Certified Information Systems Auditor (CISA) — Question 883
An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?
Answer options
- A. The organization may be locked into an unfavorable contract with the vendor.
- B. The organization may not be allowed to inspect the vendor's data center.
- C. The vendor may be unable to restore critical data.
- D. The vendor may be unable to restore data by recovery time objective (RTO) requirements.
Correct answer: C
Explanation
The correct answer is C because if a vendor cannot restore critical data, it directly jeopardizes the organization's ability to recover from data loss incidents. Unfavorable contracts and limited inspection rights are concerns, but they do not pose the immediate risk to data availability that an inability to restore essential data does. Meeting RTO requirements is also crucial, but without the capability to restore data at all, the RTO becomes irrelevant.