I went to the CISA review manual to solve this, and the main concern should be the lack of testing.
First: Senior management creates a "business continuity policy" (Ref: Review Manual 27th edition 4.15.4). In general, senior management makes policies, and the plebs below make plans and procedures. Therefore a business continuity plan is not necessarily senior management approved.
Furthermore there is a passage in the review manual (4.15.11) regarding auditing business continuity. The passage does not really mention senior management, but it does mention plan testing and obtaining historical results of tests during an audit.
Approval by Senior Management: The approval of the BCP by senior management is a fundamental step in ensuring that the BCP is considered a valid and authoritative document within the organization. Without senior management's buy-in and approval, it may not receive the necessary resources and attention it requires for effective implementation.
While the other issues mentioned (A, B, and C) are important and should also be addressed, the lack of senior management approval can indicate a more significant problem with the BCP's overall effectiveness and organizational commitment to business continuity planning. This oversight may result in inadequate support, testing, or maintenance of the BCP, ultimately reducing its ability to ensure business continuity during disruptions.
The answer is A: the BCP will not be of use or effective if it is not tested. The remaining three answers are vital, but the most effective control for a BCP is to test and confirm whether the plan is working or not.
Lack of senior management approval is the greatest concern because it implies that the BCP might not have the necessary authority, visibility, or funding. Approval by senior management ensures that the plan is officially recognized and supported at the highest levels, which is critical for effective implementation and prioritization during a crisis.
Comparisons:
A. Not tested – This is very serious, as untested plans may not work as expected. However, a plan with no approval might not even be implemented at all, making this a secondary concern.
B. Not version-controlled – This is a procedural issue that can lead to confusion, but it doesn’t invalidate the plan’s authority or effectiveness as severely as lack of approval.
C. Outdated contact information – While this can delay response efforts, it is a minor, easily fixable issue compared to structural concerns like lack of approval or testing.
The correct answer is A.
The BCP has not been tested since it was first issued.
A business continuity plan (BCP) is only effective if it has been properly tested to ensure that the organization can recover from disruptions. If the BCP has never been tested, the organization may not be aware of gaps, inefficiencies, or failures in the plan, which could severely impact its ability to recover during a crisis. Testing is crucial to verify the plan’s effectiveness and readiness.
When an IS auditor is reviewing an organization's Business Continuity Plan (BCP), the greatest concern should be the effectiveness and clarity of the recovery strategies and procedures. Specifically, the auditor would focus on
The correct answer is:
D. The BCP has not been approved by senior management.
Explanation:
A Business Continuity Plan (BCP) is critical for ensuring that an organization can continue operations during and after a disruption. The lack of senior management approval is the most significant concern because:
Governance & Authority – Without senior management approval, the BCP may lack legitimacy, authority, and organizational commitment.
Resource Allocation – Approval ensures that necessary resources (budget, personnel, technology) are allocated for business continuity efforts.
Accountability & Enforcement – Senior management's endorsement reinforces compliance with regulatory requirements and internal policies.
This is because a BCP that has not been tested is unproven and may not be effective in an actual disaster or business interruption scenario. Testing is essential to identify gaps, ensure that all components of the plan work as intended, and that staff are familiar with their roles in the event of an incident. Without testing, there is no assurance that the BCP will function correctly, which poses a significant risk to the organization's ability to recover from an incident.
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters (name, when posted):
GenPatton (Highly Voted): 1 year, 9 months ago
AbdulQadirKhan (Highly Voted): 1 year, 8 months ago
Royninasky (Most Recent): 3 days, 3 hours ago
Masego08: 4 days, 23 hours ago
Senmic: 5 days, 20 hours ago
laurenpail: 1 week, 1 day ago
Greens: 2 weeks, 3 days ago
shonwadmare: 2 weeks, 5 days ago
Sankeshk: 1 month ago
Haqqan: 1 month, 3 weeks ago
shanreka: 1 month, 4 weeks ago
CCNPWILL: 2 months, 1 week ago
Vinsystraining: 3 months, 3 weeks ago
SalemAlomari: 3 months, 4 weeks ago
transf0rmer: 4 months ago
Rasaki: 7 months ago
KAP2HURUF: 9 months, 2 weeks ago
Examtopicsn: 9 months, 1 week ago