A financial services organization is developing and documenting business continuity measures. In
which of the following cases would an IS auditor MOST likely raise an issue?
The organization uses good practice guidelines instead of industry standards and relies on external
advisors to ensure the adequacy of the methodology.
The business continuity capabilities are planned around a carefully selected set of scenarios which
describe events that might happen with a reasonable probability.
The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such
as personnel or system dependencies during the recovery phase.
The organization plans to rent a shared alternate site with emergency workplaces which has only
enough room for half of the normal staff.
It is a common mistake to use scenario planning for business continuity. The problem is that it is
impossible to plan and document actions for every possible scenario. Planning for just selected
scenarios denies the fact that even improbable events can cause an organization to break down.
Best practice planning addresses the four possible areas of impact in a disaster: premises, people,
systems, and suppliers and other dependencies. All scenarios can be reduced to these four
categories and can be handled simultaneously. There are very few special scenarios which justify
an additional separate analysis, it is a good idea to use best practices and external advice for such
an important topic, especially since knowledge of the right level of preparedness and the judgment
about adequacy of the measures taken is not available in every organization. The recovery time
objectives (RTOs) are based on the essential business processes required to ensure the
organization’s survival, therefore it would be inappropriate for them to be based on IT capabilities.
Best practice guidelines recommend having 20%-40% of normal capacity available at an
emergency site; therefore, a value of 50% would not be a problem if there are no additional factors.