1. Business Continuity Institute (BCI), "Good Practice Guidelines (GPG), 2018 Edition."
Reference for Correct Answer (C): The GPG separates the BCM Lifecycle into distinct Professional Practices (PP). The development of the response structure is covered in PP 5: Implementation (specifically Section 8.3, "Developing and Implementing a Response"). The planning and execution of exercises are covered in PP 6: Validation (specifically Section 9.2, "Develop an Exercise Programme"). This structural separation in the official BCI framework demonstrates that the exercise plan is part of the validation program, not a requirement for the response structure itself.
Reference for Incorrect Options (A, B, D): PP 5: Implementation, Section 8.3.2 "Structure" and 8.3.3 "Incident Response Plan (IRP)," explicitly detail the need for defined teams (B), roles, responsibilities, and communication requirements (A), which include specific notifications to interested parties like regulators (D).
4. International Organization for Standardization (ISO), "ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements."
Reference for Correct Answer (C): Clause 8.5, "Business continuity procedures," details the requirements for response structures. Clause 9.2, "Internal audit," and Clause 9.1, "Monitoring, measurement, analysis and evaluation," cover the validation activities, including exercising. The standard treats the establishment of procedures and their validation as separate, though related, requirements.
3. Carnegie Mellon University, Software Engineering Institute, "CSIRT Development," Courseware.
Reference for Incorrect Options (A, B): Incident response team structures, such as those developed by CERT/CC, universally define the team structure (B) and communication protocols (A) as foundational elements. The courseware on creating a Computer Security Incident Response Team (CSIRT) emphasizes defining the team's structure, roles, and communication plan as the initial, critical steps. Exercising is presented as a maturity and validation activity.