Certified Information Security Manager (CISM) — Question 1071

Which of the following should be the GREATEST concern for an information security manager when an annual audit reveals the organization's business continuity plan (BCP) has not been reviewed or updated in more than a year?

Answer options

• A. The organization may suffer reputational damage for not following industry best practices.
• B. The audit finding may impact the overall risk rating of the organization.
• C. An outdated BCP may result in less efficient recovery if an actual incident occurs.
• D. The lack of updates to the BCP may result in noncompliance with internal policies.

Correct answer: C

Explanation

The correct answer is C because an outdated BCP can hinder the organization's ability to respond effectively during an incident, leading to prolonged recovery times. While options A, B, and D highlight valid concerns, they do not directly address the immediate operational impact that an outdated BCP would have during an actual event.