Certified in Risk and Information Systems Control (CRISC) — Question 162

A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?

Answer options

• A. Identify what additional controls are needed
• B. Update the business impact analysis (BIA)
• C. Prioritize issues noted during the testing window
• D. Communicate test results to management

Correct answer: D

Explanation

The correct answer is D, as communicating test results to management is crucial for transparency and can lead to necessary changes in strategy. While identifying additional controls, updating the BIA, and prioritizing issues are important, they are subsequent actions that depend on management being informed first.