Certified Information Systems Auditor (CISA) — Question 1429
Which of the following findings should be of MOST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
Answer options
- A. The plan has not been updated in several years.
- B. The plan has not been signed by executive management.
- C. No tabletop exercises have been conducted for the plan.
- D. End users have not been trained on the latest version of the plan.
Correct answer: C
Explanation
The absence of tabletop exercises (Option C) indicates that the organization has not tested its BCP in a simulated environment, which is critical for identifying potential gaps and ensuring preparedness. While the other options raise concerns about the plan’s currency, approval, and user awareness, they do not reflect the plan's practical readiness as directly as the lack of exercises does.