Certified Information Systems Auditor (CISA) — Question 537
While reviewing an organization's business continuity plan (BCP), an IS auditor observes that a recently developed application is not included. The IS auditor should:
Answer options
- A. ensure that the criticality of the application is determined.
- B. include in the audit findings that the BCP is incomplete.
- C. recommend that the application be incorporated in the BCP.
- D. ignore the observation as the application is not mission critical.
Correct answer: A
Explanation
The correct answer is A because determining the criticality of the application is essential to understanding its impact on business operations and whether it should be included in the BCP. Option B is incorrect because simply noting that the BCP is incomplete does not address the need to assess the application's importance. Option C, while logical, is premature without first understanding the application's criticality. Option D is also wrong because dismissing the observation could mean that potential risks to the organization are overlooked.