A financial services organization is developing and documenting business continuity measures. In which of the
following cases would an IS auditor MOST likely raise an issue?
A. The organization uses good practice guidelines instead of industry standards and relies on external advisors
to ensure the adequacy of the methodology.
B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe
events that might happen with a reasonable probability.
C. The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as
personnel or system dependencies during the recovery phase.
D. The organization plans to rent a shared alternate site with emergency workplaces which has only enough
room for half of the normal staff.
Explanation:
It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to
plan and document actions for every possible scenario. Planning for just selected scenarios denies the fact that
even improbable events can cause an organization to break down. Best practice planning addresses the four
possible areas of impact in a disaster: premises, people, systems, and suppliers and other dependencies. All
scenarios can be reduced to these four categories and can be handled simultaneously. There are very few
special scenarios which justify an additional separate analysis. It is a good idea to use best practices and
external advice for such an important topic, especially since knowledge of the right level of preparedness and
the judgment about adequacy of the measures taken is not available in every organization. The recovery time
objectives (RTOs) are based on the essential business processes required to ensure the organization’s
survival; therefore, it would be inappropriate for them to be based on IT capabilities. Best practice guidelines
recommend having 20%-40% of normal capacity available at an emergency site; therefore, a value of 50%
would not be a problem if there are no additional factors.