Which of the following issues should be the GREATEST concern to the IS auditor when reviewing
an IT disaster recovery test?

A. Due to the limited test time window, only the most essential systems were tested. The other systems
were tested separately during the rest of the year.

B. During the test it was noticed that some of the backup systems were defective or not working,
causing the test of these systems to fail.

C. The procedures to shut down and secure the original production site before starting the backup site
required far more time than planned.

D. Every year, the same employees perform the test. The recovery plan documents are not used since
every step is well known by all participants.

A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the
plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely
on key staff, since a disaster can occur when they are not available. It is common that not all systems
can be tested in a limited test time frame. It is important, however, that those systems which are
essential to the business are tested, and that the other systems are eventually tested throughout
the year. One aim of the test is to identify and replace defective devices so that all systems can be
replaced in the case of a disaster. Choice B would only be a concern if the number of discovered
problems is systematically very high. In a real disaster, there is no need for a clean shutdown of
the original production environment, since the first priority is to bring the backup site up.

