Certified Information Systems Auditor (CISA) — Question 325
An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center. Which of the following findings should be of GREATEST concern to the auditor?
Answer options
- A. The SLA has not been reviewed in more than a year.
- B. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP).
- C. The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP).
- D. Backup data is hosted online only.
Correct answer: B
Explanation
The correct answer is B. The DRP is built on the assumption that the secondary site will be available within the RTO it documents. If the SLA with the hosting provider commits to a longer RTO, the provider is under no contractual obligation to restore service within the time the bank's plan requires, so the bank cannot meet its own recovery objective and may face prolonged downtime and operational disruption in a disaster. The RTO in the SLA should be equal to or shorter than the RTO in the DRP; an auditor should expect the two to be aligned and should raise a misalignment as a significant finding.

Option A is a governance weakness (an SLA should be reviewed at least annually), but a stale review date does not by itself mean the agreed terms are inadequate. Option C is not a problem: an RPO in the SLA that is shorter than the one in the DRP means the provider commits to less data loss than the plan requires, which exceeds the bank's stated need. Option D warrants follow-up, since online-only backups lack an offline or offsite copy, but it does not directly undermine the recovery timeline in the way a misaligned RTO does.