A BCP that has not been updated in several years presents the greatest risk because the organization's business environment, technology infrastructure, and potential threats (e.g., cyber risks, regulatory changes, or operational processes) likely have evolved since the last update. An outdated plan may no longer be relevant or effective in responding to current risks or disasters. The primary purpose of a BCP is to ensure the organization can continue operating or recover quickly in the event of a disruption, so it is essential that the plan reflects the latest information, resources, and strategies.
Regular updates to the BCP are essential to ensure its relevance and effectiveness in mitigating disruptions and maintaining business operations during emergencies. Without updates, the plan may lack critical information, fail to address new threats or vulnerabilities, and be unable to support the organization's recovery efforts effectively.
While conducting tabletop exercises (option C) is important for testing the BCP and enhancing preparedness, the absence of updates to the plan represents a fundamental weakness that could undermine its overall effectiveness. Therefore, the finding that the plan has not been updated in several years should be of greater concern during an IS audit or review of a business continuity plan.
Tabletop exercises are critical components of business continuity planning as they simulate various disaster scenarios and test the effectiveness of the BCP in response to those scenarios. Conducting tabletop exercises helps identify weaknesses, gaps, and areas for improvement in the plan, as well as assess the organization's readiness to respond to different types of disruptions. The absence of tabletop exercises suggests that the organization has not tested its BCP in a real-world scenario, leaving it unvalidated and potentially ineffective during an actual disaster or crisis situation. Therefore, this finding should be of the MOST concern to an IS auditor, as it indicates a significant deficiency in the organization's preparedness for business continuity.
In this scenario there's an existing BCP. That rules out option B, as no such plan would exist without being approved in the first place.
Option A could be fixed by ensuring that the plan is updated each time a change to operations is implemented, such as addressing any new risks or cyber threats, etc.
Option D can't be considered because only the members of the Business Continuity Management team are privy to the plan (including making sure that the BCP plans align with the company's objectives, etc.).
The option that should be of most concern to the Auditor is Option C. An untested plan is just as bad as having no plan at all. Without testing, there's no guarantee that this approach would enable the company to recover from a disaster.