As a CISO, you intend to establish a business continuity management system (BCMS) compliant with the ISO 22301 standard. You are considering the scope of the BCMS.  Which of the following least affects your decision of the scope?
A. Business impact analysis
B. Customer’s needs
C. Organizational structure
D. Employee’s attitude

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Business impact analysis.

Business impact analysis (BIA) is conducted after the scope has been defined.

To determine the scope, we have to conduct an analysis of the context of the organization, or external and internal environment analysis. The purpose of the analysis is to identify stakeholders, issues, and constraints.

The stakeholder analysis is then conducted to determine the needs and requirements. The employee is one of the stakeholders.

The scope is typically determined based on the results of those analyses.

There is a more in-depth justification from Chaudhary: