Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?
An IS auditor should be most concerned about the DRP not being updated since an IT infrastructure upgrade. An outdated disaster recovery plan may not account for changes in the IT environment, which could lead to ineffective recovery efforts in the event of a disaster. Ensuring that the DRP accurately reflects the current IT infrastructure is essential for maintaining the organization's ability to recover and continue operations during disruptive events.
It should be C as the DRP must be approved by senior management before it can be used to guide during a disaster.
I think it's D. The GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan is the absence of recovery procedures for critical systems other than just the critical servers. A comprehensive DRP should cover all critical systems and data to ensure effective business continuity and disaster recovery capabilities.
A DRP should cover not only critical servers but also critical business processes, applications, and data. Focusing only on critical servers may leave other important components of the organization vulnerable during a disaster. The adequacy of recovery procedures for critical business functions is crucial for business continuity.
D means the DRP was never adapted and has a gap in the scope. A means the DRP lost relevance over time, because the scope has not been adapted. So D is worst, because it never worked; A worked, but not anymore.
The DRP has not been formally approved by senior management - Formal approval is important for ensuring that the DRP is supported at the highest levels of the organization. However, the lack of approval does not necessarily mean the plan is ineffective, whereas an outdated plan is inherently flawed.
A: It raises concern if the plan is outdated.
While formal approval by senior management (option C) is also important for ensuring organizational support and commitment to the DRP, an outdated plan poses a more immediate risk as it may not accurately reflect the organization's current capabilities and requirements for disaster recovery. Therefore, ensuring that the DRP is updated following infrastructure changes should be of the greatest concern for an IS auditor.
While the formal approval of the DRP by senior management (option C) is important for governance and accountability, an outdated DRP poses a more immediate risk to the organization's ability to recover effectively from disasters. Senior management approval ensures commitment and support for the DRP, but an outdated plan undermines its operational effectiveness and reliability. Therefore, ensuring that the DRP has been updated since an IT infrastructure upgrade should be of the GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan.
I think if the DRP is not approved, then it is not enforceable. So testing does not matter for a plan which is not enforceable.