IT Examiner School eBook May 2025

Procedure 4
Determine whether adequate business impact analyses for all business functions and risk assessments have been completed. Consider the following:

• Input from all integral groups (e.g., business line management, risk management, IT, facilities management, and audit) and comprehensiveness of management's review
• Identification of critical business functions and interdependencies across business units
• Prioritization of processes, systems, and applications for recovery
• Analysis of reasonably foreseeable disruptive events, including:
    • natural events (e.g., fires, floods, severe weather)
    • technical events (e.g., communication or power failure)
    • malicious events (e.g., fraud, theft, cyber-attacks)
    • international events (e.g., political instability, economic disruptions), and
    • low likelihood/high impact events (e.g., terrorist acts, pandemics)
• Reasonableness of key recovery metrics, such as allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), and costs associated with downtime
• Inclusion of IT services provided by third-party service providers and vendors in the business impact analyses/risk assessments

Click here to enter comments

Control Test
Review a sample of business impact analyses and risk assessments.

Enter Control Test notes here, if performed

Procedure 5
Evaluate the adequacy of the business continuity plan. Consider the following:

• Authorities, responsibilities, and relocation strategies
• Communication protocols, event management, and business continuity
• Incident response, disaster recovery, and crisis (emergency) management
• Liquidity concerns before and after an adverse event
• Alternatives for payment systems, facilities and infrastructure, data center(s), and branch relocation during a disaster

Click here to enter comments

Procedure 6
Determine whether the business continuity process includes appropriate recovery operations at the backup location. Consider the following:

• Remote access connectivity
• Geographic diversity between the backup site and the primary location
• Adequacy of backup site hardware, including capacity and compatibility
• Sufficient processing time for the anticipated workload based on emergency priorities

Click here to enter comments
