CISA Exam - Question 780

I think It's C.

One of the key components of a DRP is assessing and quantifying risk. This involves identifying potential threats and vulnerabilities to the organization's critical systems and data, evaluating the likelihood and potential impact of these threats, and determining appropriate risk mitigation strategies. The risk assessment process should involve all relevant stakeholders, including IT staff, business leaders, and other key personnel. The assessment should consider a range of potential threats, including natural disasters, cyber attacks, power outages, and other disruptions. Once the risks have been identified and assessed, the organization can develop appropriate risk mitigation strategies, including backup and recovery procedures, redundant systems and data storage, and other measures to minimize the impact of a disaster

C. Obtaining replacement supplies is a key aspect that should be included in a disaster recovery plan

Risk assessment and quantification should be done as a BCP, not a DRP; the DRP should plan and train procedures for obtaining replacement supplies for disaster recovery.

I'll correct the answer. While option C (obtaining replacement supplies) might be relevant in certain types of disasters (such as natural disasters that damage physical infrastructure), it is not as fundamental to a disaster recovery plan as assessing and quantifying risk. Risk assessment forms the foundation for determining the scope, priorities, and strategies of the DRP. Therefore, including steps for assessing and quantifying risk (option D) is a critical component of a comprehensive Disaster Recovery Plan (DRP).