Which of the following should be of MOST concern to an IS auditor reviewing the BCP?
The disaster levels are based on scopes of damaged functions, but not on duration.
The difference between low-level disaster and software incidents is not clear.
The overall BCP is documented, but detailed recovery steps are not specified.
The responsibility for declaring a disaster is not identified.
If nobody declares the disaster, the response and recovery plan would not be invoked, making all
other concerns moot. Although failure to consider duration could be a problem, it is not as significant
as scope, and neither is as critical as the need to have someone invoke the plan. The difference
between incidents and low-level disasters is always unclear and frequently revolves around the
amount of time required to correct the damage. The lack of detailed steps should be documented,
but their absence does not mean a lack of recovery, if in fact someone has invoked the plan.