CISA Certified Information Systems Auditor – Question 1750

During a business continuity audit, an IS auditor found that the business continuity plan (BCP) covers only critical processes. The IS auditor should:

A. recommend that the BCP cover all business processes.
B. assess the impact of the processes not covered.
C. report the findings to the IT manager.
D. redefine the critical processes.

Correct Answer: B

Explanation:
The business impact analysis needs to be either updated or revisited to assess the risk of not covering all processes in the plan. It is possible that the cost of including all processes might exceed the value of those processes; therefore, they should not be covered. An IS auditor should substantiate this by analyzing the risk.