nerdexam
(ISC)2

CISSP · Question #1032

What is the MINIMUM standard for testing a disaster recovery plan (DRP)?

The correct answer is D. As often as necessary depending upon the stability of the environment and business. DRP testing frequency should be driven by environmental stability and business needs rather than fixed calendar schedules. A risk-based, adaptive approach ensures the plan remains relevant and effective.

Submitted by thandi_sa· Mar 5, 2026Security Operations

Question

What is the MINIMUM standard for testing a disaster recovery plan (DRP)?

Options

  • ASemi-annually and in alignment with a fiscal half-year business cycle
  • BAnnually or less frequently depending upon audit department requirements
  • CQuarterly or more frequently depending upon the advice of the information security manager
  • DAs often as necessary depending upon the stability of the environment and business

How the community answered

(42 responses)
  • A
    2% (1)
  • B
    5% (2)
  • C
    2% (1)
  • D
    90% (38)

Why each option

DRP testing frequency should be driven by environmental stability and business needs rather than fixed calendar schedules. A risk-based, adaptive approach ensures the plan remains relevant and effective.

ASemi-annually and in alignment with a fiscal half-year business cycle

A semi-annual schedule tied to fiscal cycles imposes an arbitrary, calendar-driven cadence that ignores environmental changes and risk factors that may require more or less frequent testing.

BAnnually or less frequently depending upon audit department requirements

Tying DRP testing frequency solely to audit department requirements subordinates a critical operational security control to an administrative function, which may result in insufficient testing during periods of high environmental change.

CQuarterly or more frequently depending upon the advice of the information security manager

Quarterly testing may be excessive in highly stable environments and insufficient in rapidly changing ones; prescribing a fixed minimum interval based on a single advisor's recommendation does not reflect a proper risk-based approach.

DAs often as necessary depending upon the stability of the environment and businessCorrect

The minimum standard for DRP testing is not defined by a fixed time interval but rather by the organization's risk environment, system changes, and business requirements. ISACA and NIST guidance emphasizes that testing frequency should increase when significant changes occur (new systems, infrastructure changes, personnel changes) and may decrease in stable, low-risk environments, making 'as often as necessary' the most accurate risk-based minimum standard.

Concept tested: Risk-based disaster recovery plan testing frequency

Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

Topics

#Disaster recovery plan (DRP)#DRP testing#Business continuity#Environmental stability

Community Discussion

No community discussion yet for this question.

Full CISSP Practice