Practice CC Business Continuity, Disaster Recovery, and Incident Response questions with full explanations on every answer.
1. A company is developing a business continuity plan. Which document identifies critical business functions and their dependencies, including the maximum acceptable downtime?
2. An organization's recovery time objective (RTO) for its customer database is 4 hours, and the recovery point objective (RPO) is 1 hour. The database is backed up every hour using full backups. A disaster occurs at 2:00 PM, and the last successful backup was at 1:00 PM. The system is restored and operational at 5:30 PM, but data from 1:00 PM to 2:00 PM is lost. Which statement is correct?
3. During a disaster recovery test, an organization uses a warm site. The site has partially configured servers and network infrastructure but lacks recent data. The recovery team expects to have the system operational within 2 days. Which recovery metric is most directly addressed by the warm site's capabilities?
4. An organization stores backup data on a tape drive (onsite) and also replicates critical data to a cloud storage service. This practice best exemplifies which backup rule?
5. Which recovery site strategy provides the shortest recovery time objective (RTO), typically measured in hours, by maintaining a fully mirrored environment that can be activated immediately?
6. A security analyst detects unusual outbound network traffic from a server that typically only handles internal file sharing. The traffic appears to be exfiltrating sensitive data. Which phase of the incident response process should the analyst initiate next?
7. A company experiences a ransomware attack that encrypts all files on a file server. The IT team decides to restore the server from the most recent full backup taken 24 hours ago, followed by all differential backups taken since then. If the last full backup was on Sunday at midnight, and the attack occurs on Wednesday at 6:00 AM, with differential backups taken daily at noon, how many differential backups must be restored?
8. During a data breach incident, the incident response team discovers that personally identifiable information (PII) of European Union residents was compromised. According to GDPR, what is the maximum time frame for notifying the supervisory authority?
9. Which type of backup copies all data that has changed since the last full backup, regardless of any subsequent incremental or differential backups?
10. A financial institution's incident response team is handling a denial-of-service (DoS) attack that is affecting customer access. The team has identified the attack source IPs and implemented filtering rules on the perimeter firewall. Which phase of incident response is being performed?
11. An organization's business continuity plan designates a maximum tolerable downtime (MTD) of 8 hours for its order processing system. The system's recovery time objective (RTO) is set at 4 hours, and work recovery time (WRT) is estimated at 2 hours. If a disaster occurs at 10:00 AM and the system is restored at 2:00 PM, but additional configuration and data validation take until 3:30 PM to complete, what is the total downtime and is the MTD met?
12. Which incident category involves an attacker tricking an employee into revealing their login credentials through a fraudulent email?
13. A company is creating a backup strategy for its critical database. The database is updated continuously, and the company can tolerate up to 2 hours of data loss. Which TWO backup methods would best help achieve a recovery point objective (RPO) of 2 hours? (Select TWO.)
14. During a security incident, the crisis communication team must notify stakeholders. According to best practices, which THREE groups should always be included in initial notifications? (Select THREE.)
15. An organization is evaluating recovery site options. Which TWO factors are most critical when selecting between a hot site and a warm site? (Select TWO.)
16. An organization is developing a Business Continuity Plan (BCP). Which analysis is performed first to identify critical business functions and their dependencies?
17. During a disaster recovery test, the IT team successfully restored systems from backups and achieved the recovery time objective (RTO). However, users could not resume normal work because additional configuration and data validation were needed. Which metric was NOT met?
18. A company’s disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. The database is backed up every hour using incremental backups. After a catastrophic failure, restoration takes 3 hours, but the database must be rolled forward using transaction logs. The total time to make the database fully operational is 5 hours. Which statement is correct?
19. Which recovery site strategy provides the fastest recovery time, typically within hours, and is a fully mirrored environment ready to take over operations immediately?
20. An organization adopts the 3-2-1 backup rule. Which combination of backups satisfies this rule?
21. A small business wants to minimize backup storage space and backup time, knowing that restoration may be slower. Which backup strategy should they choose?
22. During an incident, the security team detects unusual outbound traffic from a server that normally does not communicate externally. The traffic appears to be encrypted and is sent to an unknown IP address. Which incident category best describes this scenario?
23. An organization experiences a ransomware attack that encrypts critical files. The incident response team follows the standard IR phases. After containing the infection and eradicating the malware, what is the next phase?
24. A healthcare organization suffers a data breach involving protected health information (PHI). The incident occurred on Monday, and the organization discovers it on Wednesday. Under GDPR, if the breach affects EU residents, what is the deadline for notifying the supervisory authority?
25. Which of the following best describes a Disaster Recovery Plan (DRP)?
26. A company’s backup strategy: Full backup every Sunday, differential backups Monday through Saturday. On Thursday, the system fails. How many backups are needed to restore the data?
27. An organization determines that its critical financial application has a maximum tolerable downtime (MTD) of 8 hours. The recovery time objective (RTO) is set to 6 hours, and the work recovery time (WRT) is 2 hours. If the application is restored from backup in 5 hours, but additional configuration takes 3 hours, what is the total downtime, and is the MTD met?
28. An organization is developing an incident response plan. Which TWO phases are part of the incident response lifecycle according to the NIST framework? (Select two.)
29. A company is selecting a recovery site strategy. They need to balance cost and recovery time. Which THREE factors should they consider when choosing between hot, warm, and cold sites? (Select three.)
30. An organization experiences a denial-of-service (DoS) attack. Which TWO actions should the incident response team take during the containment phase? (Select two.)
31. An organization is preparing its Business Continuity Plan (BCP). Which process identifies critical business functions and the impact of disruptions?
32. During a BIA, the maximum tolerable downtime for a critical application is determined to be 4 hours. The IT team estimates system recovery will take 2 hours, but additional manual work to reconcile data will take 1 hour. What is the Recovery Time Objective (RTO)?
33. A company has a Recovery Point Objective (RPO) of 1 hour for its financial database. It performs full backups every night at 11 PM and incremental backups every 4 hours. If the system fails at 2:30 PM, what is the maximum data loss in terms of time?
34. Which recovery site strategy provides the fastest Recovery Time Objective (RTO), typically within hours, by maintaining a fully operational mirrored environment?
35. A company uses a reciprocal agreement for disaster recovery. What is a primary risk of this strategy?
36. An organization needs to prioritize recovery of systems after a disaster. Which metric directly indicates the maximum acceptable outage time for a business function?
37. Which backup strategy offers the fastest restore time but requires the most storage space?
38. A company follows the 3-2-1 backup rule. It has two full backups: one on an external hard drive in the server room and one on tape in a safe on-site. Which step should be taken to fully comply with the rule?
39. During which phase of the incident response process would the team identify the root cause of a security incident?
40. A company experiences a data breach involving personal data of EU residents. Under GDPR, what is the maximum time within which the organization must notify the supervisory authority?
41. During an incident, a security analyst identifies a SQL injection attack. The team contains the threat by blocking the attacker's IP. Which step should be performed next in the incident response process?
42. Which incident category involves an attempt to make a system or network resource unavailable to its intended users?
43. A company is implementing a backup strategy. Which TWO of the following are characteristics of incremental backups? (Choose two.)
44. A security team is developing an incident response plan. Which THREE of the following are essential components of crisis communications during a data breach? (Choose three.)
45. Which TWO of the following are common indicators of a potential data breach? (Choose two.)
46. A company is creating a business continuity plan. Which analysis should be performed first to identify critical business functions and their dependencies?
47. After a ransomware attack, the IT team restores systems from backups. The CEO asks how quickly data can be recovered. Which metric addresses the acceptable amount of data loss?
48. An organization's BIA determines that the payroll system has a Maximum Tolerable Downtime (MTD) of 4 hours. The current recovery plan has an RTO of 2 hours and an RPO of 1 hour. What is the maximum Work Recovery Time (WRT) allowed to meet the MTD?
49. Which type of recovery site is pre-configured with hardware and software, but does not have live data, typically requiring days to become operational?
50. A company uses a backup strategy where on Monday a full backup is taken, and on Tuesday only data changed since Monday is backed up. On Wednesday, the backup includes all data changed since Monday. What type of backup is the Wednesday backup?
51. During an incident, the incident response team identifies that a malware infection is spreading. They isolate affected systems to prevent further damage. Which phase of the incident response process are they performing?
52. A security analyst detects unusual outbound traffic from a server that suggests a data breach. According to GDPR, within what timeframe must the organization notify the supervisory authority?
53. An organization is adopting the 3-2-1 backup rule. They currently have data on a primary server and a daily backup to an external hard drive. To comply with the rule, what is the minimum additional requirement?
54. Which incident category involves an attacker tricking an employee into revealing credentials?
55. During a disaster, an organization activates a reciprocal agreement with another company. What is a primary risk associated with this strategy?
56. An organization's backup schedule: Full backup every Sunday, incremental backups Monday-Saturday. If a failure occurs on Thursday, how many backup sets are needed to restore the data?
57. Which phase of the incident response process involves restoring systems to normal operations and confirming they are functioning correctly?
58. A security analyst is prioritizing incidents based on severity. Which TWO factors are most important for determining incident severity?
59. After a major power outage, an organization needs to declare a disaster and activate its DRP. Which THREE elements should be included in the initial crisis communication?
60. An organization is choosing a backup strategy to minimize restore time. Which TWO backup types require only the most recent full backup and the latest differential backup to restore?
61. An organization is creating a Business Continuity Plan (BCP). Which analysis should be performed first to identify critical business functions and their dependencies?
62. A company's critical database must be recovered within 4 hours after a disaster, and they can tolerate losing up to 1 hour of data. During a disaster, after the systems are restored, it takes an additional 30 minutes to verify data integrity and resume normal operations. Which metric is represented by the 4-hour requirement?
63. A financial institution requires near-instantaneous recovery of its trading platform after a disaster. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which recovery site strategy best meets these requirements?
64. During a disaster recovery test, the IT team discovers that restoring all data from full backups takes 48 hours, exceeding the RTO. Which backup strategy would reduce restore time while maintaining a similar backup window?
65. Which backup method copies all data that has changed since the last full backup, regardless of subsequent incremental or differential backups?
66. A hospital's electronic health record (EHR) system must be available 24/7. The disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour. Which combination of backup and site strategy best meets these objectives?
67. An organization uses a 3-2-1 backup strategy. They have a primary full backup on a local NAS, a second copy on tape stored offsite, and a third copy in the cloud. During a ransomware attack, the local NAS and the tape library are both encrypted. Which copy should be used for recovery?
68. Which phase of the incident response process involves actions to stop the incident from causing further damage, such as isolating affected systems?
69. A security analyst detects unusual outbound network traffic from a server that normally does not communicate externally. After confirming a malware infection, the analyst isolates the server from the network. Which incident response phase is the analyst performing?
70. During a data breach investigation, the incident response team discovers that personally identifiable information (PII) of EU residents was exfiltrated. Under GDPR, what is the maximum time frame for notifying the supervisory authority?
71. Which type of incident involves an attacker attempting to make a system or network resource unavailable to legitimate users?
72. After an incident is resolved, which phase involves reviewing what happened, documenting lessons learned, and updating procedures?
73. A company is selecting a recovery site strategy. Which TWO factors should be considered when choosing between a hot site and a warm site? (Select TWO.)
74. An organization is updating its incident response plan. Which THREE elements should be included in the preparation phase? (Select THREE.)
75. During a ransomware incident, the incident response team needs to communicate with stakeholders. According to best practices, which TWO groups should be notified immediately? (Select TWO.)
76. An organization wants to ensure that its critical business functions can continue operating during a disruption. Which plan specifically addresses keeping the business running during a disruption?
77. A company's Business Impact Analysis (BIA) determines that its online payment system can tolerate a maximum of 2 hours of downtime. The IT team estimates that restoring the system from backups will take 1 hour, and the team needs another 30 minutes to verify data integrity and resume normal operations. Which metric does the 30-minute verification period represent?
78. An organization is selecting a recovery site strategy that offers the fastest recovery time, measured in hours, to minimize downtime for critical applications. Which recovery site type best meets this requirement?
79. A company performs a full backup every Sunday and incremental backups on other days. On Wednesday, a server failure occurs. Which backups are needed to restore the server to its state at Tuesday's backup?
80. During an incident, a security analyst detects unusual network traffic from a workstation that is exfiltrating data to an external IP address. The analyst isolates the workstation. Which incident response phase does the isolation action belong to?
81. Which backup strategy requires the least amount of time to perform a daily backup but the most time to perform a full restore?
82. A healthcare organization experiences a data breach involving protected health information (PHI). Under GDPR, within how many hours must the organization notify the relevant supervisory authority?
83. An organization has an RTO of 4 hours and an RPO of 1 hour for its customer database. After a disaster, the IT team restores the database from backups that are 2 hours old, and the system becomes operational in 3 hours. Which of the following is true?
84. Which phase of the incident response process involves restoring systems to normal operation and applying patches to prevent recurrence?
85. Which of the following is a key component of the 3-2-1 backup rule?
86. A company has a reciprocal agreement with another organization for disaster recovery. During a major outage, the company attempts to activate the agreement but finds that the partner's facility is also impacted by the same disaster. This scenario highlights a primary disadvantage of which recovery strategy?
87. During a security incident, a company must notify stakeholders without revealing sensitive details that could worsen the situation. Which TWO groups should typically be notified immediately according to incident response best practices? (Select TWO)
88. An organization is implementing backup strategies. Which THREE are characteristics of differential backups? (Select THREE)
89. An incident response team is analyzing a data breach. Which THREE actions are part of the 'Lessons Learned' phase? (Select THREE)
90. A company is planning its backup strategy and wants to minimize storage usage while ensuring fast restores. Which TWO backup types should the company consider as primary and secondary backups? (Select TWO)
91. A financial services company is conducting a Business Impact Analysis (BIA) for its online banking platform. Which TWO of the following are correctly defined metrics used in BIA?
92. During a ransomware incident, the incident response team has completed the containment and eradication phases. According to the NIST incident response framework, which THREE of the following activities are part of the post-incident activity phase?
93. A company is evaluating backup strategies for its critical database. Which TWO of the following are correct statements about backup types?
94. An organization is re-evaluating its disaster recovery site options. Which TWO of the following describe characteristics of a warm site?
95. An organization experiences a data breach involving personally identifiable information (PII) of European Union residents. According to GDPR, which THREE of the following are required actions?
The Business Continuity, Disaster Recovery, and Incident Response domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.
The Courseiva CC question bank contains 95 questions in the Business Continuity, Disaster Recovery, and Incident Response domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Business Continuity, Disaster Recovery, and Incident Response domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.