Certified Information Systems Auditor (CISA) — Question 85
Which of the following is the BEST way for an IS auditor to determine whether an organization’s disaster recovery plan (DRP) is current?
Answer options
- A. Review critical system documentation and related recovery time objectives (RTOs).
- B. Verify the DRP identifies appropriate staff with up-to-date contact details.
- C. Ensure all staff is trained on business continuity.
- D. Verify the DRP is periodically tested.
Correct answer: D
Explanation
The correct answer is D because regular testing of the DRP ensures that it is functional and up to date with the current organizational structure and threats. While the other options are important aspects of a DRP, they do not provide concrete evidence of the plan's effectiveness or current status the way periodic testing does.