Certified Information Systems Auditor (CISA) — Question 919

Which of the following is MOST important for an IS auditor to review when an audit identifies that the business continuity plan (BCP) does not address scenarios involving extended system outages?

Answer options

• A. Risk rating of business non-continuity
• B. Disaster recovery plan (DRP)
• C. Historical incidents resulting in extended system outages
• D. Enterprise risk assessment

Correct answer: B

Explanation

The Disaster Recovery Plan (DRP) is crucial as it outlines the steps to recover from significant outages, addressing the gaps identified in the BCP. While the risk rating, historical incidents, and enterprise risk assessment provide context, they do not directly offer the actionable recovery strategies needed to manage extended outages effectively.