During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that not all critical systems are covered. What should the auditor do NEXT?
During an audit of a disaster recovery plan (DRP) where critical systems are not covered, the next step should be to verify whether the systems are part of the business impact analysis (BIA). The BIA identifies all critical systems and their importance to the organization. By cross-referencing the systems with the BIA, the auditor can determine if the identified gaps result from an oversight in the DRP or if those systems were incorrectly deemed non-critical. This step provides a basis for understanding and addressing any discrepancies before evaluating the impact or escalating the issue.
I think it's A
The question is about "to do NEXT". First he should verify if the systems are in the BIA, then evaluate the impact of not including them in the DRP.
While evaluating the impact of not covering the systems (option A) is also important, verifying their inclusion in the BIA is a more direct way to identify any discrepancies or oversights in the planning process. It helps the auditor understand the context behind the absence of these systems in the DRP and guides further actions to address the deficiencies in the planning process.
If with D. the question is obviously open as to whether the systems in question were taken into account in the business impact analysis that had already been carried out, but were then not included in the DRP for whatever reason. Only then does it make sense to use A. to complete the last, possibly incomplete, business impact analysis. So D. is the next step.
How will an Auditor just proceed to assess impact? The Auditor should first seek further evidence like the BIA conducted to ascertain the asset/Business process coverage.
The BIA identifies critical systems and their importance to the organization. By cross-referencing the systems with the BIA, the auditor can assess the significance of the gaps in coverage. Confirm first if already documented in the BIA instead of evaluating immediately.
BIA. It's an important part of DRP.