Practice CC Business Continuity, DR & Incident Response questions with full explanations on every answer.
1. During a ransomware incident, the incident response team isolates affected systems. Which of the following is the NEXT best step?
2. An organization's recovery time objective (RTO) for its customer database is 4 hours. During a disaster, the backup restore process takes 2 hours, but reconfiguration and testing tasks add another 3 hours. Which action best addresses this gap?
3. A SOC analyst receives an alert indicating a user executed a PowerShell script that initiated outbound connections to an external IP. The script was delivered via email attachment. Which incident response phase is MOST appropriate for containing this threat?
4. A company's business continuity plan includes an alternate work site with full IT capabilities. Which type of recovery site does this describe?
5. An organization uses a primary data center and a backup site 500 miles away. The backup site replicates data synchronously. Which risk is MOST likely introduced by this configuration?
6. Which TWO actions are appropriate during the identification phase of incident response?
7. Which THREE elements are essential components of a business continuity plan (BCP)?
8. Based on the incident log, at which step did the incident response team contain the threat?
9. Based on the backup schedule, what is the maximum potential data loss?
10. You are the incident response lead for a financial services company. At 09:00, the SOC detects unusual outbound traffic from a server in the DMZ to an external IP known to be a command-and-control (C2) server. The server runs a legacy application that cannot be patched. The server is critical for customer transactions, but an alternate manual process can sustain operations for up to 4 hours. The CTO wants to keep the server online to avoid customer impact. The CEO is concerned about data exfiltration. The compliance officer reminds you of regulatory requirements to report breaches within 72 hours. Which action should you take FIRST?
11. An organization experiences a ransomware attack that encrypts critical file servers. The backups are stored on a separate network segment but are also encrypted. The incident response team suspects the attacker compromised the backup system using stored credentials. Which best practice should have been implemented to prevent this?
12. During a tabletop exercise for a data center outage, the IT manager realizes that the disaster recovery plan does not specify how to fail over the database cluster. The primary data center fails completely. The standby site has a replica of the database, but the application team cannot promote it because they lack the necessary privileges. What is the most likely cause of this gap?
13. Which TWO actions are most effective in reducing the mean time to detect (MTTD) a security incident?
14. The exhibit shows a syslog-ng client configuration and a firewall rule on the central logging server (IP 10.0.0.10). The client (192.168.1.100) is not sending logs to the server. What is the most likely cause?
15. A mid-sized e-commerce company has a primary data center in New York and a disaster recovery site in Dallas. The application stack includes a web server, application server, and a PostgreSQL database. The database uses synchronous replication to the DR site. During a routine failover test, the IT team discovers that after failing over to Dallas, the web servers in New York continue to attempt connections to the original database IP, causing application errors. The DNS records have been updated to point to the DR database IP, but the web servers are not refreshing their DNS cache. The company uses a standard TTL of 300 seconds. The IT manager needs a solution that ensures minimal disruption during future failovers. Which action should be taken?
16. A company's primary data center experiences a complete power failure, and operations are shifted to a secondary site. The failover process takes 4 hours, but the recovery point objective (RPO) is set to 1 hour. Which of the following is the most likely consequence of this incident?
17. Which TWO of the following are primary objectives of an incident response plan? (Choose two.)
18. Refer to the exhibit. A security analyst observes that users from the 192.168.1.0/24 network cannot access HTTPS websites, but HTTP access works fine. What is the most likely cause?
19. Drag and drop the steps for the TCP three-way handshake into the correct order.
20. Drag and drop the steps for the proper disposal of a hard drive containing sensitive data into the correct order.
21. Match each access control model to its key characteristic.
22. Match each cryptographic concept to its definition.
23. A company's backup strategy involves daily full backups only. What is the primary risk associated with this approach?
24. An organization discovers a ransomware infection on a critical server. According to the incident response phases, what should be the first action after detection?
25. Which metric defines the maximum acceptable amount of data loss measured in time?
26. A primary data center is destroyed. The disaster recovery plan calls for activation of a hot standby site. If the RTO is 2 hours, what is the expected recovery time?
27. During a disaster recovery test, backup tapes fail to restore data due to format incompatibility. Which element of the Business Continuity Plan should be updated?
28. Which is a key benefit of a cold site as a recovery location?
29. During a disaster recovery exercise, the system fails to achieve the RTO. Analysis shows that restoring the database from tape takes 3 hours, but the RTO is 2 hours. Which is the most effective solution?
30. According to the NIST 800-61 incident response lifecycle, after containment and eradication have been performed, what is the next phase?
31. Which statement best describes a warm site in disaster recovery?
32. Which TWO are primary objectives of a Business Continuity Plan (BCP)? (Select two.)
33. Which TWO are true about a differential backup? (Select two.)
34. Which THREE are differences between a hot site and a cold site? (Select three.)
35. Refer to the exhibit. Based on the backup log, what is the most likely corrective action?
36. Refer to the exhibit. Which statement best describes compliance with the recovery objectives?
37. Refer to the exhibit. Based on the report, which improvement is most appropriate?
38. A company has a disaster recovery plan that includes a hot site. Which of the following is the PRIMARY advantage of a hot site over a cold site?
39. During an incident, an organization needs to preserve volatile data. Which of the following should be collected FIRST?
40. During a disaster recovery exercise, the team discovers that the backup site does not have the latest security patches applied. Which of the following steps should be taken FIRST?
41. Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?
42. After a security incident has been contained and eradicated, which of the following should be done to improve future incident response?
43. An organization uses a warm site for disaster recovery. Which of the following is the MOST significant risk of this approach?
44. During a disaster recovery test, the team discovers that the backup generator fails to start. What is the BEST immediate action?
45. An organization has detected a ransomware infection. What is the FIRST step in the incident response process?
46. During a disaster recovery exercise, the backup systems are not available because the storage array failed. Which of the following should be done FIRST?
47. Refer to the exhibit. A SOC analyst pulled this log snippet. Which type of attack is most likely in progress?
48. Refer to the exhibit. An administrator needs to restore a database file from two weeks ago, but the backup log shows success. What is the most likely reason the file cannot be restored?
49. Refer to the exhibit. A DBA is investigating a replication issue. What should be the FIRST action?
50. Which TWO are phases of the NIST incident response life cycle? (Select exactly 2.)
51. Which THREE are commonly defined in a disaster recovery plan? (Select exactly 3.)
52. In incident response, which TWO are considered volatile data that should be collected first? (Select exactly 2.)
53. A company's primary data center is destroyed by a natural disaster. The backup site has been fully synchronized but needs to be activated. Which process addresses the activation of the backup site?
54. A security analyst receives an alert of unusual network traffic from an internal host to an external IP known for command-and-control. After isolating the host, what should be the next step?
55. During a tabletop exercise, the IT team realizes that the backup tapes are stored in the same building as the servers. Which risk does this highlight?
56. After a ransomware attack, which team is primarily responsible for coordinating the response?
57. A company's BCP requires that critical systems be restored within 2 hours of disruption. Which metric defines this?
58. In a cloud environment, the security team discovers that a misconfigured S3 bucket has made customer data publicly accessible. After securing the bucket, what is the most important next step?
59. Which document outlines the procedures for maintaining critical business functions during a disruption?
60. An organization's backup strategy includes daily full backups. However, recovery tests show that restoring from tape takes 6 hours longer than expected. What is the most likely cause?
61. During an incident, the IR team identifies that the root cause is a zero-day vulnerability. Which of the following is the best immediate action?
62. Which TWO are key outputs of a Business Impact Analysis (BIA)?
63. Which THREE are primary phases of the incident response lifecycle?
64. Which TWO are best practices for managing backup media?
65. Refer to the exhibit. What is the first action the incident responder should take?
66. Refer to the exhibit. What does this indicate?
67. Refer to the exhibit. What is the effect of this ACL?
68. A company's primary data center is located in a region prone to hurricanes. The IT team is designing a disaster recovery plan to ensure critical applications resume within 4 hours of a declared disaster. Which of the following is the MOST appropriate recovery strategy?
69. Refer to the exhibit. A security analyst observes repeated outbound connection attempts from an internal server to external IP addresses on a non-standard port. What is the MOST likely interpretation?
70. A company's business continuity plan requires a maximum tolerable downtime of 2 hours for the ERP system. The current backup process takes 3 hours to restore. Which of the following is the BEST corrective action?
71. During an incident, the incident response team discovers that an attacker has exfiltrated sensitive customer data. According to incident response best practices, whose approval is REQUIRED before contacting law enforcement?
72. A company is developing a disaster recovery plan for its database server. The database is updated transactionally and cannot tolerate any data loss. Which backup strategy meets this requirement?
73. An organization's incident response plan specifies containment, eradication, and recovery phases. During containment, the team isolates a compromised server from the network. However, the server is a domain controller. What is the PRIMARY risk of this action?
74. Which metric is used to define the maximum amount of data loss an organization can tolerate during a disaster?
75. A small business with a limited budget wants to ensure critical business functions can resume within 24 hours of a disaster. Its data changes infrequently. Which recovery solution is MOST cost-effective?
76. Which TWO are essential elements of a business impact analysis (BIA)?
77. Which TWO are appropriate methods to test a disaster recovery plan?
78. Which THREE are phases of the incident response process according to NIST SP 800-61?
79. Your organization runs a critical e-commerce platform on a private cloud. The database server is located in a data center in a seismic zone. The current DR plan uses a warm site with daily differential backups and a 12-hour RTO. A recent earthquake caused a power outage but no physical damage. The database corruption was discovered after 6 hours. The backups from last night are intact, but restoring involves applying transaction logs. The RTO is now at risk. What should be done FIRST?
80. A healthcare organization experiences a ransomware attack that encrypts all files on file servers and workstations. The incident response team has isolated the infected systems. The backup policy includes daily incremental backups and weekly full backups stored on a separate network segment. The most recent full backup is 5 days old. The incremental backups from the past 4 days are available but are stored on the same backup server that might be compromised. To restore data with minimal loss, what should the team do?
81. A small manufacturing company's IT infrastructure consists of a single server running ERP and file services, with a nightly backup to an external hard drive. The server fails due to a hardware failure. The company's BCP states that the ERP system must be restored within 8 hours. The backup is 12 hours old. The IT administrator has a spare server of similar configuration. What is the BEST course of action?
82. An online retailer has a DR plan that includes active-active data centers. During a major DDoS attack, one data center's external connectivity is saturated. The internal network is operational. The security team has identified the attack traffic pattern and is working with the ISP to filter it. To maintain service availability, what action should be taken?
83. A company is developing a business continuity plan (BCP). Which TWO of the following are essential components that must be included in a BCP?
84. You are the cybersecurity lead for a mid-sized retail company. One morning, employees report that they cannot access files on the shared drive, and a ransom note appears on several screens demanding $50,000 in Bitcoin. The company has a formal incident response plan that was last updated two years ago and has never been tested. Backups are taken nightly to an on-premises tape library and also replicated to a cloud storage service, but they have not been verified recently. The CEO is insisting on paying the ransom to avoid business disruption. Which of the following is the MOST appropriate first course of action?
85. A multinational financial services organization operates three data centers in different geographic regions. Each data center runs a mix of critical and non-critical applications. The DR plan specifies Recovery Time Objectives (RTOs) ranging from 4 hours for critical applications to 72 hours for non-critical. During a scheduled DR test, the team attempts to fail over the primary customer database to the secondary site. The failover fails because the replication link between sites was saturated due to a large data synchronization job running concurrently. The test is declared a failure, and senior management is concerned about the DR plan's reliability. The IT director suggests increasing bandwidth between sites. The security architect proposes implementing network prioritization for replication traffic. The business continuity manager recommends revising the RTOs to be more realistic based on current bandwidth. The system administrator thinks the issue will resolve if the test is repeated during off-peak hours. Which of the following is the BEST course of action to address the root cause of the failure?
The Business Continuity, DR & Incident Response domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.
The Courseiva CC question bank contains 85 questions in the Business Continuity, DR & Incident Response domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Business Continuity, DR & Incident Response domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.