Certified Information Systems Auditor (CISA) — Question 890

Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

Answer options

• A. The recovery plan does not contain the process and application dependencies.
• B. The duration of tabletop exercises is longer than the recovery point objective (RPO).
• C. The recovery point objective (RPO) and recovery time objective (RTO) are not the same.
• D. The duration of tabletop exercises is longer than the recovery time objective (RTO).

Correct answer: A

Explanation

The correct answer is A because understanding process and application dependencies is crucial for an effective recovery plan. Without this information, the organization may struggle to restore critical functions after a disruption. Options B, C, and D, while concerning, do not present as significant a risk to the overall effectiveness of the BCP as missing dependencies in the recovery plan.