Certified Information Systems Auditor (CISA) — Question 1428

An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?

Answer options

• A. Copies of the BCP have not been distributed to new business unit end users since the reorganization
• B. The most recent business impact analysis (BIA) was performed two years before the reorganization
• C. A test plan for the BCP has not been completed during the last two years
• D. Key business process end users did not participate in the business impact analysis (BIA)

Correct answer: B

Explanation

The correct answer is B because the relevance of the BIA diminishes over time, especially after significant changes like a reorganization. If the BIA is outdated, it may not accurately reflect the current risks and impacts to the new business processes. Options A, C, and D are important but do not carry the same level of immediate risk to the organization's continuity strategy as having an outdated BIA.