A strategic plan:
May be supported by a separate crisis communications plan
Should identify viable options to coordinate efforts of the operational teams
Should contain procedures for responding to emergencies, including threats to life, or the environment
May contain procedures for coordinating the transportation of personnel to alternate facilities
Strategic plans set the overarching framework and objectives for Business Continuity and are often supported by separate tactical or crisis communication plans tailored to communication needs during disruptions. The CBCI 7.0 course clarifies that while strategic plans guide overall responses, detailed emergency procedures and logistics coordination typically reside in operational or tactical plans, ensuring clarity and focus at different planning levels.
Which of the following will improve understanding of the benefits of Business Continuity (BC) and increase voluntary commitment to BC across the workforce?
Enforcing regular BC activities such as attendance at briefings or training
Establishing a system where BC is seen only as a corporate mandate driven by policy
Allocating additional responsibilities and objectives related to BC roles to existing workloads
Establishing BC as a culture underpinned by personal beliefs and corporate behaviours
CBCI 7.0 (via GPG 7.0) is explicit that improving BC culture is not primarily achieved through compliance enforcement; instead, it is achieved by embedding BC into “how we operate” so people personally understand why it matters and choose to engage. PP2 (Embracing Business Continuity) focuses on improving the BC culture underpinning the BCMS over time, shifting away from a compliance-only model toward shared beliefs, attitudes, and behaviours that sustain readiness.
Option D matches this directly: when BC becomes a culture—supported by personal belief (“my role matters”) and corporate behaviours (leaders model it, teams practice it)—voluntary commitment increases. Option A can drive attendance, but forced participation often produces box-ticking rather than ownership. Option B creates resistance by framing BC as “someone else’s mandate.” Option C can overload people and reduce engagement if responsibilities are added without meaning, support, or prioritization. The best CBCI-aligned answer is D.
Which of the following should be included in a post-incident review of a Business Continuity Management System (BCMS)?
Information from those involved in the event and also from those involved in the response and recovery activities.
Consideration of responsibility and allocation of accountability for errors made either before or during the incident.
A review of the BCMS implementation and an action plan for improvement.
Information from a related audit report.
In GPG 7.0’s Validation practice (PP6), a post-incident review is emphasised as a way to evaluate response and recovery efforts and determine the extent to which “plans, capabilities, and competencies met the business continuity requirements.” To do that credibly, the review must capture factual, first-hand evidence from the people who experienced the incident and those who executed the response and recovery—what happened, what decisions were made, what worked, what didn’t, and why. That is exactly what option A provides.
Option B shifts the review into blame allocation, which undermines the constructive learning mindset that validation aims to build (identify strengths and improvements positively). Option C contains a desirable outcome (an improvement plan), but the question asks what should be included in the post-incident review itself; without structured input from participants, improvement actions become speculative. Option D (audit reports) can be a useful reference, but it is not the defining content of a post-incident review of actual response/recovery performance.
When implementing solutions so that they can be deployed to respond to disruption, the Business Continuity professional should:
Review and revise the specifications for each solution developed in the design phase prior to launching them
Work with the teams who will utilize the solutions to develop any new systems or tools required to enable implementation
Allocate implementation to the relevant teams and instruct them to manage the implementation as they see fit and to their own timelines
Empower the implementation team to make changes to specifications without referring back to top management
According to the CBCI 7.0 course, collaborating with the teams who will use the solutions is vital for successful implementation. This cooperative approach ensures that practical considerations, system requirements, and user needs are incorporated early, facilitating smoother integration and operationalization. It also promotes ownership and readiness. Revising specifications alone or delegating implementation without collaboration can lead to misaligned outcomes. Empowering teams to unilaterally change specifications without oversight risks scope creep or misapplication. Structured collaboration balances control and flexibility, ensuring solutions meet both design intent and practical deployment realities.
Why should a Business Continuity (BC) policy be written in a way that is easy to read and concise?
To ensure that only minimum information is shared with personnel and other interested parties
To ensure that the correct specialist jargon and acronyms are being used consistently across the organization
To ensure that it sets out points in a way that is straightforward and engaging for staff involved in implementing Business Continuity (BC) in the organization
To act as an accessible summary document to support the actions detailed in the Business Continuity Management System (BCMS)
A BC policy is a leadership-approved, high-level statement that sets direction for the BCMS and guides how business continuity will be approached across the organization. For it to be effective, it must be understood by the people who will implement it—leaders, plan owners, responders, and those supporting recovery. Writing the policy in a concise, easy-to-read way helps ensure it is communicated, absorbed, and acted upon, rather than being treated as a dense compliance document that few people read. In the GPG 7.0 approach, success depends on collaboration and enabling the organization to implement continuity practices in a way that fits how it operates; clarity supports engagement and consistent application.
Option A is incorrect because conciseness is not about restricting information; it is about improving understanding. Option B is the opposite of good practice—policies should avoid unnecessary jargon so they remain accessible. Option D describes a secondary benefit (a policy can be a useful summary), but the primary reason for conciseness is to make the policy straightforward and engaging for the people who must use it.
When developing a response structure for an organization, the process should include:
Consulting with customers and suppliers on the requirements for the structure
Ensuring that appropriate and competent individuals are assigned to leadership roles in the structure
Advising department heads that department structure will have to change to match the proposed response structure
Implementing a supporting performance management system in the organization to ensure that all managers and personnel are complying with the new requirements
A response structure must work under pressure, with clear leadership, decision rights, and coordination across incident management, crisis management, and recovery teams. In PP5 (Enabling Solutions), organizations embed agreed solutions by establishing response arrangements and plans that can actually be executed during disruption; that requires putting competent individuals into key leadership roles so decisions are timely, coordinated, and aligned to priorities.
Option B is therefore the correct inclusion in the process: ensure appropriate and competent individuals are assigned to leadership roles. Competence matters because leadership roles require situational assessment, escalation, communications, and resource prioritization—not just job titles.
Option A can be useful for specific dependencies (e.g., supplier coordination) but it is not a core requirement for designing the internal response structure. Option C is overly rigid: the response structure should integrate with existing management and operational structures where practical, rather than forcing wholesale reorganization. Option D (performance management) is not a prerequisite design step for response structures; it may support broader governance, but effective response depends first on clear roles, authority, and capable leadership.
The most appropriate type of exercise for verifying if a critical system can be restored from backups within the expected Recovery Time Objective (RTO) is a:
Scenario exercise
Test
Discussion-based exercise
Simulation
Verifying that a system can be restored from backups within the RTO requires a measurable, evidence-based activity with a clear “works/doesn’t work” outcome. In business continuity terminology aligned to ISO vocabulary commonly used in BC practice, a test is an exercise designed to produce an expected, measurable pass/fail outcome—which is exactly what you need when timing a backup restore and confirming the system becomes operational within the stated RTO.
BCI guidance on validation emphasizes that validation is the “true test” of an established BCMS, bringing together prior work to confirm objectives are met. In technical recovery, the objective is not discussion or role-play; it is confirming the technology recovery steps and timings actually achieve the target. The BCI Good Practice guidance also frames validation questions in practical terms such as whether a priority system “can be recovered and restored within the expected recovery time objective,” which is best answered through a controlled technical test.
Scenario/discussion exercises support understanding and decision-making, and simulations can be broader and more complex, but the most direct method for backup-restore-to-RTO verification is a test.
The purpose of a Business Continuity policy is to:
Initiate the development of an effective response structure in case of disruption to products or services within the scope of the Business Continuity Management System (BCMS)
Enable the Business Continuity professional to issue instructions to all on the changes that they will be required to make
Share the outcomes of a Business Impact Analysis with internal and external stakeholders
Establish shared understanding of the importance of a BCMS and its relevance to the organization
A Business Continuity policy acts as a foundational document that communicates the organization’s commitment to Business Continuity and sets out its scope, objectives, and principles. The CBCI 7.0 course stresses that the policy fosters a shared understanding across the organization about the importance of the BCMS and ensures that personnel recognize its relevance to their roles. It does not specify operational details or mandate actions but guides governance and culture. The policy supports alignment of efforts and continuous improvement of the BCMS.
Which of the following describes an operational plan?
Documented plans to protect people and property while supporting the recovery of the organization's prioritised activities
Documented procedures that are still in draft form as they have not yet been tested via exercises or actual incidents
Detailed information on any processes that have not been risk assessed by the organization and therefore present an increased risk
Pre-prepared information to facilitate the coordination of response activities when several different operational teams are involved
Operational plans sit within Enabling Solutions (PP5) and are designed to support the continuity and recovery of prioritised activities at the departmental or specialist-service level (e.g., facilities, ICT, logistics), from the beginning of an incident through recovery and return to normal. They translate agreed continuity solutions and resource requirements into actionable procedures for operational teams.
Option A is the best description because it captures the operational intent: protect people/property (immediate operational control and safety) while enabling recovery of prioritised activities and services. Option D is closer to what BCI guidance describes as a tactical plan outcome—a coordination framework between strategic and operational teams—rather than an operational plan itself.
Option B confuses plan status (draft/untested) with plan type; an operational plan can be draft or validated, but that does not define it. Option C is about risk documentation, not operational recovery planning. Operational plans are therefore best represented by A.
When identifying risk mitigation strategies and solutions in relation to unacceptable risk and/or single point dependencies, the Business Continuity (BC) professional should collaborate with:
Activity and resource owners
Top management
Incident response team leaders
Media and communication managers
In CBCI 7.0’s structure, unacceptable risks and single-point dependencies are typically discovered through analysis outputs (BIA and risk assessment) and are then treated through Solutions Design by selecting strategies and solutions that reduce vulnerability and enable recovery. To identify practical mitigations, the BC professional must work with the people who own the work and the resources—because they understand how activities are performed, where the true bottlenecks are, what constraints exist (skills, technology, suppliers, premises), and what changes are feasible without introducing new risks.
Activity and resource owners are also the stakeholders who will usually operate, maintain, and fund the controls or continuity solutions once agreed (e.g., alternate suppliers, resilience measures, cross-training, technology recovery design). Collaboration here ensures solutions are realistic, implementable, and aligned to operational needs.
Top management (B) approves priorities and budgets, but does not usually design detailed mitigations. Response team leaders (C) focus on incident-time execution, and communications managers (D) focus on messaging—both are important, but neither replaces the operational insight of owners when treating single points of failure. Therefore A is correct.
Which of the following is NOT correct in relation to Business Continuity plans?
They should contain detailed step-by-step instructions on what to do for every eventuality that could occur
They may include scenario-specific plans that are designed to address a particular threat
They should be validated before being deemed operational
They should be kept up to date
The CBCI 7.0 course explains that Business Continuity plans should not contain detailed step-by-step instructions for every possible eventuality, as this is impractical and can lead to overly complex, difficult-to-maintain plans. Instead, plans should provide clear, actionable guidance and procedures that focus on managing the most likely or impactful scenarios. Scenario-specific plans targeting particular threats can complement overarching plans to address specific risks more thoroughly. Validation through exercises and reviews is essential to confirm operational readiness, and plans must be regularly updated to reflect changes in organizational context, resources, and threats. Over-detailing can hinder flexibility and rapid decision-making during actual incidents.
Which one of the following should be implemented when updating Business Continuity (BC) plans?
A copy should be placed on the organization's shared drive so that personnel can identify it for themselves when they look at the system
A formal version control process to identify the date of review and bring attention to changes
A brief note about the update in a staff newsletter that is printed and placed on noticeboards
An internal email to all personnel stating that a new version is available and suggesting that personnel request a copy of the new version if they are interested in seeing it
When BC plans are updated, the organization must be able to prove which version is current, when it was reviewed, what changed, and who approved it. A formal version control process prevents confusion, reduces the risk of using outdated instructions during an incident, and supports assurance/audit needs. BCI guidance on content management for resilience explicitly highlights that clear version control prevents confusion and ensures teams work with the most current information—especially critical during crises when outdated guidance can compound problems.
Option B directly meets that requirement: it identifies review dates and highlights changes so plan owners and responders can trust the document. Option A (just saving to a shared drive) does not ensure people use the correct version or understand changes. Option C is insufficient for operational control. Option D is passive and does not implement document control; it also risks inconsistent distribution. In CBCI practice, controlled documents + versioning are essential to reliable response and recovery execution.
Which of the following solutions in the context of building and work environment resources would support a strategy of relocating operations to another work area belonging to the organization should an incident occur?
Re-purpose work areas and facilities to enable working arrangements for organization personnel during a disruption
Contract former employees and contractors to undertake work at the replacement during a disruption
Create a separate supply chain to support the alternative site in the case of an incident occurring
Advise personnel that they will have to work around the existing workstations and equipment in the alternative site as it will be an emergency situation
The CBCI 7.0 course outlines that a key solution to support relocation strategies involves re-purposing existing work areas and facilities to accommodate essential personnel and functions during disruptions. This may involve modifying spaces, reallocating equipment, or adapting layouts to maintain operations efficiently. Such pre-planning ensures that the organization can resume activities quickly and safely. Contracting former employees or creating separate supply chains may assist but are secondary to establishing viable physical environments. Expecting personnel to adapt to unprepared facilities risks inefficiency and morale issues. Proactive adaptation of workspace is a cornerstone of effective relocation strategies.
Which of the following is a benefit of conducting an exercise?
Confirmation of how well Business Continuity is incorporated into the tasks pertaining to the Business Continuity Management System (BCMS)
Confirmation that personnel are familiar with their roles, and authority in response to an incident
Increased understanding of the requirements set out in the Activities Business Impact Analysis (BIA)
Validation of the Business Continuity Management System (BCMS) against standards, regulations and legislation
The CBCI 7.0 course details that one of the primary benefits of conducting Business Continuity exercises is to confirm that personnel understand their roles and the authority they possess during an incident. Exercises simulate actual disruption scenarios, allowing participants to practice decision-making, communication, and coordination within their roles. This hands-on engagement reveals gaps in knowledge, clarifies responsibilities, and builds confidence, which are crucial for effective incident management. While exercises contribute to validating BCMS processes and improving task integration, their immediate operational benefit is ensuring personnel readiness and role familiarity. Understanding the BIA requirements or regulatory compliance are indirect benefits but not the core purpose of exercises. Exercises also reinforce the practical application of plans, helping teams to respond efficiently under pressure.
Which of the following is NOT a critical requirement for an effective response structure?
A plan to communicate with internal and external interested parties
The number and type of teams required by the organization
A plan to exercise the escalation and response
Guidance on when regulators should be notified and be included in the response
While communication plans, team structure, and exercising escalation and response are essential for an effective Business Continuity response structure, specific guidance on regulator notification, although important, is not typically considered a core structural element. The CBCI 7.0 course outlines that regulatory communications are usually integrated within communication plans but are not a standalone requirement for response structures. The focus remains on establishing clear roles, responsibilities, and communication mechanisms.
Following all Business Impact Analyses (BIAs), what information should be provided to top management in a consolidated analysis?
Feedback from staff on organizational concerns
Confirmation and information about the frequency of previous disruptions
Products and services by order of priority and the priority of related activities (and processes if relevant)
Review of external conditions and a determination of the probability of disruption for each threat identified
The purpose of consolidating BIA outputs is to give top management a clear, decision-ready view of what must be protected and recovered first. In CBCI 7.0’s Analysis (PP3), BIAs identify impacts over time and establish priorities and continuity requirements; consolidation brings this together so leaders can approve priorities and ensure strategies/solutions are designed to meet them.
Therefore, the most relevant consolidated information for top management is the ordered priority of products and services, and the associated priority of the activities (and processes where used) that enable those products and services to be delivered (Option C). This is what allows leadership to make informed choices on investment, trade-offs, recovery objectives, and governance decisions (including acceptance of residual gaps).
Options A and B may be useful context but are not the core consolidated BIA output for executive decision-making. Option D is primarily risk assessment territory (likelihood/probability by threat), whereas the BIA is impact-and-priority led; probability is handled in risk assessment after priorities are known, not as the main consolidated BIA deliverable.
When creating an effective response structure, which of the following should be considered as a critical requirement?
A summary of the outcomes of the Business Impact Analysis (BIA)
A method to monitor incidents so that early action can be taken to prevent them from escalating further
Procedures to activate and control the response to an incident
Procedures for carrying out risk assessments following the end of an incident
A response structure exists to ensure the organization has a documented mechanism for responding to an incident regardless of cause, with clear command, control, escalation, and communications. A “critical requirement” for such a structure is having clearly understood procedures for activation and control—i.e., how teams are stood up, who has authority, how decisions are made, and how the response is coordinated once activated. This is explicitly called out as a key requirement for an effective response structure.
Option B (monitoring/early recognition) is also important, but it is one component. The question asks for a critical requirement when creating the structure; activation and control procedures are foundational because without them, even a well-designed structure cannot be reliably mobilised or governed during disruption.
Option A (BIA summary) informs priorities, but it is not a defining requirement of the response structure mechanism itself. Option D relates to analysis/review after an incident, which supports improvement, but it is not the core requirement needed to operate the response structure during an incident. Therefore, C is the best answer.
As part of the preparation for responding to an incident, plans should be in place to enable the response team to meet. Which of the following is NOT correct in relation to arrangements for meeting facilities?
Meeting arrangements should be stated in plans that are made available to all team members
At least two meeting locations should be stated with the team leader deciding which to use at the time of the incident
Meetings must always take place in a physical rather than virtual location
A continuously available and stable power supply should be available to meeting locations
The CBCI 7.0 course explains that flexibility in meeting arrangements is critical for effective response. Requiring meetings to always occur physically is impractical, especially in disruptions impacting facilities or when personnel are remote. Virtual meeting capabilities have become essential, allowing teams to convene despite physical constraints. Plans should specify multiple meeting options (physical and virtual) and include contingencies like stable power and connectivity. Stating arrangements and empowering leaders to select locations supports responsiveness and operational continuity.
Why is it important to establish governance for a Business Continuity Management System (BCMS)?
To provide the foundation for further development, effective operation, support and continual improvement
To monitor and review BC training programmes regularly to ensure that any skills gaps identified by the gap analysis are being addressed
To ensure that different parts of the organization can take independent approaches to reflect their preferences and timelines
To align the governance of the BCMS with the structure of the organization's business sector
BCMS governance exists to ensure the organization has clear direction, oversight, accountability, and decision-making for business continuity. In CBCI 7.0’s PP1 focus, governance provides the structure for defining scope, setting policy and objectives, assigning roles, allocating resources, and ensuring the BCMS is operated and improved over time. Governance is therefore the foundation that enables consistent implementation and prevents BC from becoming fragmented or optional.
This aligns with internal audit/assurance concepts: effective governance is what allows an organization to evaluate and improve the effectiveness of risk management, control, and governance processes in a disciplined way—BCMS governance works similarly by ensuring BC processes are defined, owned, monitored, and improved.
Option B is too narrow (training is only one governance output). Option C contradicts BCMS intent—independent, inconsistent approaches create gaps and misalignment. Option D is irrelevant; governance must fit the organization’s structure and objectives, not the “sector structure.” Therefore, A is correct.
Which process determines the prioritised activities that enable product and service delivery to be resumed at a predetermined timeframe and capacity following a disruption?
Process BIA
Activity BIA
Product and Services BIA
Consolidated Analysis
In CBCI 7.0 / BCI GPG-aligned practice, the Analysis stage (PP3) uses BIA to identify what matters most and to define recovery priorities and resource requirements. A Product & Services BIA helps determine which products/services are most important, while Activity/Process BIAs identify the work that must be performed to deliver those priorities. The step that determines (finalizes) the set of prioritised activities and ties them to agreed recovery requirements (timeframe and capacity) is the consolidation of analysis outputs—bringing together BIA findings (and relevant assumptions/dependencies) into an integrated view that the organization can use for solution design and planning. This is why the correct option is Consolidated Analysis.
Activity BIA is critical because it identifies and prioritizes activities and captures detailed resource/dependency needs, but the question asks which process determines the prioritised activities in a way that links them to “predetermined timeframe and capacity” across products/services—this is the role of consolidation, turning multiple BIA layers into a single, actionable priority set for recovery.
Which of the following would NOT be included in plans at all levels?
Guidance for escalation
Risk assessments for each possible scenario
Purpose, scope, assumptions and objectives of the plan
Procedures for standing down the teams when the incident has been resolved
Plans at different levels (strategic, tactical, operational) typically share common foundational elements: a clear purpose and scope, key assumptions, and objectives (C), so users understand when and how to apply the plan. They also usually include escalation guidance (A) so issues are raised to the right level quickly, and stand-down/transition procedures (D) so teams can safely return to normal operations and capture learning after resolution. These elements support coordinated response across the response structure.
However, risk assessments for each possible scenario (B) would not be included “at all levels” of plans. Risk assessment is a distinct analysis activity, and while plans may reference key threats or assumptions, they are generally not built as scenario-by-scenario risk assessment catalogues—especially not across every plan level. The BCI distinguishes BIA (impact over time) and Risk Assessment (risks to prioritised activities) as analysis techniques; plans then enable execution of the chosen solutions and response arrangements.
So, risk assessments may inform plans, but they are not a universal content component at every plan level. Therefore B is correct.
Which of the following is NOT an activity that is undertaken as part of the governance of the Business Continuity Management System (BCMS)?
Carrying out specific operational activities relevant to BCMS priorities
Monitoring and evaluating the performance of the BCMS
Supporting continual improvement to the BCMS
Ensuring that the BCMS meets any related regulatory requirements
BCMS governance is about direction, oversight, and control—setting expectations, monitoring whether the BCMS is effective, and ensuring it remains fit for purpose. The BCI GPG 7.0 (Lite) highlights that a BCMS must operate and maintain processes and response structures while monitoring and reviewing performance and effectiveness, and using qualitative/quantitative measures to drive continual improvement. Governance also includes ensuring the BCMS aligns with external obligations such as relevant legal and regulatory requirements, because non-compliance can create unacceptable impacts and can influence priorities and recovery requirements.
What governance does not do is “run the recovery work” itself. Carrying out specific operational activities (e.g., restoring systems, relocating teams, executing step-by-step recovery tasks) is the role of operational teams and plan owners under the response structure, not BCMS governance. Governance ensures those operational capabilities exist, are resourced, and are validated—but it does not execute them day-to-day. Therefore, option A is the activity that is not part of governance, while options B, C, and D are core governance responsibilities.
Which of the following approaches should be taken when developing solutions and allocating financial resources?
Prioritise activities and resources with the shortest and most urgent Recovery Time Objective (RTO)
Provide equal input to all strategies and solutions as they are all mutually supportive
Empower the relevant resource or activity owner to make the decision on priority and spending
Prioritise activities and resources that are the cheapest to implement
Solutions Design (PP4) uses BC requirements from Analysis (PP3)—including RTOs and minimum acceptable capacity—to decide which strategies and solutions must be implemented first and where investment provides the most protection to priority delivery. An urgent/short RTO means the organization has very limited time before impacts become unacceptable; therefore, solutions supporting those activities typically require earlier funding and stronger capability (e.g., automation, replication, standby arrangements, pre-positioned resources). Prioritising spend against the most urgent RTOs is a direct, requirement-led approach and aligns investment to what the organization must recover fastest to survive disruption.
Option B is poor practice: not all strategies carry equal criticality—some protect essential delivery while others are “nice to have.” Option C can create inconsistent priorities across departments and undermine enterprise-wide optimization; owners contribute, but prioritisation must be governed centrally against agreed requirements. Option D focuses on cost rather than necessity; “cheap” solutions may fail to meet recovery requirements. Therefore, the correct approach is A: prioritize solutions for the shortest and most urgent RTOs.
Validation is achieved through a combination of activities. Which one of following options lists the three activities?
Exercising, debriefing, and peer review
Exercising, maintenance and analysing
Exercising, updating, and stakeholder review
Exercising, maintenance, and review
In CBCI 7.0 (aligned to BCI Good Practice Guidelines 7.0), Validation (PP6) is explicitly achieved through a combination of three activities: Exercising, Maintenance, and Review. Exercising is used to train for, assess, practice, and improve performance; maintenance ensures BC arrangements and plans remain relevant and operationally ready; and review assesses the suitability, adequacy, and effectiveness of the BCMS and identifies opportunities for improvement. This “three-part” approach ensures validation is not limited to running exercises: it also confirms that documents and capabilities stay current and that the BCMS remains effective as the organization and its context change. The GPG Lite 7.0 section for PP6 states this combination directly, and it also emphasizes that validation confirms implemented solutions and plans work to agreed specifications and are appropriate for the organization’s size and complexity—reinforcing why maintenance and review must accompany exercises rather than being optional add-ons.
The method to measure Business Continuity (BC) culture that assesses levels of response and performance in similar situations across all levels and the breadth of an organization is:
Behavioural Consistency
Pre-mortem Checks
Business Continuity Awareness
Unstructured Observations
In CBCI 7.0 (aligned to BCI GPG 7.0), measuring BC culture is most meaningful when it focuses on what people actually do under similar conditions—not only what they say they know. A “behavioural consistency” approach evaluates whether teams and leaders respond in a predictable, repeatable, and aligned way when faced with comparable situations across different parts of the organization. This directly fits the question wording: it looks at levels of response and performance “across all levels and the breadth” of the organization, identifying whether BC behaviours are embedded uniformly or only present in pockets. GPG 7.0 also reinforces that embracing BC is achieved by embedding behaviours beyond compliance, leading to improved culture and fit-for-purpose capability.
By contrast, “BC awareness” typically measures knowledge/visibility (training, communications reach), not consistency of performance. “Unstructured observations” can provide insight but lacks repeatability and comparability across the organization. “Pre-mortem checks” are a useful technique for anticipating failure modes, but they are not primarily a culture measurement method focused on observed response consistency.
In relation to Business Continuity (BC) solutions, which of the following would be included in the procedure for communications with people outside of the organization during a disruption?
Clarification that all personnel have the responsibility of keeping social media information up to date and should treat this as a priority activity
Identification of the team, group or individual with the responsibility, authority and technical knowledge to deliver communications via each available method
Instruction that external communications should not take place until after the incident is over
Permission for communications personnel to make decisions on how the organization is represented in a crisis without prior agreement with top management
Enabling Solutions (PP5) is where agreed continuity solutions are made usable through response structures and plans—this includes defining how communications will work during disruption. Effective external communications procedures must be role-based and controlled: they should identify who is authorized to communicate, through which channels, and with what approvals—so messages are accurate, timely, and consistent. Option B reflects that good practice: naming the team/group/individual with the required responsibility, authority, and technical capability for each method (e.g., media statement, website updates, customer notifications, hotline, social media).
Option A is dangerous because it decentralizes messaging and increases the risk of conflicting or inaccurate public information. Option C is unrealistic—stakeholders often need updates during the incident (customers, suppliers, regulators, media), not after it ends. Option D removes governance and can create reputational and legal risk; crisis communications normally follow agreed principles, escalation, and approvals, with top management involved in high-impact messaging. Therefore, B is the correct procedural inclusion for communicating outside the organization during disruption
Which of the following statements describes a good practice Business Continuity (BC) culture?
A situation where personnel follow procedures as set out by the organization but do not have a sense of ownership.
A situation where Business Continuity (BC) professionals have significant influence in the organization and specify all actions to be taken and carry out all reviews as needed.
A situation where all staff have a shared understanding of Business Continuity (BC) and everyone is involved.
A situation where the workforce is sufficiently committed to Business Continuity (BC) that top management does not get involved.
CBCI 7.0 reflects the GPG 7.0 emphasis that business continuity culture is not achieved by “mandating and enforcing compliance” alone; it is achieved when BC becomes understood, valued, and practiced across the organization. A “good practice” BC culture therefore looks like shared understanding and broad participation—people know why BC matters, understand their roles, and actively contribute to readiness and resilience. That matches option C.
Option A describes compliance without ownership, which is weaker and often fragile under stress. Option B incorrectly centralizes BC into the BC team; good practice requires distributed ownership (leaders and staff) rather than the BC function “doing it all.” Option D is also incorrect because top management involvement remains essential (leadership sets direction, provides resources, and reinforces expectations); a mature culture does not remove leadership accountability—it strengthens organization-wide engagement with leadership support. The GPG’s cultural focus is about enabling the organization to improve BC culture intentionally and make BC part of “how we operate,” not a specialist-only activity.
Which of the following would NOT be taken into account when developing and drafting a Business Continuity policy?
Providing detailed background information in the introduction to the policy which explains, with examples, how the new approach will be different from past approaches
Setting expectations for how the BCMS will be operationalized
Using concise and straightforward language that is accessible to all personnel
Designing the policy to be appropriate to the type of organization and to reflect the culture and operating environment
The CBCI 7.0 course indicates that Business Continuity policies should be clear, concise, and focused on the organization's current continuity objectives and governance, rather than including detailed historical background or examples of past approaches. The policy is a guiding document that sets expectations and scope, written in accessible language tailored to the organization’s culture and operating environment. Extensive background details can dilute the clarity and purpose of the policy, making it less effective as a communication tool. Operationalization expectations and cultural appropriateness are key inclusions.
The three main steps involved in the risk assessment process are listing risk sources, performing a risk source analysis and:
Identifying historical risks
Categorising risks
Assessing the consequences of risks
Evaluating risks
CBCI 7.0 aligns its risk assessment language to ISO/BCI terminology. BCI guidance defines risk assessment as an overall process of risk identification, risk analysis, and risk evaluation. In the wording of your question, “listing risk sources” maps to risk identification, and “performing a risk source analysis” maps to risk analysis (examining likelihood and consequences to understand risk level). The third step, therefore, is risk evaluation—comparing analysed risks against agreed criteria (risk appetite/tolerance) to decide whether further action is needed and to prioritise treatment.
Option C (assessing consequences) is part of risk analysis, not the final step. Options A and B can be helpful techniques, but they are not the standard third step in the three-step risk assessment model used in BC/ISO-aligned frameworks. Therefore, the correct answer is D: Evaluating risks.
In relation to the care and wellbeing of staff during an incident, which of the following would NOT be an immediate requirement for the People and Culture Management team?
Accounting for the personnel on the site where the incident has occurred
Being able to contact personnel and their family members
Assigning responsibilities to staff who are working away from the site to enable recovery activities to commence
Enabling access to physical care if needed
During an incident, immediate people-related requirements prioritize life safety, welfare, and accountability. In BC response structures, People/HR (often called People & Culture) typically focuses first on confirming who is affected, ensuring personnel are safe, supporting access to medical/physical care, and establishing reliable communications with staff and (where appropriate) family members. These actions reduce harm and enable leadership to make accurate decisions about escalation and support. This aligns with crisis/incident management good practice where “accounting for people” and welfare support are immediate priorities before broader recovery work is initiated. (ready.gov)
Option C—assigning recovery responsibilities to staff away from the site—is important for recovery enablement, but it is not an immediate care/wellbeing requirement. It belongs more to operational recovery coordination and plan activation once the immediate safety picture is understood. Options A, B, and D are directly tied to immediate welfare: confirm personnel status, contact and support staff/families, and enable access to care. Therefore, C is the correct “NOT immediate requirement” for the People and Culture Management team when the focus is specifically care and wellbeing.
Which of the following is NOT part of the process to implement solutions to resume business operations?
Ensuring alignment with the response structure and plans
Providing training for users of solutions and support staff
Updating the Activities Business Impact Analysis (BIA) to take into account the effect of the solutions on priority activities
Complying with the organization's project management procedures
While the Activities BIA informs the development of solutions, updating the BIA is not part of the solution implementation process itself. The CBCI 7.0 course explains that implementing solutions focuses on ensuring that operational plans, training, and governance are aligned and effectively deployed. Training equips personnel to use and support new solutions properly. Compliance with project management processes ensures structured, controlled implementation. The BIA is a foundational analysis tool and is typically reviewed or updated separately during scheduled risk and impact assessments rather than during solution implementation. Conflating BIA updates with implementation may confuse strategic assessment with operational execution.
Analysing information about how an organization has responded to incidents, including engagement with those impacted and its approach to responsibility, can provide insight into the organization's:
Culture
Business targets
Business plan
Structure
Understanding an organization’s response to incidents—particularly how it engages with affected parties and manages accountability—offers a window into its organizational culture. Culture reflects shared values, beliefs, and behaviors within an organization, influencing how risks are perceived and managed. The CBCI 7.0 course emphasizes that a strong Business Continuity culture ensures personnel are proactive in managing disruptions and responsible for their roles in response plans. Analysing incident responses reveals this underlying culture by showing commitment levels, openness to learning, and responsibility allocation, which collectively shape resilience. This insight is crucial because culture directly affects the effectiveness of the Business Continuity Management System (BCMS), as a positive culture fosters cooperation and adherence to continuity plans, while a weak culture may reveal gaps in preparedness and commitment.
Why is a risk assessment usually conducted after a Business Impact Analysis (BIA) as part of the analysis stage?
Conducting a BIA ties up personnel on this project; so resources are not available to conduct the risk assessment until after personnel are released from the BIA project
Conducting the risk assessment after the BIA has identified priorities enables the risk assessment to maximise investment in risk treatments where they are most needed
A risk assessment is not required until Business Continuity solutions based on the outcomes of the BIA have been developed for review
Risk assessments are not required until after the organization's business plan has been updated to confirm any changes in plans as a result of the BIA
The CBCI 7.0 course states that conducting the risk assessment after the BIA allows the organization to prioritize risk treatments effectively by focusing on the critical activities identified during the BIA. The BIA highlights which business functions are most important and the impact of their disruption, enabling the risk assessment to concentrate on threats that could affect these priority areas. This sequencing ensures that resources and mitigation efforts are directed toward protecting the most significant risks impacting continuity objectives. Resource availability is not the primary reason, and risk assessments are integral to ongoing BCMS maintenance rather than conditional on business plan updates or solution development.
When setting up any individual exercise, which of the following should be taken into consideration in relation to risks to business as usual?
Personnel, including senior managers, should be instructed to consider the exercise as a priority and ignore any risks to business as usual that may arise during the exercise
Pre-existing business as usual commitments should be treated as a secondary consideration to ensure that these commitments do not undermine the exercise activity
The disruption caused by the exercise and any impact should be planned in advance, monitored and controlled during the exercise and minimised
Any impacts of the exercise on business as usual should be written off in advance as an acceptable cost of carrying out the exercise
Exercising business continuity plans involves balancing the need to simulate realistic scenarios while minimizing unintended disruption to normal operations. The CBCI 7.0 course instructs that exercise planners must anticipate and control any business as usual impacts through careful planning, monitoring, and mitigation during the exercise. Ignoring risks or dismissing business as usual commitments undermines organizational operations and can reduce support for continuity activities. Managing disruption effectively ensures exercises achieve their objectives without unnecessary operational costs.
When establishing a Business Continuity Management System (BCMS), engagement with stakeholders is important. Which of the following is NOT a reason for engaging with internal stakeholders?
Existing policies and procedures may be relevant to the BCMS so early identification will reduce the risk for duplication of work
Early collaboration with colleagues will engage them in the process and secure support for the ongoing development and implementation of the BCMS
Engagement of stakeholders will reduce the potential for conflict at later stages of the programme
Involving stakeholders will reduce the workload and responsibilities of the Business Continuity Professional as administrative activities can be delegated to other staff
While stakeholder engagement facilitates collaboration, reduces conflict, and helps identify relevant policies, it does not primarily serve to lessen the workload of the Business Continuity Professional by delegating administrative tasks. The CBCI 7.0 course clarifies that stakeholder involvement is about gaining support, expertise, and ownership rather than shifting administrative burdens. The Business Continuity Professional retains core responsibility for managing the BCMS, though collaboration supports efficient and effective program delivery.
Why is it important to use a warning or code word such as “exercise only” when providing communication injects during an exercise?
To ensure that the information is not treated as a real message
To ensure that the information is treated as confidential
To indicate that the message has been approved by the exercise facilitator
To indicate that all information should be treated as real during the exercise
In BC validation and exercising, “injects” are simulated messages used to drive decisions and actions. Using a clear code word (e.g., “For exercise” / “Exercise only”) is essential to prevent simulated information being mistaken for a real incident notification—especially when exercise communications travel through normal channels (phone, radio, email, chat). This protects people, avoids unnecessary escalation, and prevents operational disruption caused by staff believing a real emergency is underway. Exercise guidance commonly defines “For Exercise” as a preamble meaning the message relates to the exercise only and “is not to be confused with real activity,” and recommends prefixing simulated calls/messages accordingly.
Therefore, option A is correct.
Option B (confidentiality) is not the main purpose of the code word; confidentiality is handled through exercise ground rules and distribution controls. Option C is not what the code word signifies. Option D is the opposite of the intent—while participants should act realistically within the exercise play, the code word ensures everyone understands the scenario is simulated, preventing real-world misinterpretation and unintended consequences.
Which of the following is a principle to be adhered to when producing communications during a disruption?
Communications should be consistent with the organization's beliefs, culture, values and value proposition
Senior personnel in areas affected by the disruption should take the lead in producing and releasing accurate information via media
Communications should be so that individuals involved in the disruption can be directly contacted by interested parties
In order to ensure that communications are not delayed, only pre-agreed general statements, without any reference to the specific disruption, may be released to pre-agreed interested parties
Effective communication during disruption must align with the organization's core beliefs, culture, and values to maintain trust and credibility. The CBCI 7.0 course highlights that consistent messaging helps ensure stakeholders understand the organization’s position and response approach. Communications must be transparent and reflect organizational identity, supporting both internal morale and external reputation. Delegation of communications to appropriate experts and timely information sharing are also important but must be aligned with organizational values for coherence.
An effective exercise programme should:
Be put in place as part of the outcome of the Business Impact Analysis (BIA) and the associated solutions design
Follow the same framework of activities each year so that progress can be compared over time
Be reviewed regularly at pre-defined intervals or following significant change
Reflect trends in customer concerns and feedback from stakeholders
Within CBCI 7.0 (aligned to BCI GPG 7.0), validation includes exercising and testing to confirm the BCMS performs as intended and stays effective as the organization changes. Good practice is not to “set and forget” an exercise programme; it must be kept current as threats, dependencies, operating models, staffing, suppliers, technology, and locations evolve. The BCI explicitly states that exercises should be performed at planned intervals and when there are significant changes within the organization or the context in which it operates—this directly supports the need to review the exercise programme regularly at pre-defined intervals or after significant change.
Option A is partly true (exercise objectives should reflect BIA and solutions), but it doesn’t capture the key “effective programme” control: continuous review/update. Option B can help comparison, but repeating the same framework can also create predictability and miss emerging risks. Option D may inform scenarios, yet customer concerns alone should not drive the programme. The strongest CBCI-aligned answer is C.
Where social media is a key element in an organization's communications response strategy, it is important for the organization to:
Build up followers and establish a social media presence before an incident
Empower all staff to engage with social media to ensure that information during a disruption can be delivered quickly
Ensure all staff who engage with social media are aware of the need to keep a note of their engagement in case valuable contacts are secured through this route
Limit social media engagement to one-way communications as only the organization's formal statements and opinions are required
The CBCI 7.0 course highlights that an effective social media strategy requires establishing and nurturing a following before incidents occur. A pre-existing audience ensures messages disseminated during disruptions reach stakeholders promptly and credibly. While empowering staff to engage may lead to inconsistent messaging and risks, centralized management ensures accuracy and control. Recording engagement can be useful but is secondary. Limiting social media to one-way communications may reduce interaction but safeguards message consistency. Building presence early is foundational to effective crisis communications.
A key difference between “embedding” and “embracing” Business Continuity (BC) is that:
Embedding is focused on mandating and enforcing compliance whereas embracing is aimed at creating a greater understanding of the reason why BC is needed through cultural change
Embedding is mandated by top management within the BCMS whereas embracing is designed and implemented by operational teams
Embedding is only relevant for organizations that are new to BC whereas embracing should only be undertaken in organizations with well-established BCMS
Embedding relies on commitment from personnel whereas embracing is mandated and incorporates strict discipline
CBCI 7.0 explicitly covers “the difference between embracing and embedding business continuity.” In BCI’s messaging around GPG 7.0, the change to “embracing” reflects a shift from a compliance-heavy mindset toward building understanding, belief, and culture, so people know why BC matters and behave accordingly.
Option A best captures this: “embedding” is commonly associated with making BC part of routines through processes and requirements (often interpreted as compliance enforcement), while “embracing” focuses on the cultural and behavioural commitment that makes BC sustainable and meaningful.
Options B–D misstate ownership and maturity. Embracing is not only an operational-team activity; it needs leadership sponsorship and organization-wide participation. It is also relevant at any maturity level, and it is not fundamentally about mandating strict discipline—rather it is about creating shared understanding and engagement.
Which of the following factors affects the way in which an organization selects and combines the different types of Business Impact Analysis (BIA)?
The outcomes of an organization's risk assessment to determine which part of the organization is at greatest risk
The scope of the Business Continuity Management System (BCMS)
The outcomes of a gap analysis to identify where there is greatest need for Business Continuity capability to be improved
Consultation with internal and external stakeholders on the extent of analysis that is required
The CBCI 7.0 course explains that the scope of the BCMS is the primary factor influencing the selection and combination of BIA types (e.g., activity, product, or process BIAs). The scope defines which organizational units, activities, and resources are covered, thereby guiding the level and focus of impact analysis. While risk assessments, gap analyses, and stakeholder consultations inform aspects of BCMS development, they do not determine the BIA methodology as directly as the defined scope. Aligning BIAs to scope ensures consistency and resource-effective analysis.
Which of the following would NOT affect the scope of the Business Continuity Management System (BCMS) and lead to the need for the scope of the BCMS to be reviewed?
A merger with another organization
A change to legal or regulatory requirements
A change to the way that products and services are delivered
A new communications manager being appointed to lead a business promotion campaign on social media
In CBCI 7.0, PP1 – Establishing a BCMS includes defining the BCMS scope and recognizing that BCMS activities are not one-time tasks; they evolve as the organization changes. Scope review is normally triggered by changes that materially affect continuity requirements—such as structural changes, changes to products/services, delivery models, locations, technology, critical resources, or external obligations. A merger (A) can significantly change organizational boundaries, critical activities, and dependency networks, requiring scope reassessment. A change in legal/regulatory requirements (B) can introduce new continuity obligations and thresholds for unacceptable impact, again affecting scope. A change in how products/services are delivered (C)—for example increased outsourcing, new platforms, or new channels—changes dependencies and recovery priorities, often requiring scope review.
Option D is different: appointing a communications manager to run a promotion campaign is not, by itself, a material change to continuity requirements or the operating model of prioritized products and services. Unless it creates a new critical service/dependency (which the option does not state), it would not normally trigger a BCMS scope review.
For a strategic response team to be effective, its members should have:
Ability to identify commercial opportunities in adverse situations
A detailed understanding of each requirement set out in Business Continuity plans
Skill in coordinating resources, operations and suppliers
Decisiveness and the ability to make decisions quickly
Strategic response teams play a crucial role in managing crises by making timely, high-level decisions that guide the organization's overall continuity response. The CBCI 7.0 course emphasizes that decisiveness and rapid decision-making are essential qualities for such teams, as delays can exacerbate disruptions and increase impacts. While coordination skills and understanding of Business Continuity plans are important, the strategic team must prioritize swift, confident decisions to steer operational teams and allocate resources effectively during dynamic and stressful situations. Identifying commercial opportunities is beneficial but secondary to ensuring continuity and stability.
In relation to validation, which of the following is NOT an aim of an exercise programme?
Improved teamwork and competency of recovery team members
Verification that the expected Recovery Time Objectives (RTOs) can be achieved
Identification of outdated information in the Business Continuity (BC) plans and areas for improvement
Design of additional Business Continuity (BC) policies and solutions
Validation (PP6) confirms whether the BCMS meets objectives set in policy and whether capability works in practice through awareness, exercising, maintenance, and review programmes. Exercise programmes are aimed at improving performance and readiness: they strengthen teamwork and competence (A), provide evidence that recovery performance targets (including RTOs) are achievable (B), and reveal issues such as outdated plan content, role confusion, missing resources, or unclear procedures so improvements can be made (C).
Designing new policies and solutions (D) is not the purpose of exercising. Policies are set within BCMS establishment/governance (PP1), and strategies/solutions are primarily designed in Solutions Design (PP4) and implemented in Enabling Solutions (PP5). Exercises may inform changes to policy or solutions via lessons learned, but “design of additional policies and solutions” is not an aim of the exercise programme itself—it’s a downstream improvement activity that follows from validation findings. Therefore, D is the option that is NOT an exercise-programme aim.
During the process of strategy determination as part of solutions design, the Business Continuity (BC) professional should consider and select solutions to deliver agreed strategies in partnership with the:
Finance director
Department representative
Relevant product, activity or resource owner
Incident response team leader
Solutions Design (PP4) turns requirements from Analysis into practical strategies and solutions (for people, premises, technology, information, suppliers, etc.). Selecting workable solutions requires collaboration with the stakeholders who own the product/service delivery, activities, and critical resources, because they understand operational constraints, dependencies, performance expectations, and what “minimum acceptable capacity” really means in practice. This is reinforced by the CBCI module outline for PP4, which includes selecting strategies/solutions and mitigating unacceptable risks/single points of failure—work that depends on detailed operational input from owners.
The finance director may advise on affordability, but is not the primary partner for solution design decisions. A “department representative” is vague and may not have authority/knowledge of the specific priority activity or resource. Incident response team leaders focus on incident-time coordination, not necessarily on designing recovery capabilities. Therefore, partnering with the relevant product, activity, or resource owner (option C) is best practice and delivers solutions that are realistic, maintainable, and actually executable during disruption.
In relation to Business Impact Analysis (BIA), why is the risk assessment conducted after the BIA has been completed?
To ensure that personnel and resources are not distracted from the primary purpose of delivering the BIA
To enable the risk assessment to focus on the risks associated with prioritised products and services as determined by the BIA
To prevent the risk assessment information leaking to external stakeholders before the BIA is available
To ensure that there is sufficient time and focus available to complete a full organizational risk assessment that is not biased by ongoing work on the BIA
GPG 7.0 explains that Analysis (PP3) uses two techniques: BIA and Risk Assessment. The BIA determines the impacts of disruption over time and identifies priorities and resource requirements; then the risk assessment analyses the relevant risks to prioritised activities to find concentrations of risk or potential points of failure. This sequencing is logical: you first decide what matters most and what must be recovered (BIA outputs), and then you assess what could stop those priorities from being delivered (risk assessment focused on prioritised products/services/activities). That is exactly what option B states.
Option A may be a side benefit, but it is not the core methodological reason. Option C is not a BC good-practice rationale. Option D is incorrect because PP3 risk assessment is typically scoped to prioritised activities rather than being a generic “full organizational risk assessment.”
Note on “100% verified from CBCI 7.0 course documents”: I cannot access the paid CBCI courseware directly, but these answers are verified against official BCI GPG 7.0 materials and BCI PP3/PP2 published guidance, which CBCI 7.0 is based on.
It is important to measure Business Continuity culture because this:
Can determine whether or not the organization needs to continue reviewing and making improvements to its Business Continuity Management System (BCMS)
Indicates how well personnel are likely to engage with, and follow Business Continuity plans and procedures
Indicates whether or not there is a need to validate and update operational plans
Provides data that can be used when promoting the organization to potential new recruits
Measuring Business Continuity culture is essential to assess the level of engagement, understanding, and commitment personnel have toward Business Continuity plans and procedures. The CBCI 7.0 course stresses that culture measurement helps predict the likely success of continuity efforts during disruptions. A strong culture supports adherence to plans and proactive risk management, while a weak culture may highlight areas needing targeted improvement. While measurements can indirectly inform reviews and validations, the primary focus is on gauging personnel behaviour and engagement, which is the most critical factor in continuity effectiveness.
Which of the following is correct in relation to simulation exercises?
Simulation exercises involve only key participants rather than all personnel that could be involved in a real incident
Answer:Simulation exercises are always discussion-based
Answer:Participants are provided with the full detail of the scenario prior to the exercise commencing, including any information and materials on issues that will arise during the scenario so they can be fully prepared
Answer:There are no time constraints as the exercise is not running in real time so participants can take time to discuss issues that arise and alternative ways to address them
Answer:A
Simulation exercises are designed to mimic real incident responses in as close to a real-time environment as possible but usually involve only the key personnel whose roles are critical in managing the disruption. The CBCI 7.0 materials specify that simulation exercises test the decision-making, coordination, and response of these essential participants rather than the entire workforce, ensuring focused and practical validation of plans and capabilities. They differ from discussion-based exercises, which involve broader participation and are scenario discussions without time constraints. Simulation exercises maintain real-time pressures and operational realism, although full scenario details are typically not disclosed upfront to simulate uncertainty.
Strategic, tactical, and operational plans should always be activated:
Simultaneously
Only after it is determined that full activation of all teams is necessary
When cascaded down from the strategic team
Based on the conditions or circumstances documented in the relevant team plan
The CBCI 7.0 course specifies that activation of strategic, tactical, and operational plans must be based on the conditions or triggering events detailed in each specific plan. Each plan type serves distinct purposes at different organizational levels and phases of incident response. Strategic plans set the overarching direction; tactical plans translate this into actions, and operational plans provide detailed task instructions. The triggering conditions—such as incident severity, scope, or impact—dictate when each plan should be activated to optimize resource use and response effectiveness. Simultaneous activation is neither practical nor efficient. Activation cascading from the strategic team is a controlled process, but ultimately depends on predefined triggers, ensuring an orderly and appropriate escalation.
TESTED 15 Jul 2026
