Certified Information Security Manager (CISM) — Question 919

Which of the following processes should be done NEXT after completing a business impact analysis (BIA)?

Answer options

• A. Evaluate the disaster recovery plan (DRP).
• B. Develop the requirements for the incident response plan.
• C. Develop a business continuity plan (BCP).
• D. Identify resources for business recovery.

Correct answer: C

Explanation

The correct answer is C because after conducting a business impact analysis, the next logical step is to develop a business continuity plan (BCP) that outlines how to maintain operations during a disruption. The other options, while important, either come after the BCP is established or are part of different planning processes.