9: BC Objectives ..................................................... 13
Exercise 10: Communications ................................................... 14
Exercise 11: Operation Processes .............................................. 15
Exercise 12: Business Impact Analysis ......................................... 16
Exercise 13: Risk Assessment for Pacific Telecom .............................. 17
Exercise 14: BCM Strategy for Pacific Telecom ................................. 18
Exercise 15: Incident Response Structure (IRS) - Plan ......................... 19
Exercise 16: Monitoring and Measuring Analysis and Evaluation ................. 20

Exercises (IG)
BCM02301ENIN V3.1 Mar 2014

The British Standards Institution 2012 1 of 20

Exercise 1: Short Test on ISO 22301


Purpose:
To understand the clauses and requirements of ISO 22301.

Duration:
15 minutes Individual work
10 minutes discussion

Directions:
This is a short quiz to establish your knowledge and understanding of ISO 22301 for
the Lead Implementer course.

Answer all statements with true or false (T/F).

ISO 22301 requires that:                                                    True/False

1. There is a greater emphasis on planning than on other items from PDCA.
2. Risk is a theme that runs throughout ISO 22301.
3. Not everyone working within the scope of the BCMS needs to be aware of BC.
4. The organization needs to determine what needs to be monitored, measured and analyzed.
5. Risk appetite is where an organization determines what risks need to be addressed.
6. Only interested parties internal to the organization need to be considered.
7. Top management need to have an involvement in exercises and tests.
8. The BCMS needs to take into account organizational strategy.
9. BC Strategy tells you how to deal with an incident.
10. It is acceptable that exercises and tests are carried out on an ad-hoc basis.
11. The effectiveness of any corrective actions taken must be determined.
12. There is a link between Clause 4.1 and Clause 8.1.
13. Documented information can only be in hard copy.
14. The purpose of continual improvement is to enhance the effectiveness of the BCMS.
15. The BCM policy needs to be determined before the objectives.
16. Risk treatment comes before risk assessment.
17. BC plans can be written before the BIA.
18. Whenever there is a disruptive incident, the relevant authorities should always be informed.
19. An organization must return to providing a full service and products after an incident.
20. The scope of the BCMS can take into account only those parts of an organization that have a direct effect on the products and services to be provided.

Exercise 2: Terms and Definitions


Purpose:
To consolidate understanding of clauses and requirements within ISO 22301

Duration:
20 minutes individual work
15 minutes discussion

Directions:
As individuals, using the definitions from ISO 22301 Clause 3, review the terms and
definitions and note which definition belongs to which term. Write the letter of
the matching definition next to the appropriate term.

Terms:

Documented information
Business Continuity Management
Recovery time objective (RTO)
Process
Business continuity plan (BCP)
Interested party (stakeholder)
Maximum Acceptable Outage (MAO)
Products and services
Risk
Exercise
Minimum Business Continuity Objective (MBCO)
Management system
Business continuity management system

Definitions:

A. Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity.
B. Period of time following an incident within which product or service must be resumed, or activity must be resumed, or resources must be recovered.
C. Minimum level of services and/or products that is acceptable to the organization to achieve its business continuity objectives during a disruption.
D. Time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.
E. Information required to be controlled and maintained by an organization and the medium on which it is contained.
F. Set of interrelated or interacting activities which transforms inputs into outputs.
G. Effect of uncertainty on objectives.
H. Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
I. Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
J. Beneficial outcomes provided by an organisation to its customers, recipients and interested parties, e.g. manufactured items, car insurance, regulatory compliance and community nursing.
K. Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.
L. Activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure that the plan(s) contains the appropriate information and produces the desired result when put into effect.
M. Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives.

Exercise 3: Incidents, Disruptions and Impacts


Purpose:
Determine the relationships between incidents, disruptions and impacts.

Duration:
20 minutes individual work
10 minutes discussion

Directions:
List incidents that lead to disruptions that lead to impacts for your organization.

The main impacts are likely to be:


People
Premises
IT
Finance
Utilities
Suppliers

How the delegates get to the impacts doesn't matter.

Incident                    Disruption                    Impact

Exercise 4: Internal and External Issues


Purpose:
Focus on issues related to your organization.

Duration:
20 minutes individual work
10 minutes discussion

Directions:
Referring to your lecture notes and the course slides, list some internal and external
issues for your organization that could have an impact on business continuity.

Exercise 5: Scope of Registration for Pacific Telecom


Purpose:
Determine what makes a good scope for a business continuity management system.

Duration:
20 minutes individual work
10 minutes discussion

Directions:
Three examples of possible scope statements for a certified BCMS for Pacific
Telecom are given below. They're modeled on typical real-life scope statements and
are neither especially good nor bad. Identify the pros and cons of each. When you have
considered these, write a draft scope for your own organization and share it with other
delegates.

Scope Option 1
The management of Business Continuity at Mumbai and Delhi

Pros

Cons

Scope Option 2
The management of the high availability of the Telecom Services provided by
Pacific Telecom from Mumbai

Pros

Cons

Scope Option 3
The management of Business Continuity in Mumbai operations.

Pros

Cons

Exercise 6: Top Management Responsibilities


Purpose:
To enable participants to describe some of the key responsibilities of top
management.

Duration:
20 minutes individual work
10 minutes discussion

Directions:
This may be a group or single exercise as directed by the instructor. Review Clauses
4, 5, 6, and 7 of ISO 22301 and list five or more responsibilities of top management.
Who will be key in your organization to achieving a properly implemented system, i.e.
who do you need to gain commitment from? Be prepared to provide your answers
either orally or on a flip chart for class discussion, depending on the instructor's
directions.

Exercise 7: BCMS Policy for Pacific Telecom


Purpose:
Determine the relationships between policy and management goals.

Duration:
30 minutes individual work
10 minutes discussion

Directions:
The BCMS Policy gives direction to the BC professionals who will establish and
maintain the BCMS. It is top management's answer to the question, "Why are we
building an ISO 22301 BCMS?"

The requirements of ISO 22301 Clause 5, along with the Scope and Interested Parties,
comprise the major content of the Policy.

Assume that the scope has been defined to include the entire company and its
operations, and that the key products and services are:
Delivery of mobile voice and packet
Point of interconnect (POI) commissioning
Maintenance of Servers, Switch and Relay base
Customer Service

The following three examples of BCMS Policy and Objectives for Pacific Telecom
are neither especially good nor bad. Check whether they meet the requirements of
Clause 5 and identify the pros and cons of each. Then identify three questions you
would ask of top management in order to draft a BCMS policy that meets business
needs beyond "Get the ISO 22301 Certificate".

BCMS Policy Option 1


1. The purpose of the BCMS is to enable Pacific Telecom to manage incidents
involving disruption of telecom services to customers, and disruptions to the
network.
2. The BCMS should enable compliance with customer contracts (SLAs) and
relevant laws and regulations, especially those concerned with telecom
operations.
3. The primary objective of the BCMS is to manage the telecom services and the
network so as to preserve the reputation of Pacific Telecom for consistent,
reliable and uninterrupted service.
4. The BCMS Policy is approved and supported by the Deputy Chairman.

BCMS Policy Option 2


Top management at Pacific Telecom recognizes that effective business continuity
management is vital to protecting customers from the consequences of disruption.
We are therefore committed to establishing and maintaining a Business Continuity
Management System that:

1. Maintains compliance with relevant laws and regulations in all countries within
which we operate, specifically with regard to telecom protocols.
2. Delivers the premium services to customers to the best of our ability despite
disruptions due, for example, to network failure/congestion or power supply
shortages or even inclement weather.
3. Assesses business impact of disruptions and risks on a continuing basis and
establishes incident management plans and mitigation measures
commensurate with business impact, especially with regard to the company's
reputation for reliable service and integrity of the telecom network.
4. Sets standards for business continuity management that are communicated to
all employees.
5. Sets standards for handling business continuity incidents and weaknesses
such as to minimize their effect on customers, preserve our reputation, and
record actions and decisions taken for future reference.
6. Exercises our incident response structure, incident management and BC
management plans on a regular basis such that our business continuity
arrangements are continually validated.
7. Conforms to the requirements of ISO 22301 and is certified as such.

BCMS Policy Option 3

1. The objective of the Business Continuity Management System (BCMS) is to
protect Pacific Telecom from disruptions that could have an adverse impact
on quality of service and the company's reputation. The BCMS defines
methods and accountabilities for managing disruptions in order to preserve, to
the best of our ability:
a. Delivery of mobile voice and packet
b. Point of interconnect (POI) commissioning
c. Maintenance of Servers, Switch and Relay base
d. Customer Service

2. The BCMS defines methods and accountabilities for maintaining legal and
regulatory compliance in all operations despite disruption, especially with
regard to the telecom protocols.
3. The BCMS will be independently certified as conformant to ISO 22301.
4. Business impact analysis and risk assessment will be conducted annually, or
when significant events occur either directly involving Pacific Telecom or our
competitors or the telecom industry in general.
5. The BCMS will be managed by a management team who reports directly to
the Deputy Chairman. All departments and personnel are expected to
co-operate and comply with relevant BCMS procedures: BC is everyone's
responsibility.
6. Business disruptions, or the potential for disruption, must be reported
immediately by phone or in person to a Manager, who will be responsible for
either dealing with the incident or escalating to the Incident Management
Team as appropriate.
7. The BCMS provides means for enabling top managers to assess business
continuity capability across the business on an annual basis. These
assessments are used to evaluate the effectiveness of the system and
establish business continuity budgets and priorities.

Exercise 8: Implementation Considerations


Purpose:
To enable participants to consider the implementation of ISO 22301, focusing on
Clauses 5, 6, and 7.

Duration:
15 minutes individual work
20 minutes discussion

Directions:
This may be a group or single exercise as directed by the instructor.

What is important to be able to successfully implement ISO 22301?

Expanding on that, list five important resources required to successfully
implement a BCMS.
How could you demonstrate you satisfy the requirements of Clauses 5, 6, and 7?

Exercise 9: BC Objectives
Purpose:
Determine BC objectives.

Duration:
30 minutes individual work
20 minutes discussion

Directions:
What five main objectives might there be for your organization, using the five items to
be achieved? Use the table below to list the five items to be achieved from Clause
6.2.

Table columns:
Objective
Who will be responsible?
What will be done?
What resources will be required?
When will it be completed?
How will the results be evaluated?

Exercise 10: Communications


Purpose:
Learn to consider the need for communications with interested parties.

Duration:
20 minutes individual work
10 minutes discussion

Directions:
Communications is a very important aspect of a BCMS. Determine five primary
interested parties that should be communicated with in the event of an impact and
what, when, and how they would communicate. Refer back to Exercise 2 and choose
one of the impacts from that list.

Exercise 11: Operation Processes


Purpose:
Determine key aspects of processes.

Duration:
20 minutes individual or group work
10 minutes discussion

Directions:
Individually or in workgroups as assigned by your instructor:
Identify at least four key processes, within Clause 8, with their defined inputs
and outputs, as required by ISO 22301.
Identify the resources (people, skills, technology, etc.) that would be required
to implement these processes.

Exercise 12: Business Impact Analysis


Purpose:
Practice considerations of a BIA.

Duration:
75 minutes group work
45 minutes discussion

Directions:
Your instructor will assign you to small workgroups. Conduct the activities below for
your organization. Many of the answers will be the same for all organizations.

Activity 1
Please use ISO 22301 clause 8.2.2 to devise a questionnaire that could be
completed by key managers, supervisors and staff at your organization as an initial
step in the BIA.

As a reference point, the first question is: Please identify a product or service to
analyze.

In many organizations, the answer to the above question will be defined by the BC
manager and the questionnaire sent to all departments that may be concerned with
supporting it.

Activity 2
In general terms, to whom in an organization should such a questionnaire be
directed?

How should questionnaire results be verified to ensure their accuracy and
completeness (especially if there is a risk that inconvenient activities may be
omitted, or impacts of disruption overstated)?

Who should analyze questionnaire returns and perhaps facilitate further analysis?

How much analysis should be conducted?

Exercise 13: Risk Assessment for Pacific Telecom


Purpose:
Carry out a risk assessment for Pacific Telecom.

Duration:
45 minutes individual work
15 minutes discussion

Directions:
As individuals or as directed by the instructor, assess the risk for Pacific Telecom (PT),
specifying risk criteria and risk appetite.

Exercise 14: BCM Strategy for Pacific Telecom


Purpose:
Determine factors related to a Business Continuity Strategy.

Duration:
25 minutes individual work
15 minutes discussion

Directions:
As individuals or as directed by the instructor, read through the material below and
follow the directions.

Here are the salient points from Pacific Telecom's BIA, Risk Assessment and
Treatments, relevant to determining its BC Strategy:
It must be prepared for warehouse failure, or denial of warehouse (e.g.
through flood, pandemic, electricity failure)
It must anticipate Switch and Relay failures
It must expect Point of Interconnect (POI) to fail
It must be prepared for failure in MSC
Its priorities are to continue to provide Mobile 3G services as identified in the
Policy workshop

Please use the guidance in ISO 22313 Clause 8 to suggest outline strategies that
meet the requirements of ISO 22301 Clause 8.3 for Pacific Telecom and that address
People, Premises, Technology, Information, Supplies and Stakeholders.

Exercise 15: Incident Response Structure (IRS) - Plan


Purpose:
To understand the components of an Incident Response Structure (IRS) Plan.

Duration:
25 minutes group work
15 minutes discussion

Directions:
Discuss within your group the probable Table of Contents for an IRS Plan and
provide responses as directed by the instructor.

Exercise 16: Monitoring and Measuring Analysis and Evaluation


Purpose:
To determine what is required of a monitoring and measuring program for a BCMS.

Duration:
15 minutes group work
15 minutes discussion

Directions:
Discuss the following within your group and provide responses as directed by the
instructor:
1. What needs to be measured and monitored?
2. How would your organization go about monitoring and measuring its BCM and
BCMS?
3. How would you ensure that your organization is continuing to meet interested
party, contractual and regulatory requirements?
Review these activities in relation to the Plan-Do-Check-Act cycle.
