Certified in Risk and Information Systems Control (CRISC) — Question 276

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Answer options

• A. Invoke the disaster recovery plan (DRP) during an incident
• B. Reduce the recovery time by strengthening the response team
• C. Prepare a cost-benefit analysis of alternatives available
• D. Implement redundant infrastructure for the application

Correct answer: C

Explanation

The correct answer is C because preparing a cost-benefit analysis helps identify feasible alternatives to meet the application's acceptable downtime. Options A and D may address the issue but do not directly solve the mismatch between downtime expectations and recovery capabilities. Option B, while potentially helpful, does not provide a comprehensive solution without evaluating the costs and benefits of the options.