• Add To Cart Try Demo Learn More
  • CertGear Product Features
  • Sign Up Today


Free CISA Certification Practice Questions:

You have recently been hired by a firm to assess an organization's recoverability in case of a disaster. You are in the process of reviewing the organization's disaster recovery plan. While reviewing the plan, you learned that the organization had contracted with an outside consulting firm to develop the recovery plan. Which of the following is the MOST appropriate action to take?

A) Review the plan to ensure that all mission-critical applications have been identified

B) Review the plan to ensure adequate input from the relevant business and IS personnel during plan development

C) Review the plan to ensure that the key decisions dictated by the consulting firm are appropriate for the organization

D) Review the plan to determine whether all aspects of the current processes are described in detail

E) Review the plan to determine whether the methodology used by the consulting firm was appropriate for the organization

  • [Ans: B]

  • As each organization is unique, a recovery plan should be tailored to an organization's specific needs and requirements. Adequate input from the relevant business and IS personnel during plan development is critical in order to identify and prioritize the business processes that are uniquely critical to the livelihood of the organization.

    A comprehensive evaluation of the environment must involve the input from senior management, end-users, key IS staff and should identify the following:

    1) The most critical business processes across the entire enterprise

    2) The maximum outage that a business process can sustain before it severely impacts the well-being of the company

    3) The financial, productivity and personal impacts of an extended business disruption

    4) An assessment of short-term business impacts and permanent business losses

    5) The priority of business process recovery

    Although ensuring that all mission critical applications are identified is an important aspect of the recovery plan, such a goal cannot be achieved without first ensuring that the key business and IS personnel are identified and involved during the recovery plan development.

    Reviewing the plan to determine whether all processes are described in detail is NOT appropriate. During a disaster, only mission-critical applications / systems will likely be recovered. Non-critical systems will be ignored. Hence, a recovery plan should not document all the processes in detail, but rather describe the procedures necessary to recover the mission-critical applications. Since many of the current processes may not be relevant during a disaster, documenting the un-necessary process may actually hinder and interfere with the recovery process.

    While reviewing the methodology used by the consulting firm may be relevant to the audit, it is NOT as important as ensuring that key IS personnel were involved during the plan development. Lastly, a consulting firm should NOT dictate key decisions during recovery planning. Instead, those who are intimately involved in the management and operations of the business, such as senior management and key IS staff, should be involved in the key decision making process. In fact, if a consulting firm was making key decisions on behalf of the organization, this would constitute a material weakness.

    References: http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bcp_toc.htm

BACK    |    NEXT