
EXIN Business Continuity Management Foundation based on ISO 22301

Preparation Guide

Edition June 2016


Copyright 2016 EXIN

All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing
system or circulated in any form by print, photo print, microfilm or any other means without written permission by EXIN.

Preparation Guide EXIN Business Continuity Management Foundation based on ISO 22301 (BCMF.EN)
Content

1. Overview
2. Exam requirements
3. List of Basic Concepts
4. Literature

1. Overview
EXIN Business Continuity Management Foundation (BCMF.EN)

Scope
The subjects of this module are:
- The content of ISO22301:2012, Societal Security Business Continuity Management - Requirements;
- The implementation phases of the ISO22301;
- The implementation elements of the ISO22301;
- Implementing system management;
- The Plan-Do-Check-Act cycle within this framework;
- Management involvement;
- Business Impact Analysis;
- Risk Analysis;
- Communication plan.

Summary
Business continuity management is a holistic management process that identifies potential
threats to an organization and the impacts to business operations those threats, if realized,
might cause. It provides a framework for building organizational resilience with the capability of
an effective response that safeguards the interests of its key stakeholders, reputation, brand
and value-creating activities (Source: ISO 22301:2012).

Context
The Certificate EXIN Business Continuity Management is part of the overall qualification
scheme for Cyber Security.

Target group
Everyone in the organization must be aware of the Business and its Continuity. This certification is
directed at candidates who are involved or have an interest in the implementation of Business
Continuity within their organization: CEOs, CIOs, Security Officers and Quality Managers,
Operational Managers, Developers, Business and Technical Teams; for when the Continuity of an
organization comes to a halt for whatever reason, everyone in the organization must be aware of
the consequences and the solutions.

Requirements for certification

Successful completion of the EXIN Business Continuity Management Foundation exam

Examination details
Examination type: Computer-based or paper-based multiple-choice questions
Number of questions: 40
Pass mark: 65%
Open book/notes: No
Electronic equipment/aids permitted: No
Time allotted for examination: 60 minutes

The Rules and Regulations for EXIN's examinations apply to this exam.

Training
Contact hours
The recommended number of contact hours for this training course is 24. This includes group
assignments, exam preparation and short breaks. This number of hours does not include
homework, logistics for exam preparation and lunch breaks.

Indication study effort
60 hours, depending on existing knowledge

Training provider
You can find a list of our accredited training providers at www.exin.com.

2. Exam requirements
The exam requirements are specified in the exam specifications. The following table lists the topics
of the module (exam requirements) and the subtopics (exam specifications).

Exam requirement                                                                Weight %
    Exam specification

1. Context of the organization                                                  20
    1.1 The organization and its context
    1.2 Business continuity management system (BCMS)

2. Leadership                                                                   15
    2.1 Management commitment & Policy
    2.2 Roles & Responsibilities

3. Planning & Support                                                           15
    3.1 Planning
    3.2 Support

4. Operation                                                                    40
    4.1 Planning & Control
    4.2 Business Impact Analysis & Risk Assessment
    4.3 Strategy and procedures

5. Performance evaluation and improvement                                       10
    5.1 Exercising, testing, monitoring, measurement, analysis and evaluation
    5.2 Improvement

Total                                                                           100%

Exam specifications

1. Context of the organization 20%


1.1 The organization and its context
The candidate understands the context of the organization in relation to planning for and
managing of business continuity
The candidate can
1.1.1 describe how to determine the external context of the organization
1.1.2 describe how to determine the internal context of the organization
1.1.3 explain the importance of the needs and expectations of interested parties
1.1.4 explain the importance of legal and regulatory requirements
1.2 Business continuity management system (BCMS)
The candidate understands the purpose of the business continuity management system
(BCMS)
The candidate can
1.2.1 explain the elements of the scope of the BCMS
1.2.2 explain what a BCMS is and how it fits in with other management systems

2. Leadership 15%
2.1 Management commitment & Policy
The candidate understands the importance of management commitment in planning for and
managing the business continuity system
The candidate can
2.1.1 explain the vital implications of management commitment
2.1.2 describe how top management can demonstrate its commitment to managing
business continuity
2.1.3 explain the elements of a business continuity policy
2.2 Roles & Responsibilities
The candidate understands the roles, responsibilities and authorities of staff involved in
planning for and managing business continuity
The candidate can
2.2.1 describe the different roles in planning for and managing business continuity
2.2.2 identify the necessary competences in planning for and managing business
continuity
3. Planning & Support 15%

3.1 Planning
The candidate understands the purpose of risk assessment in planning for and managing
business continuity
The candidate can
3.1.1 explain the steps in addressing risk and opportunities within the BCMS
3.1.2 describe how the business continuity objectives are established and managed
3.2 Support
The candidate understands the supporting elements of the business continuity management
system (BCMS)
The candidate can
3.2.1 describe the necessary resources for planning for and managing of business
continuity
3.2.2 explain the importance of incident response personnel
3.2.3 describe how the right level of competence of persons undertaking BCMS work is
secured
3.2.4 clarify the importance of communication regarding business continuity in the
organization
3.2.5 clarify the importance of documented information and a document management
system
3.2.6 clarify the importance of appropriate awareness regarding the BCMS in the
organization

4. Operation 40%
4.1 Planning & Control
The candidate understands the elements of the operational part of the BCMS
The candidate can
4.1.1 name the elements of the BCMS
4.1.2 identify control mechanisms within the BCMS for effective operational planning and
control
4.1.3 describe how effective management of the BCM environment is established
4.1.4 describe how effective maintenance of business continuity is established
4.1.5 list outcomes indicative of an effective BCM

4.2 Business Impact Analysis & Risk Assessment
The candidate understands the operation of BIA and Risk Assessment
The candidate can
4.2.1 describe the purpose of the Business Impact Analysis and its content
4.2.2 explain the concept of business impact and different types of impact
4.2.3 explain the basic concepts of the Business Impact Analysis
4.2.4 explain the concept of Risk Assessment and the different elements
4.2.5 name BCM related threats, risks and impact
4.3 Strategy and procedures
The candidate understands the organizational strategy and the related procedures
The candidate can
4.3.1 explain the relationship between the business continuity strategy and the procedures
4.3.2 describe the process of establishing and implementing business continuity
procedures
4.3.3 explain the content of a Business Continuity Plan
4.3.4 describe the procedures included in the Business Continuity Plan

5. Performance evaluation and improvement 10%


5.1 Exercising, testing, monitoring, measurement, analysis and evaluation
The candidate understands the evaluation of the BCMS performance
The candidate can
5.1.1 explain the process of exercising and testing the business continuity plan and how to
ensure its effectiveness and readiness
5.1.2 explain the process of monitoring, measuring, analyzing and evaluating the BCMS
and its purpose
5.1.3 explain the process of internal audit and how to secure conformity
5.1.4 explain the purpose of the Management Review
5.2 Improvement
The candidate understands the Act stage of PDCA in business continuity
The candidate can
5.2.1 explain the importance of acting on nonconformities and taking corrective actions
5.2.2 explain the importance of continual improvement of the BCMS and its content

3. List of Basic Concepts
This chapter contains the terms and abbreviations with which candidates should be familiar.

Please note that knowledge of these terms alone does not suffice for the exam; the candidate must
understand the concepts and be able to provide examples.

Activity                                        Maintaining
Analysis                                        Management review
Analyzing                                       Management system
Audit                                           Maximum Acceptable Outage (MAO)
Awareness                                       Maximum Tolerable Period of Disruption (MTPD)
Business Continuity (BC)                        Measurement
Business Continuity Management (BCM)            Minimum Activity Level (MAL)
Business Continuity Management System (BCMS)    Minimum Business Continuity Objective (MBCO)
Business Continuity Plan (BCP)                  Monitoring
Business Continuity Program                     Mutual Aid Agreement
Business Impact Analysis (BIA)                  Nonconformity
Commitment                                      Objective
Communication                                   Opportunity
Competence                                      Organization
Conformity                                      Outsourcing
Context                                         Performance
Continual improvement                           Performance evaluation
Correction                                      Personnel
Corrective action                               Policy
Criteria                                        Procedure
Document                                        Process
Documented information                          Products
Document Management System (DMS)                Prioritized activities
Effectiveness                                   Record
Establishing                                    Recovery Point Objective (RPO)
Evaluating                                      Recovery Time Objective (RTO)
Evaluation                                      Requirement
Event                                           Resource(s)
Exercise                                        Risk
Exercising                                      Risk appetite
Expectations                                    Risk Assessment (RA)
Factors                                         Risk management
Implementing                                    Roles and Responsibilities
Incident                                        Services
Infrastructure                                  Stakeholder
Interested party                                Testing
Internal audit                                  Top management
Invocation                                      Verification
Leadership                                      Work environment

4. Literature
A Dejan Kosutic
Becoming Resilient The definite guide to ISO 22301 Implementation
The plain English, step-by-step handbook for business continuity practitioners
Zagreb, EPPS Services Ltd, 2013
ISBN: 978-953-57452-3-5 (eBook)
ISBN: 978-953-57452-4-2 (printed book)

Additional Literature
B International Standard Organization
ISO 22301:2012
Societal security -- Business continuity management systems -- Requirements
ISO, Switzerland, Geneva, 2012

C International Standard Organization
ISO 22313:2012
Societal security -- Business continuity management systems -- Guidance
ISO, Switzerland, Geneva, 2012

Notes:
- Additional literature is for in-depth knowledge.

Literature reference

Exam requirement  Exam specification  Literature  Literature reference
1                 1.1                 A           Ch 5.1; 5.3
                  1.2                 A           Ch 5.4; 4.4; 4.5
2                 2.1                 A           Ch 3; 4.2; 5.5
                  2.2                 A           Ch 5.5; 5.7
3                 3.1                 A           Ch 6.4; 5.6
                  3.2                 A           Ch 6.11; 5.7; 5.2
4                 4.1                 A           p. 236; Ch 6; 7.1
                  4.2                 A           Ch 6.2, 6.3, 6.4, 6.5, 6.6
                  4.3                 A           Ch 6.7; 6.9; 6.10; 6.11; 6.12; 6.13; 6.14
5                 5.1                 A           Ch 7.1; 7.4; 7.5; 7.6
                  5.2                 A           Ch 7.7

Contact EXIN

www.exin.com
