During a business continuity audit an IS auditor found that the business continuity plan (BCP)
covered only critical processes. The IS auditor should:
recommend that the BCP cover all business processes.
assess the impact of the processes not covered.
report the findings to the IT manager.
redefine critical processes.
The business impact analysis needs to be either updated or revisited to assess the risk of not
covering all processes in the plan. It is possible that the cost of including all processes might exceed
the value of those processes; therefore, they should not be covered. An IS auditor should
substantiate this by analyzing the risk.