Certified Information Systems Auditor (CISA) — Question 1075

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Answer options

• A. Maximum allowable downtime (MAD)
• B. Mean time to restore (MTTR)
• C. Recovery point objective (RPO)
• D. Key performance indicators (KPIs)

Correct answer: A

Explanation

Maximum allowable downtime (MAD) is crucial as it directly impacts the business's ability to operate during system failures. While Mean time to restore (MTTR), Recovery point objective (RPO), and Key performance indicators (KPIs) are important metrics, they are secondary to understanding how long the organization can tolerate system downtime before significant harm occurs.