An organization has just completed their annual risk assessment. Regarding the business
continuity plan, what should an IS auditor recommend as the next step for the organization?

A.
Review and evaluate the business continuity plan for adequacy

B.
Perform a full simulation of the business continuity plan

C.
Train and educate employees regarding the business continuity plan

D.
Notify critical contacts in the business continuity plan

Explanation:
The business continuity plan should be reviewed every time a risk assessment is completed for the
organization. Training of the employees and a simulation should be performed after the business
continuity plan has been deemed adequate for the organization. There is no reason to notify the
business continuity plan contacts at this time.