Effective CISSP Questions

Your company initiated a business continuity program (BCP) to implement the business continuity management system (BCMS) compliant with ISO 22301. The BCP team is planning for business continuity. Which of the following is the most feasible requirement? (Wentz QOTD)
A. The BCP team shall also consider the incident response.
B. Risk assessment shall be completed before business impact analysis.
C. Risk assessment shall be completed during business impact analysis.
D. The scope of BCP shall be enterprise-wide to cover the enterprise as a whole.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. The BCP team shall also consider the incident response.

“The organization shall identify and document business continuity plans and procedures based on the output of the selected strategies and solutions. The procedures shall focus on the impact of incidents that potentially lead to disruption.” (Clause 8.4.1, ISO 22301:2019)

Business Continuity Management History

Many organizations have proposed business continuity methodologies, approaches, frameworks, or standards. The International Organization for Standardization (ISO) is one of the best known; it defined ISO 22301:2019, the standard for business continuity management systems (BCMS). The following verbal forms are used in the ISO standard. Similar keywords for indicating requirement levels in RFCs are defined in RFC 2119.

  • “shall” indicates a requirement;
  • “should” indicates a recommendation;
  • “may” indicates a permission;
  • “can” indicates a possibility or a capability.

Business Continuity Management System (BCMS)

Business Continuity Policy

ISO 22301:2019 “specifies the structure and requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity appropriate to the amount and type of impact that the organization may or may not accept following a disruption… The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.”

  • Business continuity is the “capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.” (ISO 22300:2018)
  • Management system is a “set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.” (ISO 22301: 2019)
  • Disruption is an “incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organization’s objectives.” (ISO 22300:2018)
  • Incident is an “event that can be, or could lead to, a disruption, loss, emergency or crisis.” (ISO 22300:2018)

The Scope of Business Continuity Planning

The scope of BCP “CAN” be enterprise-wide to cover the enterprise as a whole. Even though it is commonly agreed that a BCP “should” cover the organization as a whole, this is not mandatory, because an organization’s resources are limited.

Enterprise-wide BCP
Source: Harris, Shon; Maymi, Fernando. CISSP All-in-One Exam Guide, 7th Ed. McGraw-Hill.

Business Impact Analysis (BIA) and Risk Assessment

The ISC2 Certified Information Systems Security Professional Official Study Guide (OSG) introduces the business impact assessment as a wrapper process that includes risk assessment. ISO 22301, however, treats business impact analysis and risk assessment as distinct processes or steps: clause 8.2.2 prescribes business impact analysis, and clause 8.2.3 prescribes risk assessment. The clause order may seem to imply a sequence, but the standard adds a note stating that risk assessment can be conducted before business impact analysis. To sum up, ISO 22301 does not prescribe the sequence of business impact analysis and risk assessment.

Business Impact Analysis (OSG)
Source: Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP ISC2 Certified Information Systems Security Professional Official Study Guide. Wiley.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your company has launched a business continuity program to implement a business continuity management system (BCMS) that complies with ISO 22301. The BCP team is planning for business continuity. Which of the following is the most feasible requirement? (QOTD)
A. The BCP team must also consider incident response.
B. Risk assessment must be completed before business impact analysis (BIA).
C. Risk assessment must be completed during business impact analysis (BIA).
D. The scope of the BCP must be enterprise-level and cover the entire enterprise.

2 thoughts on “CISSP PRACTICE QUESTIONS – 20210517”
