Which of the following activities would not be included in the contingency planning process phase?

A.
Prioritization of applications

B.
Development of test procedures

C.
Assessment of threat impact on the organization

D.
Development of recovery scenarios

Explanation:
When an incident strikes, more is required than simply knowing how to restore data from backups. Also
necessary are the detailed procedures that outline the activities to keep the critical systems available and
ensure that operations and processing are not interrupted. Contingency management defines what should take
place during and after an incident. Actions that are required to take place for emergency response, continuity of
operations, and dealing with major outages must be documented and readily available to the operations staff.
Development of test procedures is not part of contingency planning. This has nothing to do with recovering from
an incident.
Incorrect Answers:
A: Prioritization of applications is used to determine which applications are most important to the company and
should be recovered first. This should be part of your contingency planning.
C: Assessment of threat impact on the organization should be part of the contingency plan to determine what
affect an incident would have. This should be part of your contingency planning.
D: Development of recovery scenarios are the most obvious part of a contingency plan. You need to plan how
to recover from an incident. This should be part of your contingency planning.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1276