Certified Information Systems Auditor (CISA) — Question 229
Which of the following observations should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA) practices?
Answer options
- A. A combination of questionnaires, workshops, and interviews is used.
- B. Outsourced business processes are excluded from the scope of the BIA.
- C. Resource dependencies for critical processes are not determined.
- D. Recovery objectives are identified without conducting risk assessments.
Correct answer: C
Explanation
Option C is of most concern because failing to determine the resource dependencies of critical processes can leave the organization unprepared during a disruption. Options A and B, while potentially problematic, do not directly compromise the understanding of critical processes. Option D is also significant, but without knowing resource dependencies, recovery efforts could be ineffective.