Certified Information Security Manager (CISM) — Question 845

Which of the following should an information security manager do FIRST when creating an organization's disaster recovery plan (DRP)?

Answer options

• A. Develop response and recovery strategies.
• B. Identify the response and recovery teams.
• C. Review the communications plan.
• D. Conduct a business impact analysis (BIA).

Correct answer: D

Explanation

The correct answer is D because conducting a business impact analysis (BIA) is essential to understand the potential effects of disruptions on the organization's operations. This foundational step informs all subsequent actions, such as developing strategies and identifying teams, making the other options less relevant as initial actions.