CISA Certified Information Systems Auditor – Question0409

An IS auditor is performing a business continuity plan (BCP) audit and identifies that the plan has not been tested for five years. However, the plan was successfully activated during a recent extended power outage. Which of the following is the IS auditor’s BEST course of action?

A.
Determine if lessons learned from the activation were incorporated into the plan.
B. Determine if the business impact analysis (BIA) is still accurate.
C. Determine if a follow-up BCP audit is required to identify future gaps.
D. Determine if the annual BCP training program is in need of a review.

Correct Answer: C