CISM Question #972: Real Exam Question with Answer & Explanation

The correct answer is D: Develop a business continuity plan (BCP).

Submitted by diego_uy · Apr 18, 2026 · Information Security Program

Question

Which of the following processes should be done NEXT after completing a business impact analysis (BIA)?

Options

  • A. Develop the requirements for the incident response plan.
  • B. Evaluate the disaster recovery plan (DRP).
  • C. Identify resources for business recovery.
  • D. Develop a business continuity plan (BCP).

Explanation

After completing a BIA - which identifies critical business functions, their dependencies, and the impact of disruptions - the logical next step is to develop a Business Continuity Plan (D), because the BIA's findings (recovery time objectives, recovery point objectives, critical assets) directly feed into and shape the BCP framework.

Why the distractors are wrong:

  • (A) Incident response plan addresses how to detect and respond to security incidents, which is a separate discipline from business continuity and not the direct output of a BIA.
  • (B) Evaluating an existing DRP comes after the BCP is established, since the DRP is a subset of the BCP focused on IT/system recovery - you can't meaningfully evaluate it before the overarching plan exists.
  • (C) Identifying resources for recovery happens during BCP development, not as a standalone step between the BIA and BCP.

Memory tip: Think of it as a pipeline - BIA → BCP → DRP. The BIA tells you what matters and how much, the BCP tells you how to keep the business alive, and the DRP tells you how to restore IT systems. Each step builds on the previous one in that order.

Topics

#Business Impact Analysis (BIA) #Business Continuity Plan (BCP) #BCM Lifecycle #Continuity Planning
