Which of the following should be of GREATEST concern to an IS auditor reviewing a report of an unsuccessful disaster recovery test?
Which of the following should be of GREATEST concern to an IS auditor reviewing a report of an unsuccessful disaster recovery test?
The disaster recovery procedures not being up to date should be of greatest concern to an IS auditor. Updated procedures are fundamental as they ensure the plan aligns with current business processes, technologies, and threat landscapes. Without up-to-date procedures, even a well-executed recovery test could fail due to steps or information being obsolete, leading to an ineffective response in the event of an actual disaster.
A. A root cause analysis was not performed. When a disaster recovery test fails, it's crucial to conduct a root cause analysis to understand why the test was unsuccessful.
C is right.
Answer A while the lack of up-to-date disaster recovery procedures (option C) is a concern, addressing the root causes of the unsuccessful test (option A) takes precedence as the GREATEST concern for an IS auditor to ensure that future disaster recovery tests are successful and the organization's resilience to disruptions is strengthened.
The absence of a root cause analysis poses a greater risk as it may indicate systemic issues that need to be addressed to improve the effectiveness of the disaster recovery program. Therefore, option A is likely of greatest concern to an IS auditor reviewing a report of an unsuccessful disaster recovery test.