CISA Certified Information Systems Auditor – Question1734

Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?

A.
Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
B. During the test it was noticed that some of the backup systems were defective or not working, causing the test of these systems to fail.
C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
D. Every year, the same employees perform the test. The recovery plan documents are not used since every step is well known by all participants.

Correct Answer: D

Explanation:

Explanation:
A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff since a disaster can occur when they are not available. It is common that not all systems can be tested in a limited test time frame. It is important, however, that those systems which are essential to the business are tested, and that the other systems are eventually tested throughout the year. One aim of the test is to identify and replace defective devices so that all systems can be replaced in the case of a disaster. Choice B would only be a concern if the number of discovered problems is systematically very high, in a real disaster, there is no need for a clean shutdown of the original production environment since the first priority is to bring the backup site up.