Certified in Risk and Information Systems Control (CRISC) — Question 1307

Which of the following should be of GREATEST concern to a risk practitioner reviewing an organization’s disaster recovery plan (DRP)?

Answer options

• A. Risk scenarios used for the plan were last tested two years ago.
• B. The call list in the plan was last updated a year ago.
• C. The disaster recovery plan (DRP) does not identify a hot site.
• D. The IT steering committee determined the application recovery priorities.

Correct answer: C

Explanation

The absence of a hot site in the disaster recovery plan (DRP) is a significant concern because it means there is no immediate backup location to restore operations quickly after a disaster. While the other options indicate potential issues, they do not pose as critical a risk to the organization's ability to recover effectively as the lack of a hot site does.