The tricky GOTCHA point here to notice is the "or less frequently" part of C. Regulation requires NO MORE THAN 12 months (1 year), so C can't be correct. D is the BEST (and most annoying CISSP-style) answer.
In the Book, the following is written: "The plan must be tested periodically to determine whether the plan to restore is actually operational, and personnel should be trained to take the actions required. Although dependent on the industry and regulatory requirements, testing should be performed no less than annually."
According to the CISSP Common Body of Knowledge (CBK), there is no specific minimum frequency stipulated for testing a disaster recovery plan (DRP). However, it is recommended that DRPs should be tested regularly to ensure that they are effective and up-to-date. The frequency of testing should be based on the organization's business requirements, the stability of the environment, and the advice of the information security manager.
There are several industry standards and regulations that provide guidance on DRP testing frequency. For example, the National Institute of Standards and Technology (NIST) recommends that DRPs should be tested at least annually. The Payment Card Industry Data Security Standard (PCI DSS) requires annual testing of DRPs as well. However, these are only recommendations and actual testing frequency may vary depending on the organization's needs and risk appetite.
Therefore, the answer is "B".
Everything in CISSP land goes back to risk tolerance and risk management. So everything is relative to risk and there is no static minimum or maximum answer for a question like this.
Looking at the question, the main crux is asking the MINIMUM based on the below.
C is out as per the words "or less" than per annum, as this is against CISSP recommendation.
The rest are all higher than D, so choose the minimum frequency answer along with the best answer.
Correct answer B:
Audit requirements and fiscal alignment don't drive DR testing. Business requirements do (as long as it meets at least once a year). In many aspects of CISSP (Risk, BCP, DR etc etc), business requirements drive the decisions.
I am thinking B.
"While there is no one standard for how often you should test your DRP and BCP, you should generally conduct functional disaster recovery testing at least once per year."
https://www.eccouncil.org/cybersecurity-exchange/disaster-recovery/test-disaster-recovery-plan/#:~:text=While%20there%20is%20no%20one,at%20least%20once%20per%20year.
C says annually or less frequently, but that "less frequently" is wrong.
NIST SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems:
"The frequency of testing should be determined by the criticality and volatility of the system, and the DR plan should be updated as necessary to reflect changes in the system and its environment."
DRI International Professional Practices for Business Continuity Management:
"The frequency of testing should be determined by the criticality of the process, the complexity of the recovery, and the frequency of change to the process or supporting technology. The frequency of testing should be sufficient to ensure that the plan remains effective and relevant in addressing potential disasters."