With respect to business continuity strategies, an IS auditor interviews key stakeholders in an
organization to determine whether they understand their roles and responsibilities. The IS auditor
is attempting to evaluate the:
clarity and simplicity of the business continuity plans.
adequacy of the business continuity plans.
effectiveness of the business continuity plans.
ability of IS and end-user personnel to respond effectively in emergencies.
The IS auditor should interview key stakeholders to evaluate how well they understand their roles
and responsibilities. When all stakeholders have a detailed understanding of their roles and
responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to
be clear and simple. To evaluate adequacy, the IS auditor should review the plans and compare
them to appropriate standards. To evaluate effectiveness, the IS auditor should review the results
from previous tests. This is the best determination for the evaluation of effectiveness. An
understanding of roles and responsibilities by key stakeholders will assist in ensuring the business
continuity plan is effective. To evaluate the response, the IS auditor should review results of
continuity tests. This will provide the IS auditor with assurance that target and recovery times are
met. Emergency procedures and employee training need to be reviewed to determine whether the
organization has implemented plans that allow for an effective response.