View CBCI Exam Questions

Q: 1

Which of the following is a factor that should be taken into consideration when developing an exercise program?

Options

Discussion

Noah Feb 20, 2026 10:02 pm

A . The key thing is that an exercise program isn't a one-time thing, it's made up of scheduled events over time (A). D sounds tempting but it's a trap because BCI best practice says to test all plans and teams, not just a sample. If someone has seen different guidance, let me know.

SharpMentor4743 Feb 14, 2026 7:28 pm

A imo

Alex A. Mar 5, 2026 8:41 pm

Its A. Official guide talks about scheduling a series of exercises over time, not just doing it once or sampling. If you want to double check, the official manual or practice exam explains this pretty clear.

Robin O. Feb 17, 2026 6:54 am

Nah, not D. A is the real factor since BCI stresses an ongoing series of activities, not just testing a sample once.

Ivy N. Feb 21, 2026 1:52 am

These BCI practice questions always mess with my head. I'd pick D since it makes sense that you could just test a sample of plans and teams and get a good picture, especially if resources are limited. Pretty sure that's how some orgs do it in practice, but not totally certain-it'd be great to hear if someone else sees it differently.

Aaron Mar 3, 2026 10:15 am

Anyone used the official guide or sample tests for BCI prep here? Wondering if they stress that exercise programs should be ongoing (like A) or ever support just sampling as in D.

LaylaK Mar 1, 2026 9:21 am

A had a pretty similar question in a mock test and it matched up. The key is that exercises should cover a series of activities, not just a one-off thing. Seen this phrasing before.

Grace J. Mar 2, 2026 11:52 am

C or D? I tend to pick D here since sometimes exercises just use a sample of plans/teams to avoid resource drain, especially in big orgs. Maybe that's not full best practice though. Any strong arguments against D?

Alex H. Feb 18, 2026 11:19 am

I think D since sometimes only a sample of teams gets tested if resources are tight or phased.

Chloe U. Feb 28, 2026 6:46 pm

A every time. Exercise programs need to be ongoing with multiple activities, that's straight from BCI methodology. Sampling or single tests (the other options) miss key coverage. Pretty sure this is what the exam expects, but open if someone has a different reference.

Be respectful. No spam.

Correct Answer:

Explanation

An effective exercise program is not a single, isolated event but a structured and progressive series of activities scheduled over a defined period. This programmatic approach allows an organization to build and mature its capabilities incrementally, often starting with simpler exercises (e.g., tabletop discussions) and advancing to more complex simulations. The purpose is to validate different components of the business continuity management system (BCMS) over time, train personnel, and foster a culture of continuous improvement. This ensures that all critical plans and teams are eventually tested and that the organization's overall resilience is enhanced.

Why Incorrect

B. Exercises must be conducted periodically as part of a continuous improvement cycle, not just once, to validate changes and maintain readiness.

C. A variety of exercise types are necessary to test different aspects of plans and team capabilities effectively; a single type is insufficient.

D. A comprehensive program should aim to cover all critical plans and recovery teams over its lifecycle, not just a limited, unrepresentative sample.

References

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition: In Professional Practice 5 (Validation), Section 8.3, "The Exercise Programme," states, "The exercise programme is a series of scheduled events and activities designed to practise, test, and review BCM plans and capabilities." This directly supports the concept of a series of events over time.

2. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements: Clause 8.5, "Business continuity exercise programme," requires the organization to "establish, implement and maintain a business continuity exercise programme." The standard also notes that the programme shall "be varied over time in terms of type and complexity," which contradicts the single-type approach in option C.

3. NIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities: Section 3.1, "TT&E Program Strategy," emphasizes the need for a "multi-year TT&E program strategy" that uses a "building-block approach," progressing from simple to more complex exercises over time. This aligns with the correct answer and refutes the notion of a single exercise or type.

Q: 2

Which of the following is NOT a way in which an organization can use exercise programs to ensure and validate supply chain continuity?

Options

Discussion

Ava H. Feb 14, 2026 10:42 pm

Option A is correct. Including key suppliers in an internal exercise doesn't really make sense since that would be a joint exercise, not internal. Trap is thinking D, but internal exercises can still help validate supply chain impact. Disagree?

Jordan S. Feb 27, 2026 8:33 pm

A . Saw similar wording in practice tests, and official guide spells out the difference between internal and joint exercises pretty clearly.

SharpAuditor6240 Feb 24, 2026 10:35 am

Ishaan Feb 19, 2026 9:12 pm

D Internal exercises might not always catch supply chain issues directly, so I could see someone picking this. Am I off base?

Daniel V. Feb 26, 2026 5:00 am

C or A

Pretty sure it's A since you can't call an exercise "internal" if it includes key suppliers. That would turn it into a joint exercise instead. The others make sense for validating supply chain continuity with outside parties. Let me know if I missed something.

ThoughtfulAnalyst7332 Feb 25, 2026 4:57 am

Its D
Actually wait, reading closer it has to be A. Internal exercise means just your own staff, so if you include suppliers it isn’t internal anymore. The others all make sense as valid supply chain continuity checks. Pretty sure A is the odd one out but open to other takes if I missed something.

Ben W. Mar 6, 2026 6:37 pm

C/D? But after reading it again, A stands out. You can't call an exercise "internal" if you're bringing suppliers into it. Pretty sure that's the point they're testing here but correct me if I'm off.

Ishaan G. Mar 3, 2026 9:13 am

Internal exercises including suppliers? Doesn't the CBCI guide say those are separate? Official practice exams might clarify.

Layla O. Feb 20, 2026 1:26 am

C/D? Might be D since just running internal impact assessments doesn’t always validate the full supply chain.

Ryan B. Feb 22, 2026 11:24 pm

Nah, I don't think it's D. A stands out because if you include suppliers in something called an "internal exercise" it stops being internal. Feels like a classic wording trap here, seen similar in practice sets. Disagree?

Be respectful. No spam.

Correct Answer:

Explanation

An exercise that includes an external organization, such as a key supplier, is by definition a joint or collaborative exercise, not an internal one. An internal exercise is restricted to the organization's own personnel and resources to test internal plans and capabilities. While exercising with suppliers is a highly effective validation method, describing it as an "internal exercise" is a contradiction in terms. The other options represent standard and valid methods for an organization to use its exercise program and related assurance activities to validate supply chain continuity.

Why Incorrect

B. This is a common due diligence activity where an organization verifies a supplier's preparedness without direct joint participation.

C. Contractually obligating suppliers via SLAs to conduct and report on exercises is a formal mechanism for ensuring supply chain resilience.

D. Internal exercises are crucial for an organization to understand its own dependencies and the potential business impact of a specific supply chain failure.

References

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition.

Section 9.3.2, "Exercise participants": This section explicitly distinguishes between different types of exercises based on participants. It defines an internal exercise as one "involving only the organization’s own staff." It defines a joint exercise as one "involving external organizations, such as suppliers, battle-box or data storage providers, customers, or emergency services." This directly supports that including a supplier (an external party) makes an exercise joint, not internal, rendering option A incorrect.

Section 7.4, "Managing supplier and outsourcing arrangements": This section details methods for supply chain assurance, stating that an organization should "obtain evidence of the supplier’s BCM programme" and that "contractual arrangements should include the right to require the supplier to participate in exercises." This validates options B and C as correct practices.

Section 9.2, "Exercise programme": The purpose of an exercise program is to "validate business continuity plans" and "assess the likely impacts of a disruption." This supports option D, as assessing the impact of a supply chain failure is a valid objective for an internal exercise.

Q: 3

Analysing information about how an organization has responded to incidents, including engagement with those impacted and its approach to responsibility, can provide insight into the organization's:

Options

Discussion

Morgan J. Feb 17, 2026 10:31 pm

Makes sense to go with A here. How an org communicates and takes ownership after incidents really shows what their culture is like, especially around transparency and responsibility. Not seeing how business plan or structure would fit as directly. Pretty sure it's A but open to other takes.

Priya F. Mar 2, 2026 7:22 am

Option A

ArjunA Feb 18, 2026 12:08 pm

I don’t think A is right here. D, since incident response often highlights structure like chains of command more than just culture.

Sean Mar 5, 2026 2:14 pm

Its D for me since analyzing incident response can highlight reporting lines and responsible teams, which is classic org structure stuff. Maybe I'm missing something about culture but question feels more about formal roles. Anyone see it differently?

Sofia U. Mar 4, 2026 1:55 am

A , D is a common trap here since structure feels relevant, but the focus on engagement points more toward culture.

Reese O. Feb 28, 2026 2:53 am

B, Does it matter if they mean 'best insight' or just 'any insight'? Would switch if they clarify that.

Nathan Z. Mar 3, 2026 10:47 am

A every time. When you look at how an org handles accountability and talks to people after incidents, that really shows what its culture is about, not just lines on an org chart. Disagree?

Layla Feb 27, 2026 12:13 pm

Got this on a practice set and it's always worded so oddly. A imo

ThoughtfulArchitect5410 Mar 4, 2026 12:16 am

A tbh

DirectSec9765 Feb 19, 2026 12:55 pm

C/D? Meera makes a good point about structure and responsibility, but I think the question leans more toward A. The communication style and openness in incident response really show what kind of culture an org has. Hard to see how business plan or targets fit here. Pretty sure it's A but I get why D is tempting-thoughts?

Be respectful. No spam.

Correct Answer:

Explanation

Analyzing how an organization responds to incidents, including its communication with impacted parties and its approach to accountability, provides a direct and powerful insight into its organizational culture. Culture is defined by the shared values, beliefs, and behaviors that characterize an organization—often described as "the way we do things around here." An incident response under pressure reveals these underlying values in action, far more than any policy document. A transparent, empathetic, and responsible response indicates a positive and resilient culture, whereas a secretive or blame-oriented response suggests a dysfunctional one.

Why Incorrect

B. Business targets: These are specific, measurable objectives (e.g., financial goals). An incident response reflects values and behaviors, not the organization's predefined performance targets.

C. Business plan: This is a formal document outlining strategy and goals. The actual response to an incident demonstrates the organization's enacted culture, which may differ from its documented plans.

D. Structure: This refers to the formal hierarchy and reporting lines. While structure influences who responds, the manner of the response reflects the organization's character and values (culture), not its organizational chart.

References

1. Business Continuity Institute (BCI), "Good Practice Guidelines (GPG), 2018 Edition." In Professional Practice 2 (PP2): Embedding Business Continuity, Section 4.3, "Organizational Culture," it is stated that "An organization’s culture is a combination of the shared values, attitudes, and patterns of behaviour that give the organization its particular character." The analysis of past incident responses is a method to assess these actual patterns of behavior.

2. Pauchant, T. C., & Mitroff, I. I. (1992). Transforming the crisis-prone organization: Preventing individual, organizational, and environmental tragedies. Jossey-Bass. This foundational text on crisis management argues that an organization's culture is a primary determinant of how it will prepare for and respond to crises. Analyzing past responses is a key diagnostic for understanding this culture. (Chapter 3: "Diagnosing the Crisis-Prone Organization: The Search for Cultural and Unconscious Factors").

3. Smith, D., & Elliott, D. (2007). "Exploring the Attenuating Effect of Cognitive Biases on the Senior Management Team's Crisis Preparedness." Journal of Contingencies and Crisis Management, 15(4), 183-193. This article discusses how organizational culture and leadership attitudes (which are revealed during incident response) are critical factors in crisis management effectiveness, distinct from formal plans or structures. DOI: https://doi.org/10.1111/j.1468-5973.2007.00523.x

Q: 4

When considering solutions for supplier strategies, the Business Continuity professional should ensure that:

Options

Discussion

Chloe X. Feb 18, 2026 5:54 pm

Why does BCI keep putting these questions in every practice set? It's A.

Taylor C. Feb 24, 2026 5:05 pm

A. seen this kind of scenario in official guide questions. Business continuity always ties supplier capability directly to your Recovery Time Objectives, so that's what the exam looks for. If you're prepping, check the BCI syllabus and do some practice with real-life case studies too.

Nora Feb 22, 2026 6:56 pm

Ethan J. Mar 6, 2026 6:37 pm

Option A suppliers need to match the organization's RTOs. That's always highlighted in official guide and practice tests for CBCI. Pretty sure that's best for BC strategy, anyone see support for another option?

Neha H. Feb 26, 2026 7:06 am

A is the one here. Suppliers have to meet your RTOs or your whole continuity plan is at risk. Procurement review is good practice but not the main concern for BC strategy. Pretty sure this is what CBCI wants, but open to debate.

Ivy U. Mar 2, 2026 6:34 am

It's gotta be A, because aligning supplier capabilities with your RTOs is the core of business continuity planning. If they can't match your recovery timeframes, nothing else holds up. Makes sense for CBCI, but open if someone sees it differently.

RyanP Feb 26, 2026 5:23 pm

C or A seen similar question in practice tests, but A is what matches the BC requirement about aligning supplier capability with RTOs.

Sanjay Feb 21, 2026 2:49 pm

A makes sense, supplier capability has to match the org's RTOs for real continuity. Not just about BAU or procurement review here.

Jamie T. Mar 2, 2026 1:43 pm

A is right, suppliers must meet the org's RTOs to support business continuity. Just having good quality in BAU (B) or procurement review (C) isn't enough for recovery needs. Pretty standard for CBCI-correct me if you think otherwise.

Jason T. Mar 4, 2026 10:09 am

Its A, sometimes C trips people up but BC focus is always on matching RTOs.

Be respectful. No spam.

Correct Answer:

Explanation

The primary goal of a business continuity strategy for suppliers is to ensure the resilience of the supply chain. This is achieved by making certain that the recovery capabilities of critical suppliers are synchronized with the recovery needs of the organization. The Recovery Time Objective (RTO) defines the maximum tolerable downtime for a specific business activity. If an activity depends on a supplier, that supplier must be able to resume providing the necessary product or service within the activity's RTO. Failure to ensure this alignment would make the organization's own recovery plans unachievable, regardless of other supplier attributes.

Why Incorrect

B. This is a standard 'business as usual' (BAU) procurement and quality management requirement, not a specific consideration for continuity and resilience during a disruption.

C. While procurement review is a valid governance step, it is a procedural control, not the core strategic objective that the Business Continuity professional must ensure is met.

D. Prioritizing existing suppliers without a thorough resilience assessment can perpetuate risk, such as single points of failure. A sound strategy evaluates all options, including diversification.

References

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition. Professional Practice 4 (PP4): Design, Section 4.5.4 Supply Chain Strategy, emphasizes that strategies must be developed for the continuity of the supply chain. It states, "The BIA will have identified the RTO for each activity and the organization needs to understand the ability of its suppliers to meet these requirements." This directly supports aligning supplier capability with organizational RTOs.

2. ISO 22318:2015, Societal security — Business continuity management systems — Guidelines for supply chain continuity. Clause 6.3, "Determining and selecting supply chain continuity strategy and solutions," outlines that the selection of strategies should be based on enabling the organization to meet its business continuity objectives (which are informed by RTOs) for product and service delivery.

3. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements. Clause 8.3.3, "Selection of business continuity strategies and solutions," requires that strategies be selected to meet the requirements for resuming and recovering prioritized activities within their identified RTOs. This principle applies directly to activities that are dependent on suppliers.

Q: 5

Which type of review provides an evaluation of the Business Continuity Management System (BCMS) outputs against the requirements or expectations to determine whether Business Continuity is incorporated into every task undertaken through the BCMS?

Options

Discussion

Sean N. Feb 14, 2026 3:31 pm

C. based on most official guides and practice tests I’ve reviewed for CBCI.

ThoughtfulConsultant9300 Feb 20, 2026 6:22 pm

C . QA is about making sure the outputs of the BCMS line up with what’s required so that business continuity gets baked into everything. External audit (D) is more about independent verification and isn’t typically continuous or internal like QA. Pretty sure C matches the "every task" part best.

Emma G. Feb 26, 2026 8:09 am

Why not D here? Audit checks outputs against standards too, right?

CalmTester6410 Mar 2, 2026 12:21 am

Option C is what I'd pick too. QA focuses on embedding processes and checks throughout, so BC gets built into daily work, not just reviewed at the end. Not totally sure but I haven't seen A or D match this context.

Neha C. Feb 19, 2026 1:36 pm

Its D. I think audit’s the trap here but it matches the “evaluation” bit, right?

Sara Z. Feb 28, 2026 7:43 pm

D , audit sounds tempting if you're skimming the question but I think that's the trap here.

Vikram Y. Feb 24, 2026 10:34 am

C vs D, this type of wording trips me up every time. With BCMS reviews in practice, I've seen both QA and audits checking requirements, but QA seems more about ongoing integration. Not 100 percent but leaning C based on similar exam questions. Disagree?

Arjun R. Feb 25, 2026 3:53 am

Taylor M. Mar 2, 2026 8:10 am

Could be D here, since external audits also check outputs versus requirements.

ChloeG Feb 27, 2026 6:02 pm

D imo, since external audits check if outputs match standards. Saw a similar question in official guide stuff but not totally sure on this one, anyone else used exam practice tests for this?

Be respectful. No spam.

Correct Answer:

Explanation

Quality Assurance (QA) is a systematic, process-oriented activity focused on ensuring that the Business Continuity Management System (BCMS) and its outputs (e.g., policies, plans, Business Impact Analysis reports) consistently meet predefined requirements and quality standards. It is a proactive function designed to provide confidence that business continuity is effectively integrated into all relevant organizational tasks and processes. QA involves regular checks and evaluations to confirm that the BCMS is suitable, adequate, and effective, thereby embedding a culture of quality and resilience throughout the organization's operations. This directly matches the question's description of evaluating outputs against requirements to ensure BC is incorporated into every task.

Why Incorrect

A. Performance Appraisal: This evaluates the job performance of individual employees, not the outputs or processes of the entire BCMS.

B. Post-incident Review: This is a reactive evaluation conducted after a disruption to analyze the effectiveness of the response and recovery, not an ongoing review of all BCMS tasks.

D. External Audit: This is a formal, independent assessment conducted periodically by a third party, typically for certification, not the continuous internal process of ensuring quality is built-in.

References

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition. Section 6.4, "Review," outlines the process for evaluating the "continuing suitability, adequacy, and effectiveness of the BCMS" and its components against the organization's policy and objectives. This principle of checking outputs against requirements is the core of Quality Assurance.

2. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements. Clause 9, "Performance evaluation," mandates the organization to evaluate the performance and effectiveness of the BCMS. This includes monitoring, measurement, internal audits, and management reviews, which are all fundamental activities within a Quality Assurance framework.

3. Hiles, A. (2011). The Definitive Handbook of Business Continuity Management (3rd ed.). Wiley. Chapter 25, "Maintaining and Reviewing the Arrangements," describes quality assurance as a key part of the BCM lifecycle, providing "confidence that the business continuity capability is complete, correct and current" by systematically checking outputs against defined standards.

Q: 6

Which of the following is NOT a critical requirement for an effective response structure?

Options

Discussion

Grace Feb 28, 2026 3:43 pm

My pick: C, plan to exercise is part of validation not response structure. Seen similar on mock tests.

Olivia Feb 22, 2026 11:25 pm

I'd stick with C for this. The plan to exercise comes after creating the actual response structure, so it's not a core requirement for setting it up. The others (A, B, D) are all part of defining what that structure actually is. Pretty sure that's what the exam expects-let me know if I missed something.

Jason H. Feb 19, 2026 9:10 pm

B tbh. The number and type of teams feels like something you work out once you already know the essential functions and communication needs, not a strictly critical item for the structure itself. In some orgs, teams flex a lot depending on incident. Unless they mean "minimum viable," I'd pick B here, but I know most go for C. Disagree?

Aisha K. Feb 19, 2026 6:28 am

That "plan to exercise" piece in option C is a bit of a curveball. Exercising the plan is all about validation, not part of the response structure itself as built during implementation. Pretty sure C is right, unless they twist the wording.

Arjun Feb 26, 2026 6:34 pm

C vs D
Pretty sure it's C this time. Escalation and response exercising sits with validation, not the core response structure. D is a classic distractor since regulator guidance usually does belong in the response plan.

Taylor E. Feb 15, 2026 4:25 am

Official guide and some practice exams highlight C as not being a structural requirement for response. C

Casey X. Feb 27, 2026 6:37 am

C vs D
Looks like C is correct since exercising the plan falls under validation, not building the response structure itself. D is tempting but regulatory notification actually guides the formal response process. Seen this tricked a few folks in practice questions.

Nathan Mar 6, 2026 2:29 am

Option C seen this called out in official guide and practice test.

Nora X. Feb 23, 2026 1:28 pm

Yeah, C is the odd one out here.

Alex V. Feb 15, 2026 11:36 pm

C not D. Seen in similar question sets, and the "plan to exercise" always trips people up. That's validation phase stuff, so it's not part of building the response structure itself. D feels like a trap here since regulator notification guidance is usually built in early. If anyone thinks otherwise let me know, but I'm pretty sure C is right.

Be respectful. No spam.

Correct Answer:

Explanation

An effective response structure is defined during the Implementation phase of the Business Continuity Management (BCM) Lifecycle. This structure fundamentally consists of the teams, their roles, responsibilities, and the command, control, and communication framework. A plan for communicating with interested parties (A), defining the teams (B), and guidance on specific actions like regulatory notification (D) are all integral components of the response plans developed during Implementation.

However, a plan to exercise the response (C) belongs to the Validation phase of the BCM Lifecycle. While exercising is absolutely critical to prove and improve the effectiveness of the response structure, the plan to exercise is a distinct activity within the BCM program, separate from the definition of the structure itself. The structure must be created first before it can be validated.

Why Incorrect

A. A communication plan is a core, critical component of any response structure, ensuring information flows effectively to all internal and external interested parties during an incident.

B. The definition of the number and type of teams (e.g., Strategic, Tactical, Operational) is the foundational element that constitutes the response structure itself.

D. For most organizations, especially those in regulated industries, guidance on regulatory notification is a critical procedural requirement within the response plan to ensure legal compliance.

References

1. Business Continuity Institute (BCI), "Good Practice Guidelines (GPG), 2018 Edition."

Reference for Correct Answer (C): The GPG separates the BCM Lifecycle into distinct Professional Practices (PP). The development of the response structure is covered in PP 5: Implementation (specifically Section 8.3, "Developing and Implementing a Response"). The planning and execution of exercises are covered in PP 6: Validation (specifically Section 9.2, "Develop an Exercise Programme"). This structural separation in the official BCI framework demonstrates that the exercise plan is part of the validation program, not a requirement for the response structure itself.

Reference for Incorrect Options (A, B, D): PP 5: Implementation, Section 8.3.2 "Structure" and 8.3.3 "Incident Response Plan (IRP)," explicitly detail the need for defined teams (B), roles, responsibilities, and communication requirements (A), which include specific notifications to interested parties like regulators (D).

2. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements.

Reference for Correct Answer (C): Clause 8.5, "Business continuity procedures," details the requirements for response structures. Clause 9.2, "Internal audit," and Clause 9.1, "Monitoring, measurement, analysis and evaluation," cover the validation activities, including exercising. The standard treats the establishment of procedures and their validation as separate, though related, requirements.

3. Carnegie Mellon University, Software Engineering Institute, "CSIRT Development," Courseware.

Reference for Incorrect Options (A, B): Incident response team structures, such as those developed by CERT/CC, universally define the team structure (B) and communication protocols (A) as foundational elements. The courseware on creating a Computer Security Incident Response Team (CSIRT) emphasizes defining the team's structure, roles, and communication plan as the initial, critical steps. Exercising is presented as a maturity and validation activity.

Q: 7

Which of the following is used to determine the organization's prioritised activities and the recovery timeframes and resource requirements?

Options

Discussion

Nathan O. Feb 24, 2026 10:23 am

C . D sounds tempting but only BIA gives formal outputs for priorities and recovery needs. D’s a trap here.

Sam Mar 5, 2026 4:54 am

C . The question points to BIA, not risk assessment. A is a trap here since it's just about threats.

Skyler L. Feb 28, 2026 1:55 pm

C tbh. Business Impact Analysis is what gives you the priorities and sets RTOs/MTPDs plus resource needs. A (risk assessment) checks for threats, but doesn't determine recovery timeframes directly. D is too vague, B is just testing the plan. Seen similar questions on practice exams-pretty sure C is what they're after here, but happy to hear other takes.

Ryan S. Feb 22, 2026 12:45 pm

Probably C, BIA is what sets the official recovery timeframes and priorities. Meetings (D) help but don't deliver formal requirements.

Ryan Feb 25, 2026 6:12 am

If it's more about gathering requirements from business owners directly, D might make sense.

Drew W. Feb 21, 2026 3:43 am

HelpfulDev1583 Feb 18, 2026 6:19 pm

Feels like C since BIA is the formal method to set priorities and recovery objectives. Official study guides always highlight BIA for this, textbooks too. Pretty sure that's what exam questions focus on.

Neha I. Feb 15, 2026 1:46 pm

Its C. Only a formal BIA covers prioritized activities, recovery timeframes, and resource needs-if you want compliance or audit proof, meetings alone (D) won’t cut it. Unless the org is super informal and ignores BCM standards, C fits best.

Riley G. Mar 4, 2026 6:39 am

Don't think it's D. C is the one that sets priorities, recovery times and resource needs formally.

Arjun G. Feb 28, 2026 5:59 pm

I think C is the match here. BIA actually formalizes priorities and recovery timeframes, not just gathering input like in D.

Be respectful. No spam.

Correct Answer:

Explanation

The Business Impact Analysis (BIA) is the formal and foundational process within Business Continuity Management used to identify an organization's critical products, services, and their supporting activities. It analyzes the impacts of a disruption to these activities over time. The primary outputs of a BIA are the prioritization of activities, the determination of maximum tolerable periods of disruption (MTPD), and the establishment of Recovery Time Objectives (RTOs), which define the required recovery timeframes. The BIA also identifies the minimum level of resources (e.g., people, technology, facilities, suppliers) needed to achieve recovery.

Why Incorrect

A. A risk assessment identifies and analyzes potential threats and vulnerabilities, not the time-sensitive impact of a disruption on specific business activities.

B. An exercise is conducted to validate and improve existing business continuity plans and capabilities, not to initially determine requirements and priorities.

D. A meeting with owners of product and services activities is a data-gathering technique used during a BIA, but it is not the comprehensive analysis process itself.

References

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition.

Section 4.3, Business Impact Analysis (BIA): "The BIA is the process of analysing the business activities and the effect that a business disruption might have upon them... The BIA process enables the organization to: quantify the impacts of a disruption...; identify the priority for the recovery of products and services and their supporting activities and resources; [and] determine the RTO for each activity..."

2. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements.

Clause 8.2.2, Business impact analysis and risk assessment: This clause mandates that the organization's BIA process shall "a) identify the products and services... and the activities that support their provision;" "b) determine the time frames for resuming disrupted activities... at a specified minimum acceptable level;" and "c) identify the dependencies and determine the resources required by the prioritized activities..."

3. Hiles, A. (2011). The Definitive Handbook of Business Continuity Management (3rd ed.). Wiley.

Chapter 12, The Business Impact Analysis Stage: "The BIA is the process that identifies the critical business processes of an organization, the resources required to support them, and the impact of a failure of these processes over time... The BIA will provide the data from which the appropriate continuity strategy can be determined." (Paraphrased from concepts throughout the chapter).

Q: 8

In relation to a disruption to activities, the Minimum Business Continuity Objective (MBCO):

Options

Discussion

Sean Feb 21, 2026 11:30 am

Option B makes sense. MBCO is about the minimum level of operation you have to achieve after a disruption, and the RTO sets when you should hit that point. They're related but not the same thing. Pretty sure that's what most exam guides say, though I get why people mix up A and B.

CaseyK Feb 25, 2026 11:18 am

Pretty sure B for me too, but I always second guess since MBCO and RTO get mixed up a lot. My understanding is MBCO is the service level you hit once you're back online within the RTO window. Open to correction if I'm off here.

Sean Mar 1, 2026 1:55 pm

B , unless the org blurs MBCO and RTO by policy which is rare but possible.

Kevin Mar 1, 2026 9:07 am

Probably B here. MBCO is about the minimum level of operations you need after a disruption, and RTO is how fast you need that restored. They relate, but they're not the same thing. Open to corrections if I missed something.

Karan J. Mar 3, 2026 1:49 am

Wouldn't A be right if the MBCO was actually defined as the recovery deadline, not just the minimum service level? Like, if the organization's process tied both together in policy, A could make sense. Am I missing a subtle difference that's only in best practice frameworks?

Ravi A. Feb 23, 2026 1:03 pm

Nah, not A-B fits better since MBCO gets reached at RTO, not the same thing as the RTO itself. A is a common trap here.

Taylor Feb 28, 2026 8:33 pm

B not totally sure. The timing piece keeps tripping me up but I think MBCO is about the required level once you hit RTO, so B seems closer. But open if someone has a different take.

Luke E. Feb 20, 2026 7:40 pm

Maybe A since RTO feels like it should match the minimum needed, right?

Jamie L. Feb 21, 2026 7:42 am

Its B, A is tricky but mixes up time (RTO) with the minimum level (MBCO).

Emma R. Feb 15, 2026 9:17 pm

A or B, always find this confusing in mocks. I thought A made sense since RTO and minimum objective feel linked, but the official guide puts more focus on timing not just the name. Wouldn’t hurt to double-check in practice questions.

Be respectful. No spam.

Correct Answer:

Explanation

The Minimum Business Continuity Objective (MBCO) is the minimum acceptable level of service or product delivery an organization must achieve to meet its business objectives during a disruption. The Recovery Time Objective (RTO) is the target timeframe within which this level must be reached. Therefore, the MBCO is the performance target that is attained at the point in time defined by the RTO. An organization resumes its critical activities within the RTO, and upon resumption, they should be operating at or above the specified MBCO.

Why Incorrect

A. MBCO is a service level objective (a 'how much'), whereas RTO is a time-based objective (a 'how soon'); they are distinct, though related, metrics.

C. MBCO is determined during the Business Impact Analysis (BIA) to understand the impacts of a disruption, not during a risk assessment, which identifies threats and vulnerabilities.

D. The mobilization of response teams is a tactical action triggered early in an incident response, not the strategic recovery level defined by the MBCO.

References

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition.

Section 5.4.3, Determining priorities for recovery: "The BIA determines the recovery time objective (RTO) for the resumption of the prioritized activities that deliver the key products and services to a specified minimum business continuity objective (MBCO)." This passage explicitly states that the RTO is the time set to achieve the MBCO.

Glossary of Terms: Defines MBCO as the "minimum level of services and/or products" and RTO as the "period of time following an incident within which a product or service must be resumed."

2. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements.

Section 8.2.2, Business impact analysis: The standard requires the organization to determine "the time frame for recovering prioritized activities at a specified minimum acceptable capacity." This directly aligns the concept of a time frame (RTO) with a minimum capacity (MBCO).

Q: 9

Which of the following is an outcome of personnel embracing Business Continuity and the organization's Business Continuity Management System (BCMS)?

Options

Discussion

Casey Feb 25, 2026 12:43 pm

Makes sense to pick A. Tailoring the BC program to fit the organization's culture only happens when the staff actually buy in.

Riley R. Feb 26, 2026 1:21 am

A . The others are kind of traps since B and D are risky (no org should stop updating or validating just because people are on board) and C is more of an external/public impact. Embracing BC leads to customization based on actual internal needs and culture, not a one-size-fits-all approach. Pretty confident here but open to other takes if I missed something.

Ravi M. Feb 27, 2026 3:28 am

A. saw a similar question in an exam report and it matched.

Luna Feb 14, 2026 10:33 pm

I don't think it's B or D since validation and updates are always needed for BCMS, no matter how committed the staff are. C talks about external perception, but the question is about internal outcomes. A makes sense because real buy-in leads to a program that's actually customized for how the company works. Pretty sure it's A, but open to other views if anyone disagrees.

Layla Q. Feb 22, 2026 11:45 pm

D imo, but not sure. The others just don't quite fit for BC culture outcomes.

Anita X. Feb 24, 2026 7:02 am

A tbh

Karan Feb 18, 2026 11:16 am

Probably A-personnel support makes the BC program fit the actual org culture. The others don't really follow BCM best practices. Open to debate if anyone has a different angle but I'm pretty sure on this one.

CarefulTester4553 Mar 5, 2026 5:51 pm

Yeah A fits best here.

Sean Q. Feb 25, 2026 11:13 pm

Its A, saw something super similar on my last practice exam. The internal focus tips it.

ThoughtfulOps4618 Mar 1, 2026 2:22 am

Option A Similar question came up on a practice test from the official guide.

Be respectful. No spam.

Correct Answer:

Explanation

When personnel at all levels embrace Business Continuity, it becomes embedded within the organization's culture. This widespread acceptance and understanding ensure that the Business Continuity Management System (BCMS) is developed with realistic inputs reflecting how the organization actually functions. Consequently, the resulting programme is not a generic template but is specifically tailored to the organization's unique processes, risk appetite, and cultural nuances. This cultural integration is a critical success factor for an effective and sustainable BCMS, transforming it from a compliance document into a practical operational tool.

Why Incorrect

B. Commitment does not eliminate the need for regular reviews; a BCMS must continually evolve with the organization and its threat landscape.

C. Increased sales are a potential indirect business benefit, not a direct outcome of internal personnel embracing the BCMS.

D. Validation through exercises is a mandatory and non-negotiable part of the BCMS lifecycle; commitment cannot replace empirical testing of plans.

References

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition. Section 4.5, "Embedding Business Continuity," emphasizes making BC a part of the organization's culture ("business as usual"). This cultural integration ensures that the BC programme is practical, understood, and therefore tailored to the organization's reality, rather than being a theoretical construct.

2. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements. Clause 7.3, "Awareness," requires that personnel are aware of their contribution to the effectiveness of the BCMS. This contribution, driven by engagement, is essential for creating and maintaining solutions that are tailored to their specific roles and business functions.

3. Herbane, B. (2019). Rethinking business continuity management. Journal of Business Continuity & Emergency Planning, 12(4), 326-338. This article discusses how the effectiveness of BCM is enhanced when it moves from a siloed function to being embedded in organizational culture, which inherently involves tailoring the approach to the specific context and values of the organization. (Available via various academic databases; discusses BCM maturity and cultural integration).

Q: 10

Which of the following actions will lead to the protection of priority activities with respect to their Recovery Time Objectives (RTOs) and will limit the impacts of disruptions to prioritised activities?

Options

Discussion

Anita B. Feb 28, 2026 7:38 am

Makes sense to pick C. Implementing actual strategies is what protects those activities tied to their RTOs. Pretty sure that's the intent.

Sanjay G. Feb 26, 2026 5:35 pm

C. That's the one that actually puts strategies in place to protect RTOs.

Aaron V. Feb 20, 2026 3:14 am

Makes sense to pick C. Only approved strategies and solutions will actually ensure those priority activities meet their RTOs, not just identifying or discussing risks. Pretty sure about this but happy if someone thinks otherwise.

Nathan L. Feb 22, 2026 4:29 am

I don’t think it’s B here, since BIA just identifies what's critical and the RTOs. Actual protection comes after, so I'd go with C. Sometimes people get tripped up by that analysis vs solution step.

Riley U. Feb 18, 2026 12:48 am

C makes sense here since it's the only one that actually puts recovery strategies in place to protect those activities and meet RTOs. BIA (B) just identifies priorities, but doesn't protect them itself. Pretty sure C's the exam answer, but if anyone disagrees let me know.

Ethan Feb 22, 2026 4:18 pm

C . Frustrating how they always try to trip you up by making BIA sound like the main protection step, but putting real strategies and solutions in place (C) is what limits the actual impacts. Pretty sure that’s what exam practice questions push too, but open to debate.

Morgan Feb 18, 2026 2:39 am

Noah A. Feb 19, 2026 12:53 am

If the scenario was just about identifying which activities are critical, it'd flip to B. C.

Cameron I. Feb 15, 2026 9:02 am

Kevin B. Feb 26, 2026 9:19 pm

B . The BIA in B is what identifies the RTOs and priority activities, so I figured that's directly linked to protection steps. Maybe missing the action part, but feels like it sets the stage. Not totally sure though, could be overthinking.

Be respectful. No spam.

Correct Answer:

Explanation

The creation of approved strategies and solutions is the direct outcome of the Design stage (PP4) of the Business Continuity Management (BCM) Lifecycle. This stage uses the inputs from the Analysis stage (which includes the BIA and risk assessment) to determine how the organization will recover its prioritized activities within their established Recovery Time Objectives (RTOs). These strategies and solutions are the specific actions, arrangements, and resources put in place to protect activities, mitigate the impact of disruptions, and ensure timely recovery. Therefore, this action directly leads to the protection of activities and the limitation of impacts.

Why Incorrect

A. Conducting a risk assessment is an analytical step to identify threats and vulnerabilities; it does not implement protective measures itself.

B. Conducting a Business Impact Analysis (BIA) identifies priority activities and their recovery requirements (like RTOs) but does not create the solutions to meet them.

D. Grouping and discussing risks is a management and communication task, a precursor to action, not the implementation of the protective solutions themselves.

References

1. Business Continuity Institute (BCI), Good Practice Guidelines (GPG), 2018 Edition: In the section on the BCM Lifecycle, Professional Practice 4 (PP4): Design, it states, "The purpose of the Design stage is to identify and select appropriate strategies and solutions in order to meet the business continuity requirements identified in the BIA." (Page 79). This confirms that creating strategies and solutions is the specific action to meet RTOs.

2. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements: Clause 8.3, "Business continuity strategies and solutions," requires the organization to "determine and select business continuity strategies that consider options for before, during and after disruption." It further specifies that these strategies shall be based on the outputs of the BIA and risk assessment to protect and recover prioritized activities. This directly links the creation of strategies (Option C) to the protection of activities.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE