Question 6 - CompTIA SecurityX / CASP+ CAS-005 Real Exam Questions [March 2026 Update]

Q: 6

[Governance, Risk, and Compliance (GRC)] A compliance officer isfacilitating abusiness impact analysis (BIA)and wantsbusiness unit leadersto collect meaningful dat a. Several business unit leaders want more information about the types of data the officer needs. Which of the following data types would be the most beneficial for the compliance officer?(Select two)

Options

Discussion

Leo O. Feb 13, 2026 6:15 pm

Why is this even a question for BIA, seems obvious it's C and F.

Amelia L. Feb 16, 2026 4:33 am

Probably C and F here. BIA needs you to identify your critical processes and measure the impact or costs if they go down. B (contract obligations) seems tempting but that's more for compliance audits than the actual impact analysis. Anyone see it different?

Luke Feb 28, 2026 6:20 pm

C/F. BIA's always about figuring out your critical processes and what downtime will cost you, so C and F are the data types that actually help drive decisions here. B (contract obligations) feels compliance focused but it's less helpful for the impact analysis side. Someone disagree?

Mia U. Feb 23, 2026 5:36 pm

C F tbh, B is a compliance trap here, costs and critical processes are core for BIAs.

Chris P. Feb 17, 2026 2:35 am

C and F, that's what the official CASP+ guide covers for BIAs. You see those in practice sets too, pretty standard.

Jamie Mar 2, 2026 9:07 pm

C and F, that matches what I’ve seen in official study guides about BIAs. Critical processes (F) tell you what’s essential to keep running, and costs associated with downtime (C) help quantify impact for the business. Practice questions and labs focus on these two data types a lot. Pretty sure these are the best picks here, but open to other thoughts if someone’s used a different source.

Nathan G. Feb 27, 2026 9:18 pm

I don't think it's C and F. I'd pick B and F since contract obligations seem important for a compliance officer’s impact analysis, not just the costs. Pretty sure B is a common trap but still seems valid to me. Anyone got another take?

Nathan M. Mar 2, 2026 1:25 am

Its C and F. B looks tempting because of the compliance angle, but for BIA you really need those impact and process details.

Sara P. Feb 14, 2026 10:09 am

C/F tbh. Critical processes and downtime costs are the main data points you want for a BIA, since that's how you measure impact. The compliance reference might throw you but I'm pretty sure it's still C and F.

Rowan B. Mar 3, 2026 11:17 am

C/F? The question mixes compliance and BIA, so part of me thinks B could be in play, but critical processes and downtime costs (C, F) usually drive the impact analysis. Not 100% sure though, open to being convinced otherwise.

Be respectful. No spam.

Correct Answer:

C, F

Explanation

A Business Impact Analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations. The two most fundamental data types required from business unit leaders are the identification of critical processes (F) and the quantification of the costs associated with downtime (C) for those processes. Identifying critical processes is the foundational step, establishing what the BIA will analyze. Quantifying the financial and operational costs of a disruption (e.g., lost revenue, penalties, reputational damage) is the core of the "impact" analysis, which is essential for prioritizing recovery efforts and defining Recovery Time Objectives (RTOs).

Why Incorrect

A. Inventory details: This is a component of asset management or a technical risk assessment, not a primary input from business leaders for a BIA, which focuses on processes and impact.

B. Applicable contract obligations: While important, these obligations (like SLAs) are a component of the overall impact, which is more comprehensively captured by the total costs associated with downtime.

D. Network diagrams: These are technical artifacts used in the subsequent disaster recovery planning phase to design solutions, not a primary business-level input for the BIA itself.

E. Contingency plans: These are an output of the business continuity process. They are created after the BIA has been completed to address the identified risks and impacts.

References

1. NIST Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems.

Section 3.2

Business Impact Analysis (BIA)

Step 1 (Page 16): "The first BIA step is to identify the organization’s mission/business processes and determine their recovery criticality." This directly supports the selection of F. Critical processes.

Section 3.2

Business Impact Analysis (BIA)

Step 2 (Page 17): This step involves identifying outage impacts. The guide states

"Impacts may include... financial

loss of revenue..." This directly supports the collection of data on C. Costs associated with downtime.

2. Herbane

B. (2010). The evolution of business continuity management: A historical review of practices and drivers. Business History

52(6)

978-1002.

Page 985: The article describes the BIA process as involving the identification of "the critical processes which are essential for survival" and assessing "the business impact of a failure of these processes

which is usually measured in financial terms." This supports both F. Critical processes and C. Costs associated with downtime as central to the BIA. DOI: https://doi.org/10.1080/00076791.2010.511185

3. University of Illinois at Urbana-Champaign

CS 461/ECE 422: Computer Security I

Lecture 23: Business Continuity.

Slide 6

"Business Impact Analysis": The lecture material defines the BIA as the process to "Identify critical business functions" and "Determine tangible and intangible impact of the loss of that function." Tangible impacts are explicitly listed as financial losses

directly corresponding to F. Critical processes and C. Costs associated with downtime.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE