Certified Information Systems Auditor (CISA) — Question 574

Which of the following should an IS auditor review FIRST during the audit of an organization's business continuity plan (BCP)?

Answer options

• A. System recovery time objectives (RTOs)
• B. List of critical business processes
• C. System recovery manuals and documentation
• D. Frequency of business database replication

Correct answer: B

Explanation

The auditor should review the List of critical business processes first because it provides an understanding of which functions are essential for the organization’s operation. The other options, while important, depend on understanding the critical processes to ensure effective recovery strategies are in place.