CSA Z1600 Emergency Management and Business Continuity Exam Practice Questions and Correct Answers (Verified Answers) Plus Rationale 2026/2027 Q&A
A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue?
A. The organization uses good practice guidelines instead of industry standards and relies on external advisors to ensure the adequacy of the methodology.
B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
C. The recovery time objectives (RTOs) do not take IT disaster recovery constraints into account, such as personnel or system dependencies during the recovery phase.
D. The organization plans to rent a shared alternate site with emergency workplaces which has only enough room for half of the normal staff.
Answer: B. The business continuity capabilities are planned around a carefully selected set of scenarios which describe events that might happen with a reasonable probability.
Explanation:
It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to plan and document actions for every possible scenario. Planning for just selected scenarios denies the fact that even improbable events can cause an organization to break down. Best practice planning addresses the four possible areas of impact in a disaster: premises, people, systems, and suppliers and other dependencies. All scenarios can be reduced to these four categories and can be handled simultaneously. There are very few special scenarios which justify an additional separate analysis. It is a good idea to use best practices and external advice for such an important topic, especially since knowledge of the right level of preparedness and the judgment about adequacy of the measures taken is not available in every organization. The recovery time objectives (RTOs) are based on the essential business processes required to ensure the organization's survival; therefore, it would be inappropriate for them to be based on IT capabilities. Best practice guidelines recommend having 20%-40% of normal capacity available at an emergency site; therefore, a value of 50% would not be a problem if there are no additional factors.
As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?
A. Organizational risks, such as single point-of-failure and infrastructure risk
B. Threats to critical business processes
C. Critical business processes for ascertaining the priority for recovery
D. Resources required for resumption of business
Answer: C. Critical business processes for ascertaining the priority for recovery.
Explanation:
The identification of the priority for recovering critical business processes should be addressed first. Organizational risks should be identified next, followed by the identification of threats to critical business processes. Identification of resources for business resumption will occur after the tasks mentioned.
Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information processing facility is restored.
B. User management is involved in the identification of critical systems and their associated