I think D. Enterprise Risk Assessment. Generally, a DRP is a subset of the BCP, so if the extended system outages were not addressed by the BCP, I would think that those scenarios have not been considered as a valid business risk. Hence, the IS Auditor might need to review the Enterprise risk assessment to investigate further.

Enterprise risk assessment: An enterprise risk assessment is a broad review of all potential risks facing an organization. While it is important for understanding the overall risk landscape, it is not as specific as the DRP in addressing the immediate concern of extended system outages.

B. Disaster recovery plan (DRP): (DRP) becomes particularly crucial. The DRP outlines specific procedures and protocols to recover IT systems and infrastructure after a disruptive event, such as extended system outages. Therefore, reviewing the DRP is essential to ensure that there are adequate strategies and measures in place to address such scenarios and minimize the impact on business operations.

May be B is right

let's reconsider the question. If the business continuity plan (BCP) does not address scenarios involving extended system outages, it implies a potential gap in risk management. In such a situation, reviewing the risk rating of business non-continuity (Option A) would indeed be crucial.

A disaster recovery plan (DRP) typically focuses on restoring IT infrastructure and systems after a disruption. If the BCP does not address scenarios involving extended system outages, it suggests a gap in continuity planning, particularly regarding IT systems. Reviewing the DRP is crucial to determine if it adequately addresses extended system outages and provides the necessary procedures and resources to recover IT systems within an acceptable timeframe.

Why not A?