Certified in Risk and Information Systems Control (CRISC) — Question 101

When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

Answer options

• A. BCP is often tested using the walkthrough method
• B. BCP testing is not in conjunction with the disaster recovery plan (DRP)
• C. Each business location has separate, inconsistent BCPs
• D. Recovery time objectives (RTOs) do not meet business requirements

Correct answer: D

Explanation

Option D is correct because if the Recovery Time Objectives (RTOs) do not align with the business requirements, the organization may not be able to recover within a timeframe that is acceptable, leading to significant losses. Options A, B, and C describe issues that are important but are not as critical as having RTOs that fail to meet the necessary business standards.