CISSP PRACTICE QUESTIONS – 20220219

Effective CISSP Questions

According to ISO 22300, business continuity is the capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption. Which of the following statements about business impact analysis is inappropriate? (Wentz QOTD)
A. Prioritized activities and supporting resources should be identified.
B. The recovery time objective (RTO) and recovery point objective (RPO) for all prioritized activities should be set.
C. Losses due to fines or penalties should be considered.
D. The minimum acceptable capacities of activities should be determined.


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. The recovery time objective (RTO) and recovery point objective (RPO) for all prioritized activities should be set.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Common BIA Terminologies

According to ISO 22300, business continuity is the capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption. RTO refers to “the time frame for resuming an activity.”

Information systems are only one type of activity and resource that supports the delivery of products and services, so not all disruptive incidents require data restoration. In other words, not every prioritized activity needs a Recovery Point Objective (RPO), the point in time to which data must be recovered after an outage.

The minimum acceptable capacities of activities or service delivery objectives (SDO) should also be determined. SDO is mentioned in CISM, but not highlighted in CISSP.

According to ISO 22300, business continuity is the capability of an organization to continue delivering products and services within acceptable time frames at a predefined capacity during a disruption. Which of the following statements about business impact analysis (BIA) is inappropriate? (Wentz QOTD)
A. Prioritized activities and supporting resources should be identified.
B. The recovery time objective (RTO) and recovery point objective (RPO) for all prioritized activities should be set.
C. Losses due to fines or penalties should be considered.
D. The minimum acceptable capacities of activities should be determined.
