Certified Information Systems Auditor (CISA) — Question 171

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

Answer options

• A. The DRP has not been updated since an IT infrastructure upgrade.
• B. The DRP has not been distributed to end users.
• C. The DRP has not been formally approved by senior management.
• D. The DRP contains recovery procedures for critical servers only.

Correct answer: A

Explanation

The most pressing concern is that the DRP has not been updated since an IT infrastructure upgrade, as this can lead to outdated recovery strategies that do not align with current systems. While distribution and approval are important, they become less critical if the plan itself is not current and relevant. Recovery procedures limited to critical servers also pose a risk, but updating the plan is paramount to ensure all aspects of the infrastructure are accounted for.