Certified Information Systems Auditor (CISA) — Question 1209

Which of the following findings is the GREATEST concern when reviewing a disaster recovery plan (DRP) with high availability requirements?

Answer options

• A. Annual tabletop testing is not required.
• B. Vendor contact information is not reviewed.
• C. Recovery time objectives (RTOs) are not defined.
• D. Responsibilities are not defined for the recovery team.

Correct answer: C

Explanation

The correct answer, C, highlights that without defined Recovery Time Objectives (RTOs), there is no clear target for how quickly systems need to be restored, jeopardizing high availability. Options A and B, while important, do not directly impact the critical timelines for recovery. Option D, though significant, pertains to team organization rather than the recovery timeline itself.