The ISO 22301 standard specifies that a Business Continuity Management System (BCMS) should be established, implemented, maintained, and continually improved as part of the organization's overall management system. It is not a standalone or isolated activity. Integrating the BCMS into the organization's processes, culture, and overall management structure ensures that business continuity is considered a strategic priority, receives appropriate resources, and is aligned with the organization's objectives. This holistic approach moves beyond a narrow focus, such as IT, to encompass all aspects of the organization's resilience.

A. A part of the organization's IT Management system

This is incorrect because business continuity management is much broader than IT. It includes people, processes, premises, and suppliers, not just technology and data recovery.

D. Always managed by an external service provider

This is incorrect because there is no requirement for a BCMS to be managed externally. While external expertise can be used, the ultimate responsibility remains with the organization's top management.

1. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements.

Section 0.1, General: "The organization should integrate its BCMS with, and into, its related management processes and structures." This statement explicitly confirms that the BCMS is part of the overall management system.

Clause 4.1, Understanding the organization and its context: This clause requires the organization to consider its overall purpose and strategic direction when defining the BCMS, reinforcing its integration with the entire organization.

2. Herbane, B. (2019). Rethinking business continuity management. Continuity & Resilience Review, 1(1), 38-51. https://doi.org/10.1108/CRR-03-2019-0003

Page 40: The paper discusses the evolution of BCM from a technically-focused discipline (like IT disaster recovery) to a "holistic management process" that is integrated into corporate governance and strategic management, supporting the idea that it is part of the overall management system.

3. Järveläinen, J. (2013). IT incidents and business impacts: A classification and the role of business continuity management. International Journal of Information Management, 33(5), 742-750. https://doi.org/10.1016/j.ijinfomgt.2013.05.003

Section 3.2: This article distinguishes between IT-focused disaster recovery and the broader, process-oriented BCM, stating, "BCM is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause..." This clarifies why limiting BCMS to an IT system (Option A) is incorrect.