An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?
An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?
When an organization undergoes significant changes in its structure affecting business processes, it is crucial to update the business impact analysis (BIA) promptly. The BIA identifies critical business processes and the potential impact of disruptions. Conducting the BIA two years before the reorganization means that the analysis may no longer reflect the current organizational requirements, vulnerabilities, and priorities. An outdated BIA can lead to an ineffective or misaligned business continuity plan, which should be the auditor's greatest concern.
BCP should be reevaluated where significant impact is found (Since significant imapct is found on critical business process, we assume BIA has been done). If test plans are older (before reorg) that means that no testing has been done even after the reorg.. So c could be right
B. The most recent business impact analysis (BIA) was performed two years before the reorganization.
Answer could be A
I would go with B
D. Key business process end users did not participate in the business impact analysis (BIA)
B. The most recent business impact analysis (BIA) was performed two years before the reorganization
BCP testing would determine if the current BCP is still relevant, if not then update should be performed on the BCP which will then involve additional BIA within the process
Ignore above, it says test plan, not actual testing. So the correct answer is B. BIA should be performed after significant change in business process as a result of reorganization to help determine if current critical business processes.
I chose B
During a change in organizational structure with significant impacts on business processes, it's essential to ensure that all relevant personnel have access to the updated BCP. Failure to distribute the plan to new business unit end users could result in a lack of awareness of their roles and responsibilities during disruptions, potentially leading to confusion and inefficiencies during recovery efforts.
I choose D. Option B - BCP still be relevant to some extent, Option D - makes the BCP not relevant, adequate and complete which is a greatest risk. Option C - BCP plan may be adequate to some extent.
B is correct