Certified Information Systems Auditor (CISA) — Question 989
An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?
Answer options
- A. Assess the risk to operations from the closing of the plant.
- B. Determine whether the business impact analysis (BIA) is current with the organization's structure and context.
- C. Perform testing to determine the impact to the recovery time objective (RTO).
- D. Determine the types of technologies used at the plant and how they may affect the BCP.
Correct answer: B
Explanation
The best course of action is to determine whether the business impact analysis (BIA) is current with the organization's structure and context, because doing so ensures that the BCP reflects the latest operational realities. Assessing risks from the plant closure, testing RTO impacts, and identifying technologies, while important, do not address the immediate need to align the BIA with the current organizational changes.