CISA Certified Information Systems Auditor – Question 1707
An IS auditor reviewing an organization's IS disaster recovery plan should verify that it is:

A. tested every six months.
B. regularly reviewed and updated.
C. approved by the chief executive officer (CEO).
D. communicated to every department head in the organization.
Correct Answer: B
Explanation:
The plan should be reviewed at appropriate intervals, depending upon the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effective. The plan must be subjected to regular testing, but the period between tests will again depend on the nature of the organization and the relative importance of IS. Three months or even annually may be appropriate in different circumstances. Although the disaster recovery plan should receive the approval of senior management, it need not be the CEO if another executive officer is equally or more appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. Similarly, although a business continuity plan is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document and only relevant to IS and communications staff.