During a business continuity audit an IS auditor found that the business continuity plan (BCP) covered only
critical processes. The IS auditor should:
A.
recommend that the BCP cover all business processes.
B.
assess the impact of the processes not covered.
C.
report the findings to the IT manager.
D.
redefine critical processes.
Explanation:
The business impact analysis needs to be either updated or revisited to assess the risk of not covering all
processes in the plan. It is possible that the cost of including all processes might exceed the value of those
processes; therefore, they should not be covered. An IS auditor should substantiate this by analyzing the risk.