CISA Certified Information Systems Auditor – Question 1769

An organization has outsourced its wide area network (WAN) to a third-party service provider. Under these circumstances, which of the following is the PRIMARY task the IS auditor should perform during an audit of business continuity (BCP) and disaster recovery planning (DRP)?

A. Review whether the service provider's BCP process is aligned with the organization's BCP and contractual obligations.
B. Review whether the service level agreement (SLA) contains a penalty clause in case of failure to meet the level of service in case of a disaster.
C. Review the methodology adopted by the organization in choosing the service provider.
D. Review the accreditation of the third-party service provider's staff.

Correct Answer: A

Explanation:
Reviewing whether the service provider’s business continuity plan (BCP) process is aligned with the organization’s BCP and contractual obligations is the correct answer, since an adverse effect or disruption to the business of the service provider has a direct bearing on the organization and its customers. Reviewing whether the service level agreement (SLA) contains a penalty clause for failure to meet the level of service in case of a disaster is not the correct answer: the presence of penalty clauses, although an essential element of an SLA, is not a primary concern.
Choices C and D are possible concerns, but of lesser importance.