Business Continuity Plan (Part 2 of 2)
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series continues from Part 1 and focuses on the practical side of business continuity planning. The session covers, at a topic level, how the plan is developed and structured, who must be involved, how testing and maintenance work, the role of insurance, and how IS auditors review the entire program.
What this episode covers
- Developing the plan — what factors deserve attention, how to write it in plain language organized by team, and the importance of keeping copies offsite.
- Who must be involved — why management, users, support services, business operations, and information processing staff must all participate.
- Plan components — core and supplementary documents such as the continuity of operations plan, disaster recovery plan, business resumption plan, and crisis communications plan.
- Call tree and supply considerations — how crisis contact lists work and what supplies and equipment must be pre-positioned at recovery sites.
- Insurance coverage — the modular types of technology insurance and the two key limits every auditor should understand.
- Testing types and measurement — tabletop, preparedness, and full operational tests measured by time, throughput, recovery counts, and data accuracy.
- Maintenance and auditor review — how a coordinator keeps the plan current and what documents, applications, teams, testing records, and contracts an auditor examines.
Watch the full episode for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What are the core components of a business continuity plan?
A continuity plan is often a set of documents rather than a single one, with three core components: a continuity of operations plan, a disaster recovery plan, and a business resumption plan. Others may join them, including a crisis communications plan, an incident response plan, and an evacuation plan. The plan should be written in plain language that anyone can follow, organized by team, with copies kept offsite.
What are the main types of BCP tests and how do they differ?
BCP tests climb in intensity from a tabletop test that walks through the plan on paper, to a preparedness test that stages a simulated outage with real resources and exercises one part of the plan at a time, to a full operational test that shuts down normal operations entirely. Each test should run in three phases: a pretest to set the stage, the test itself in which staff perform their assigned tasks, and a posttest for cleanup and honest evaluation. Organizations are advised to start simple and make each test more challenging than the last.
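The episode lists four measures for a recovery test: elapsed time, throughput, recovery counts, and data accuracy. The Python below is an added example (not code from the episode or from ISACA) that scores one test against those measures: recovery time against a recovery time objective (RTO), transactions per minute sustained after restoration, the number of records recovered, and an order-independent SHA-256 digest comparison that reports exactly which rows went missing. The targets, checkpoint timestamps, and record sets are constructed for illustration.

```python
"""Score a BCP/DR recovery test by time, throughput, recovery count and data accuracy.

Added example with constructed data; the RTO, checkpoints and records are
illustrative, not figures from any real test or from the episode.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class RecoveryTarget:
    rto: timedelta           # maximum time from declared outage to restored service
    expected_records: int    # rows the recovered system must hold
    min_tx_per_min: float    # sustained transaction rate the recovered site must meet


def elapsed_recovery(checkpoints):
    """Time from the declared outage to the 'service restored' checkpoint."""
    return checkpoints["service_restored"] - checkpoints["outage_declared"]


def record_digest(records):
    """Order-independent SHA-256 over a record set: two copies holding the same
    rows in a different physical order produce the same digest."""
    h = hashlib.sha256()
    for rec in sorted(records):
        h.update(repr(rec).encode())
        h.update(b"\x00")  # separator so adjacent rows cannot run together
    return h.hexdigest()


def accuracy(primary, recovered):
    """Recovered row count, digest match, and the rows that are missing or extra."""
    p, r = set(primary), set(recovered)
    return {
        "recovered_count": len(r),
        "digest_match": record_digest(p) == record_digest(r),
        "missing": sorted(p - r),
        "extra": sorted(r - p),
    }


def score_test(target, checkpoints, primary, recovered, transactions_processed):
    """Compare one test run with its targets; every shortfall becomes a finding."""
    elapsed = elapsed_recovery(checkpoints)
    # Throughput is measured over the window between restoration and posttest.
    window_min = (checkpoints["posttest_start"] - checkpoints["service_restored"]).total_seconds() / 60
    throughput = transactions_processed / window_min
    acc = accuracy(primary, recovered)
    findings = []
    if elapsed > target.rto:
        findings.append(f"recovery took {elapsed} against an RTO of {target.rto}")
    if throughput < target.min_tx_per_min:
        findings.append(f"throughput {throughput:.1f}/min below target {target.min_tx_per_min}/min")
    if acc["recovered_count"] != target.expected_records:
        findings.append(f"recovered {acc['recovered_count']} records, expected {target.expected_records}")
    if not acc["digest_match"]:
        findings.append(f"restored data differs from primary: missing={acc['missing']} extra={acc['extra']}")
    return {
        "elapsed_minutes": elapsed.total_seconds() / 60,
        "throughput_per_min": throughput,
        "accuracy": acc,
        "findings": findings,
        "passed": not findings,
    }


# Constructed sample: a two-hour RTO, a five-row table, and a test where one row
# was lost in the restore and service came back 30 minutes late.
TARGET = RecoveryTarget(rto=timedelta(hours=2), expected_records=5, min_tx_per_min=25.0)
CHECKPOINTS = {
    "pretest_start": datetime(2024, 3, 9, 8, 0),
    "outage_declared": datetime(2024, 3, 9, 9, 0),
    "service_restored": datetime(2024, 3, 9, 11, 30),
    "posttest_start": datetime(2024, 3, 9, 12, 30),
}
PRIMARY = [(1, "ACME", 1200.00), (2, "Globex", 845.50), (3, "Initech", 99.99),
           (4, "Umbrella", 3000.00), (5, "Hooli", 15.00)]
RECOVERED = [(1, "ACME", 1200.00), (2, "Globex", 845.50), (3, "Initech", 99.99),
             (5, "Hooli", 15.00)]


def run_sample():
    return score_test(TARGET, CHECKPOINTS, PRIMARY, RECOVERED, transactions_processed=1800)


if __name__ == "__main__":
    result = run_sample()
    print("passed" if result["passed"] else "FAILED")
    for finding in result["findings"]:
        print(" -", finding)
```

The digest comparison is what turns "data accuracy" into evidence an auditor can file: a matching digest shows the restored set equals the primary set row for row, and a mismatch is accompanied by the exact missing or extra rows rather than a bare failure. The sample run fails on three of the four measures (late recovery, one lost row, digest mismatch) while meeting the throughput target, which is the kind of partial result a posttest evaluation should record honestly rather than averaging into a single pass.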
What role does a call tree play in a business continuity plan?
A call tree is a ranked contact list of the people who make decisions during a crisis, stating whom to call in priority order and how to reach them. It must have redundant contact methods for each person, be updated regularly, and be held in hard copy because systems may be down during a real event. The call tree should also include vendors, suppliers, recovery sites, and insurers, together with a method to confirm how many people were actually reached.
What types of insurance coverage are relevant to business continuity?
Technology insurance is typically built from modules assembled to match the environment, covering areas such as equipment and facilities, media and software reconstruction, extra-expense coverage to keep operating after damage, business interruption for lost profit, valuable papers and records, errors and omissions, fidelity for dishonest acts by employees, and media in transit. Two important limits are that most policies reimburse on the basis of historical financial performance rather than current results, and that none of them restores lost reputation or goodwill.
How does an auditor review a business continuity plan?
An auditor starts by obtaining the current policy, plan, and impact analysis findings, then confirms that distributed copies are current and that the plan supports the strategy. The review then covers critical applications to confirm they are prioritized and that secondary sites have compatible software versions, followed by team lists and backup-facility agreements. The auditor also examines testing documentation, offsite storage for current synchronized media, physical and environmental security of the facility, and the alternative processing contract to confirm it guarantees access and testing rights.
📚 Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in Business Continuity Plan (Part 2 of 2).