
CISM Question #111: Real Exam Question with Answer & Explanation

The correct answer is C: a business impact analysis (BIA). The resilience requirements of an application are best determined by a business impact analysis (BIA), which identifies critical functions and their recovery time objectives (RTO) and recovery point objectives (RPO).

Submitted by priya_blr · Apr 18, 2026 · Information Security Risk Management

Question

The resilience requirements of an application are BEST determined by:

Options

  • A. a cost-benefit analysis.
  • B. a threat assessment.
  • C. a business impact analysis (BIA).
  • D. a risk assessment.

Explanation

The resilience requirements of an application are best determined by a business impact analysis (BIA), which identifies critical functions and their recovery time objectives (RTO) and recovery point objectives (RPO).

Common mistakes

  • A. A cost-benefit analysis helps justify investments but doesn't primarily define the technical requirements for resilience.
  • B. A threat assessment identifies potential threats but doesn't quantify the business impact or recovery objectives associated with application downtime or data loss.
  • D. A risk assessment identifies risks and their likelihood/impact, but a BIA specifically focuses on the impact of disruptions to business functions, which directly informs resilience requirements like RTO/RPO.

Concept tested. Business impact analysis for resilience

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

Topics

#Business Impact Analysis (BIA) #Resilience #Business Continuity #Recovery Objectives
