Certified Information Systems Auditor (CISA) — Question 310

Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery controls?

Answer options

• A. Backup procedures are not documented.
• B. Weekly and monthly backups are stored onsite.
• C. Backups are stored in an external hard drive.
• D. Restores from backups are not periodically tested.

Correct answer: D

Explanation

Option D is the most critical concern because if backups are not regularly tested, there is no assurance that they can be restored successfully when needed. While options A, B, and C present issues, they do not directly impact the reliability of the backup in a crisis as much as the lack of testing does.