CISA QUESTION #6827
Question 1
In evaluating an organization's business continuity plan, an auditor finds that the Recovery Time Objective (RTO) is 4 hours but current recovery capabilities require 12 hours. What should be the auditor's PRIMARY recommendation?
  • Update the BCP document to reflect 12-hour RTO
  • Assess the gap between RTO requirement and actual capability then develop remediation plan✔️
  • Reduce RTO to 2 hours
  • Cancel the BCP
Correct Answer Explanation
When a gap exists between required and actual recovery capabilities, the organization faces unmitigated risk. The auditor should highlight this gap and recommend analysis of whether to: improve capabilities to meet the 4-hour RTO, accept the risk of longer recovery, or adjust business requirements. Simply updating documentation without addressing the gap provides no risk reduction.