Certified Information Security Manager (CISM) — Question 815

An organization is planning to outsource the execution of its disaster recovery activities. Which of the following would be MOST important to include in the outsourcing agreement?

Answer options

• A. Requirements for regularly testing backups
• B. The disaster recovery communication plan
• C. Recovery time objectives (RTOs)
• D. Definition of when a disaster should be declared

Correct answer: C

Explanation

The correct answer is C because recovery time objectives (RTOs) are essential for determining how quickly services must be restored after a disaster. Options A and B, while important, focus on processes and communication rather than recovery timing, and D deals with the declaration of a disaster, which is less critical than ensuring timely recovery.