Exam CISA
Question 458

Which of the following findings should be of MOST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

    Correct Answer: C

    An organization's business continuity plan (BCP) must be tested to ensure its effectiveness in a real-world scenario. The lack of tabletop exercises means there is no guarantee that the plan will work as intended during an actual disaster, making it a significant concern. A plan that is untested can leave the organization vulnerable during an emergency, as potential weaknesses and gaps would remain unidentified and unaddressed.

Discussion
Mark_1 Option: C

In this scenario there's an existing BCP. That rules out option B, as no such plan would exist without being approved in the first place. Option A could be fixed by ensuring that the plan is updated each time a change to operations is implemented, such as addressing any new risks or cyber threats etc. Option D can't be considered because only the members of the Business Continuity Management team are privy to the plan (including making sure that the BCP plans align with the company's objectives etc.). The option that should be of most concern to the Auditor is Option C. An untested plan is just as bad as having no plan at all. Without testing, there's no guarantee that this approach would enable the company to recover from a disaster.

gomboragchaa Option: C

I think the correct answer is C.

ItsBananass Option: B

If the plan is not approved by Mang., do you have a BCP?

David_Hu Option: B

Should be B.

MunaM Option: B

Do you think answer is B?

Swallows Option: A

Regular updates to the BCP are essential to ensure its relevance and effectiveness in mitigating disruptions and maintaining business operations during emergencies. Without updates, the plan may lack critical information, fail to address new threats or vulnerabilities, and be unable to support the organization's recovery efforts effectively. While conducting tabletop exercises (option C) is important for testing the BCP and enhancing preparedness, the absence of updates to the plan represents a fundamental weakness that could undermine its overall effectiveness. Therefore, the finding that the plan has not been updated in several years should be of greater concern during an IS audit or review of a business continuity plan.

KAP2HURUF Option: C

Tabletop exercises are critical components of business continuity planning as they simulate various disaster scenarios and test the effectiveness of the BCP in response to those scenarios. Conducting tabletop exercises helps identify weaknesses, gaps, and areas for improvement in the plan, as well as assess the organization's readiness to respond to different types of disruptions. The absence of tabletop exercises suggests that the organization has not tested its BCP in a real-world scenario, leaving it unvalidated and potentially ineffective during an actual disaster or crisis situation. Therefore, this finding should be of the MOST concern to an IS auditor, as it indicates a significant deficiency in the organization's preparedness for business continuity.

MohamedAbdelaal Option: D

Why not D?