Certified Information Systems Auditor (CISA) — Question 1344

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

Answer options

• A. The BCP has not been tested since it was first issued.
• B. The BCP is not version-controlled.
• C. The BCP's contact information needs to be updated.
• D. The BCP has not been approved by senior management.

Correct answer: A

Explanation

The most significant concern is that the BCP has not been tested since its inception, as untested plans may fail during an actual incident. While version control, updating contact information, and approval by management are important, they do not directly impact the plan's effectiveness in a crisis like a lack of testing does.