
PECB Exam ISO-22301-Lead-Auditor Topic 6 Question 56 Discussion

Actual exam question for PECB's ISO-22301-Lead-Auditor exam
Question #: 56
Topic #: 6

The purpose of risk management for business continuity is to find out what problems an organization may face.

How should the level of risk for an organization be determined?

Suggested Answer: A

According to ISO 22301:2019, Clause 6.1.2, the organization must establish, implement, and maintain a documented process to manage risks related to the continuity of its critical functions and the achievement of its business continuity objectives. The risk management process should include the identification, analysis, and evaluation of the risks that may cause disruption to the organization's operations, products, and services.

The level of risk for an organization should be determined by combining the consequence and likelihood of the events that may lead to disruption, as well as the organization's risk criteria, risk appetite, and risk tolerance. The consequence of an event is the impact or effect that it may have on the organization's objectives, reputation, stakeholders, and resources. The likelihood of an event is the probability or frequency that it may occur, based on historical data, statistical analysis, expert judgment, or other methods.

The organization should use appropriate tools and techniques to assess the level of risk, such as risk matrices, risk registers, risk maps, or risk software. The organization should also document the results of the risk assessment and communicate them to relevant interested parties. The purpose of risk management for business continuity is to find out what problems an organization may face, and to take appropriate actions to prevent, mitigate, or transfer the risks, or to accept them if they are within the organization's risk criteria.

Reference: ISO 22301:2019, Clause 6.1.2; ISO 22301 Auditing eBook, Chapter 4.2.2.

Contribute your Thoughts:

Antonio
1 day ago
I believe combining acceptable and tolerable events is also crucial in determining the level of risk.
upvoted 0 times
Chauncey
1 day ago
Combining consequence and likelihood of events? Sounds like the way to go! I mean, who doesn't love a good risk assessment?
upvoted 0 times
Vincent
3 days ago
I agree with Tony. It's important to consider both the impact and the probability of events.
upvoted 0 times
Tony
7 days ago
I think the level of risk should be determined by combining consequence and likelihood of events.
upvoted 0 times