Certified Information Security Manager (CISM) — Question 328
An information security manager of an e-commerce business is reviewing the results of a business continuity plan (BCP) review. Which of the following findings should be the MOST immediate concern?
Answer options
- A. The cost of a recent recovery test exceeded budget expectations.
- B. The annual business impact analysis (BIA) has been delayed.
- C. The business continuity plan (BCP) has not been recently tested.
- D. The recovery time objective (RTO) was not met during a recent power outage.
Correct answer: D
Explanation
The correct answer is D: failing to meet the recovery time objective (RTO) during a power outage indicates a critical failure in the BCP's effectiveness, which could severely affect business operations. Option A is a budget concern, option B is a timing issue that is less urgent, and option C, while concerning, does not present an immediate operational threat as option D does.