Certified Information Security Manager (CISM) — Question 357

When performing a business impact analysis (BIA), who should calculate the recovery time and cost estimates?

Answer options

• A. Business process owner
• B. Business continuity coordinator
• C. Information security manager
• D. Senior management

Correct answer: A

Explanation

The business process owner is best positioned to calculate recovery time and cost estimates because they have a deep understanding of the processes and their criticality to the business. The business continuity coordinator may assist but does not have the same level of insight into specific processes. The information security manager focuses more on the security aspects rather than operational recovery, and senior management typically makes strategic decisions rather than detailed operational assessments.