Certified Information Security Manager (CISM) — Question 522

When performing a business impact analysis (BIA), who should be responsible for determining the initial recovery time objective (RTO)?

Answer options

• A. Information security manager
• B. External consultant
• C. Business continuity coordinator
• D. Information owner

Correct answer: D

Explanation

The information owner is the correct choice because they have the best understanding of the criticality of the data and systems, which informs the recovery time objective. The other roles, while important, typically do not have the same level of insight into specific data requirements and priorities that an information owner possesses.