GAQM CBCP-002 Certified Business Continuity Professional (CBCP) Exam Practice Test

In the event of a disaster that destroys the physical office site operations will be relocated to a temporary site. This is true because one of the recovery strategies for a disaster is to have an alternate site where the critical functions and processes can be resumed until the primary site is restored or replaced. The alternate site can be a pre-arranged location, such as a rented office space, a hotel, or another branch of the same organization, or a mobile facility, such as a trailer or a container. The alternate site should have the necessary equipment, systems, data, and resources to support the continuity of the business. Verified References:

Technical risk is the type of risk that is associated with risk of physical assets failing/being damaged or enhanced. Technical risk is the uncertainty or variability of the performance or reliability of physical assets, such as equipment, systems, infrastructure, or data. Technical risk can result from factors such as design flaws, manufacturing defects, maintenance issues, obsolescence, human error, natural disasters, or cyberattacks. Technical risk can affect an organization’s operational efficiency, quality, safety, security, or profitability. Verified References:

Operational risk is the type of risk that is related to human error or achievement. Operational risk is the uncertainty or variability of the execution or outcome of an organization’s functions or processes. Operational risk can result from factors such as inadequate policies, procedures, systems, controls, skills, training, supervision, or compliance. Operational risk can affect an organization’s operational efficiency, quality, safety, security, reputation, or profitability. Verified References:

Tolerating risk is where no action is taken to mitigate or reduce a risk. This is true because tolerating risk is one of the possible strategies for managing risk. Tolerating risk means accepting or retaining a risk without taking any further action to reduce it, either because the risk level is acceptable or because the cost or effort of reducing it is not justified. Tolerating risk may be appropriate for low-priority or low-impact risks that do not pose a significant threat to the organization’s objectives. Verified References:

A facility certification center is a center that provides the physical infrastructure for testing and certifying the functionality and performance of products, systems, or services. A facility certification center may have specialized equipment, tools, environments, or standards that can simulate real-world conditions or scenarios. A facility certification center may also have qualified staff, experts, or auditors who can conduct the testing and certification process. Verified References:

Threats can be considered any events or situations that can cause harm or disruption to an organization’s functions or processes. Threats can be natural, human-made, or technological in origin. Some examples of threats are water (such as floods, leaks, or spills), technology failure (such as system crashes, cyberattacks, or power outages), and fire (such as arson, accidents, or explosions). Verified References:

In Business Continuity Planning (BCP), confidentiality and security of sensitive information are critical considerations when releasing details publicly. According to standard practices outlined in Business Continuity Professional guidelines, such as those from the Disaster Recovery Institute International (DRI) and ISO 22301, certain elements of a BCP should remain confidential to protect the organization and its stakeholders.

Process flows: These describe how critical processes are maintained or recovered during a disruption. While detailed process flows may be sensitive internally, a high-level overview can often be shared publicly to demonstrate preparedness without compromising operational security. Thus, they are not inherently prohibited from public release.

Contact lists: These contain personal and operational details such as names, phone numbers, and roles of key personnel involved in the BCP. Releasing contact lists publicly poses significant risks, including privacy violations, potential targeting by malicious actors, and operational vulnerabilities. Best practices dictate that contact lists should remain confidential and restricted to authorized personnel only.

BIA results: The Business Impact Analysis (BIA) identifies critical functions, recovery time objectives (RTOs), and potential impacts of disruptions. While detailed BIA results are sensitive, summary-level findings (e.g., critical processes identified without specific vulnerabilities) can sometimes be shared to show due diligence. However, this is not strictly prohibited in public releases if anonymized or generalized.

All of the above: Since process flows and BIA results can be released in a controlled, summarized form, this option is incorrect. The key element that should unequivocally not be released is the contact list due to its sensitive nature.

Therefore, the correct answer isB. Contact lists, as it aligns with the principle of protecting sensitive personal and operational data in public disclosures.

References:

DRI International Professional Practices for Business Continuity Management (2023), Section 6: Business Continuity Plan Development – Emphasizes safeguarding sensitive data like contact details.

ISO 22301:2019, Clause 8.4 – Highlights confidentiality in BCP documentation and communication.

BIA helps to identify all of the above aspects of an organization’s functions and processes. It helps to identify the critical services and products that the organization delivers to its customers and stakeholders, and the functions and processes that support them. It also helps to identify the critical interdependencies and interested parties that are involved in or affected by the organization’s functions and processes, such as suppliers, partners, regulators, or employees. Moreover, it helps to identify the tangible and intangible impacts of a disruption to the organization’s functions and processes over a period of time, such as financial losses, reputational damage, legal liabilities, or customer dissatisfaction. Verified References:

A full-scale exercise is a type of exercise that involves all teams. A full-scale exercise is a high-pressure exercise that simulates a realistic scenario of a disruption that affects all or most of the organization’s functions and processes. A full-scale exercise tests the effectiveness and efficiency of the plans, procedures, systems, teams, and resources that are required to respond to and recover from a disruption. A full-scale exercise also evaluates the coordination and communication among all the teams and stakeholders involved. Verified References:

The frequency of BCP testing for critical processes is a fundamental aspect of ensuring a plan remains effective and relevant. Business Continuity Professional standards, such as those from DRI International and ISO 22301, provide guidance on testing frequency based on the criticality of processes and organizational needs.

Annually: Industry standards recommend that critical processes undergo comprehensive BCP testing at least once a year. This ensures that plans are validated, personnel are trained, and any gaps or changes in the business environment are addressed. Annual testing is considered a baseline requirement for maintaining resilience, particularly for critical functions that, if disrupted, could severely impact the organization.

Quarterly: While more frequent testing (e.g., quarterly) may be appropriate for highly dynamic environments or specific high-risk processes, it is not a universal requirement for all critical processes. Quarterly testing is typically reserved for specific scenarios or as part of a progressive testing strategy rather than a standard frequency.

As per calendar planned at beginning of the year: This option implies a flexible schedule, but it lacks specificity and does not align with standardized recommendations. Testing should follow a defined frequency rather than an arbitrary calendar plan unless explicitly tied to a standard (e.g., annual).

Half-yearly: Semi-annual testing (every six months) may be adopted by some organizations for additional assurance, but it exceeds the minimum standard requirement of annual testing for critical processes unless specified by organizational policy or regulatory mandates.

The verified answer,A. Annually, reflects the widely accepted minimum frequency for testing critical processes as per Business Continuity Professional guidelines. However, organizationsmay increase frequency based on risk assessments or regulatory requirements, though this is not the default expectation.

References:

DRI International Professional Practices for Business Continuity Management (2023), Section 9: Testing and Exercising – Recommends annual testing as a minimum for critical processes.

ISO 22301:2019, Clause 8.5 – Specifies regular testing and exercising, with annual frequency as a common benchmark for critical functions.

The four R’s are action approaches for crisis and post-crisis management. They are:

Reduction: This approach aims to prevent or mitigate the occurrence or impact of a crisis by identifying and addressing the root causes, vulnerabilities, and risks.

Readiness: This approach aims to prepare for a potential crisis by developing plans, policies, procedures, systems, teams, and resources that can enable a timely and effective response.

Response: This approach aims to manage a crisis by activating the plans, policies, procedures, systems, teams, and resources that can contain, control, and resolve the situation.

Recovery: This approach aims to restore normal operations after a crisis by implementing actions that can repair damages, restore functions and processes, resume services and products, recover losses, and learn lessons. Verified References:

A Business Continuity Plan (BCP) is designed to ensure an organization can maintain or resume critical functions during and after a disruption. According to Business Continuity Professional standards, such as those from DRI International and ISO 22301, the BCP typically encompasses three core components that address different phases of response and recovery:

A. Emergency response: This component focuses on the immediate actions taken during a disruption (e.g., evacuation, safety measures, and initial coordination). It is a foundational part of the BCP, ensuring personnel and asset safety as a prerequisite to continuity and recovery efforts.

B. Incident management: While incident management (handling and resolving incidents) is critical in broader crisis management frameworks, it is often considered a distinct process under an Incident Response Plan (IRP) rather than a core BCP component. It overlaps with BCP but is not universally listed as one of the three primary elements.

C. Problem management: This is an IT service management process (e.g., under ITIL) focused on identifying and resolving the root causes of incidents. It is not a standard component of a BCP, which prioritizes continuity and recovery over long-term problem resolution.

D. Business recovery: This involves restoring critical business functions and processes after a disruption, ensuring the organization can resume normal operations. It is a central pillar of the BCP, addressing recovery time objectives (RTOs) and operational continuity.

E. Disaster recovery: This focuses on recovering IT systems, data, and infrastructure following a disaster. Often integrated into the BCP, it ensures technological continuity, making it a key component alongside business recovery and emergency response.

The verified answer isA. Emergency response, D. Business recovery, E. Disaster recovery, as these three components collectively cover the lifecycle of a BCP—immediate response, business function restoration, and IT recovery—per established standards. While incident management is related, it is typically supplementary rather than a core BCP element when narrowed to three components.

References:

DRI International Professional Practices for Business Continuity Management (2023), Section 6: Business Continuity Plan Development – Identifies emergency response, business recovery, and disaster recovery as key BCP components.

ISO 22301:2019, Clause 8.4 – Outlines planning for response (emergency), continuity (business recovery), and IT recovery (disaster recovery) as integral to BCP.