Certified Information Systems Auditor (CISA) — Question 22
Critical processes are not defined in an organization's business continuity plan (BCP). Which of the following would have MOST likely identified the gap?
Answer options
- A. Updating the risk register
- B. Reviewing the business continuity strategy
- C. Reviewing the business impact analysis (BIA)
- D. Testing the incident response plan
Correct answer: C
Explanation
The business impact analysis (BIA) is specifically designed to identify and prioritize critical processes and their potential impacts on the organization. If critical processes are missing from the BCP, reviewing the BIA would most likely uncover that gap. The other options, while important for overall risk management and preparedness, do not focus specifically on identifying critical processes as the BIA does.