(ISC)2 Certified in Cybersecurity Practice Exam

The correct answer is the Business Impact Analysis. This analysis focuses on identifying the effects of disruption to business operations resulting from unforeseen events, such as natural disasters, cyberattacks, or system failures. It evaluates the criticality of different functions within an organization, assessing how their disruption impacts the overall business objectives.

Through this process, organizations can determine the necessary contingency requirements, including recovery time objectives (RTO) and recovery point objectives (RPO), which help define how quickly the business can maintain or restore operations after an incident. By understanding these impacts, organizations can prioritize resources and implement effective strategies to mitigate risks, ensuring that vital operations remain resilient in the face of challenges.

In contrast, risk assessments are broader in scope, focusing on identifying, evaluating, and prioritizing risks across the entire organization, while security audits examine the effectiveness of existing security controls and compliance reviews assess adherence to relevant laws and regulations. These analyses serve different purposes and inform different aspects of an organization's security strategy but don't specifically characterize the contingency requirements of an information system as effectively as a Business Impact Analysis.