Certified Information Security Manager (CISM) — Question 822
Which of the following is MOST helpful in determining the criticality of an organization's business functions?
Answer options
- A. Disaster recovery plan (DRP)
- B. Business continuity plan (BCP)
- C. Security assessment report (SAR)
- D. Business impact analysis (BIA)
Correct answer: D
Explanation
The Business Impact Analysis (BIA) identifies and evaluates the potential effects of disruptions on business operations, which makes it the most helpful input for determining the criticality of business functions. The Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) are important for recovery and continuity strategies, but they do not directly assess the criticality of functions. The Security Assessment Report (SAR) focuses on security vulnerabilities, which are not the primary concern when determining the importance of business functions.