Courseiva

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Business Continuity, Disaster Recovery, and Incident Response

Practice CC Business Continuity, Disaster Recovery, and Incident Response questions with full explanations on every answer.


All CC Business Continuity, Disaster Recovery, and Incident Response questions (95)


1

A company is developing a business continuity plan. Which document identifies critical business functions and their dependencies, including the maximum acceptable downtime?

2

An organization's recovery time objective (RTO) for its customer database is 4 hours, and the recovery point objective (RPO) is 1 hour. The database is backed up every hour using full backups. A disaster occurs at 2:00 PM, and the last successful backup was at 1:00 PM. The system is restored and operational at 5:30 PM, but data from 1:00 PM to 2:00 PM is lost. Which statement is correct?

3

During a disaster recovery test, an organization uses a warm site. The site has partially configured servers and network infrastructure but lacks recent data. The recovery team expects to have the system operational within 2 days. Which recovery metric is most directly addressed by the warm site's capabilities?

4

An organization stores backup data on a tape drive (onsite) and also replicates critical data to a cloud storage service. This practice best exemplifies which backup rule?

5

Which recovery site strategy provides the shortest recovery time objective (RTO), typically measured in hours, by maintaining a fully mirrored environment that can be activated immediately?

6

A security analyst detects unusual outbound network traffic from a server that typically only handles internal file sharing. The traffic appears to be exfiltrating sensitive data. Which phase of the incident response process should the analyst initiate next?

7

A company experiences a ransomware attack that encrypts all files on a file server. The IT team decides to restore the server from the most recent full backup taken 24 hours ago, followed by all differential backups taken since then. If the last full backup was on Sunday at midnight, and the attack occurs on Wednesday at 6:00 AM, with differential backups taken daily at noon, how many differential backups must be restored?

8

During a data breach incident, the incident response team discovers that personally identifiable information (PII) of European Union residents was compromised. According to GDPR, what is the maximum time frame for notifying the supervisory authority?

9

Which type of backup copies all data that has changed since the last full backup, regardless of any subsequent incremental or differential backups?

10

A financial institution's incident response team is handling a denial-of-service (DoS) attack that is affecting customer access. The team has identified the attack source IPs and implemented filtering rules on the perimeter firewall. Which phase of incident response is being performed?

11

An organization's business continuity plan designates a maximum tolerable downtime (MTD) of 8 hours for its order processing system. The system's recovery time objective (RTO) is set at 4 hours, and work recovery time (WRT) is estimated at 2 hours. If a disaster occurs at 10:00 AM and the system is restored at 2:00 PM, but additional configuration and data validation take until 3:30 PM to complete, what is the total downtime and is the MTD met?

12

Which incident category involves an attacker tricking an employee into revealing their login credentials through a fraudulent email?

13

A company is creating a backup strategy for its critical database. The database is updated continuously, and the company can tolerate up to 2 hours of data loss. Which TWO backup methods would best help achieve a recovery point objective (RPO) of 2 hours? (Select TWO.)

14

During a security incident, the crisis communication team must notify stakeholders. According to best practices, which THREE groups should always be included in initial notifications? (Select THREE.)

15

An organization is evaluating recovery site options. Which TWO factors are most critical when selecting between a hot site and a warm site? (Select TWO.)

16

An organization is developing a Business Continuity Plan (BCP). Which analysis is performed first to identify critical business functions and their dependencies?

17

During a disaster recovery test, the IT team successfully restored systems from backups and achieved the recovery time objective (RTO). However, users could not resume normal work because additional configuration and data validation were needed. Which metric was NOT met?

18

A company’s disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. The database is backed up every hour using incremental backups. After a catastrophic failure, restoration takes 3 hours, but the database must be rolled forward using transaction logs. The total time to make the database fully operational is 5 hours. Which statement is correct?

19

Which recovery site strategy provides the fastest recovery time, typically within hours, and is a fully mirrored environment ready to take over operations immediately?

20

An organization adopts the 3-2-1 backup rule. Which combination of backups satisfies this rule?

21

A small business wants to minimize backup storage space and backup time, knowing that restoration may be slower. Which backup strategy should they choose?

22

During an incident, the security team detects unusual outbound traffic from a server that normally does not communicate externally. The traffic appears to be encrypted and is sent to an unknown IP address. Which incident category best describes this scenario?

23

An organization experiences a ransomware attack that encrypts critical files. The incident response team follows the standard IR phases. After containing the infection and eradicating the malware, what is the next phase?

24

A healthcare organization suffers a data breach involving protected health information (PHI). The incident occurred on Monday, and the organization discovers it on Wednesday. Under GDPR, if the breach affects EU residents, what is the deadline for notifying the supervisory authority?

25

Which of the following best describes a Disaster Recovery Plan (DRP)?

26

A company’s backup strategy: Full backup every Sunday, differential backups Monday through Saturday. On Thursday, the system fails. How many backups are needed to restore the data?

27

An organization determines that its critical financial application has a maximum tolerable downtime (MTD) of 8 hours. The recovery time objective (RTO) is set to 6 hours, and the work recovery time (WRT) is 2 hours. If the application is restored from backup in 5 hours, but additional configuration takes 3 hours, what is the total downtime, and is the MTD met?

28

An organization is developing an incident response plan. Which TWO phases are part of the incident response lifecycle according to the NIST framework? (Select two.)

29

A company is selecting a recovery site strategy. They need to balance cost and recovery time. Which THREE factors should they consider when choosing between hot, warm, and cold sites? (Select three.)

30

An organization experiences a denial-of-service (DoS) attack. Which TWO actions should the incident response team take during the containment phase? (Select two.)

31

An organization is preparing its Business Continuity Plan (BCP). Which process identifies critical business functions and the impact of disruptions?

32

During a BIA, the maximum tolerable downtime for a critical application is determined to be 4 hours. The IT team estimates system recovery will take 2 hours, but additional manual work to reconcile data will take 1 hour. What is the Recovery Time Objective (RTO)?

33

A company has a Recovery Point Objective (RPO) of 1 hour for its financial database. It performs full backups every night at 11 PM and incremental backups every 4 hours. If the system fails at 2:30 PM, what is the maximum data loss in terms of time?

34

Which recovery site strategy provides the fastest Recovery Time Objective (RTO), typically within hours, by maintaining a fully operational mirrored environment?

35

A company uses a reciprocal agreement for disaster recovery. What is a primary risk of this strategy?

36

An organization needs to prioritize recovery of systems after a disaster. Which metric directly indicates the maximum acceptable outage time for a business function?

37

Which backup strategy offers the fastest restore time but requires the most storage space?

38

A company follows the 3-2-1 backup rule. It has two full backups: one on an external hard drive in the server room and one on tape in a safe on-site. Which step should be taken to fully comply with the rule?

39

During which phase of the incident response process would the team identify the root cause of a security incident?

40

A company experiences a data breach involving personal data of EU residents. Under GDPR, what is the maximum time within which the organization must notify the supervisory authority?

41

During an incident, a security analyst identifies a SQL injection attack. The team contains the threat by blocking the attacker's IP. Which step should be performed next in the incident response process?

42

Which incident category involves an attempt to make a system or network resource unavailable to its intended users?

43

A company is implementing a backup strategy. Which TWO of the following are characteristics of incremental backups? (Choose two.)

44

A security team is developing an incident response plan. Which THREE of the following are essential components of crisis communications during a data breach? (Choose three.)

45

Which TWO of the following are common indicators of a potential data breach? (Choose two.)

46

A company is creating a business continuity plan. Which analysis should be performed first to identify critical business functions and their dependencies?

47

After a ransomware attack, the IT team restores systems from backups. The CEO asks how quickly data can be recovered. Which metric addresses the acceptable amount of data loss?

48

An organization's BIA determines that the payroll system has a Maximum Tolerable Downtime (MTD) of 4 hours. The current recovery plan has an RTO of 2 hours and an RPO of 1 hour. What is the maximum Work Recovery Time (WRT) allowed to meet the MTD?

49

Which type of recovery site is pre-configured with hardware and software, but does not have live data, typically requiring days to become operational?

50

A company uses a backup strategy where on Monday a full backup is taken, and on Tuesday only data changed since Monday is backed up. On Wednesday, the backup includes all data changed since Monday. What type of backup is the Wednesday backup?

51

During an incident, the incident response team identifies that a malware infection is spreading. They isolate affected systems to prevent further damage. Which phase of the incident response process are they performing?

52

A security analyst detects unusual outbound traffic from a server that suggests a data breach. According to GDPR, within what timeframe must the organization notify the supervisory authority?

53

An organization is adopting the 3-2-1 backup rule. They currently have data on a primary server and a daily backup to an external hard drive. To comply with the rule, what is the minimum additional requirement?

54

Which incident category involves an attacker tricking an employee into revealing credentials?

55

During a disaster, an organization activates a reciprocal agreement with another company. What is a primary risk associated with this strategy?

56

An organization's backup schedule: Full backup every Sunday, incremental backups Monday-Saturday. If a failure occurs on Thursday, how many backup sets are needed to restore the data?

57

Which phase of the incident response process involves restoring systems to normal operations and confirming they are functioning correctly?

58

A security analyst is prioritizing incidents based on severity. Which TWO factors are most important for determining incident severity?

59

After a major power outage, an organization needs to declare a disaster and activate its DRP. Which THREE elements should be included in the initial crisis communication?

60

An organization is choosing a backup strategy to minimize restore time. Which TWO backup types require only the most recent full backup and the latest differential backup to restore?

61

An organization is creating a Business Continuity Plan (BCP). Which analysis should be performed first to identify critical business functions and their dependencies?

62

A company's critical database must be recovered within 4 hours after a disaster, and they can tolerate losing up to 1 hour of data. During a disaster, after the systems are restored, it takes an additional 30 minutes to verify data integrity and resume normal operations. Which metric is represented by the 4-hour requirement?

63

A financial institution requires near-instantaneous recovery of its trading platform after a disaster. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which recovery site strategy best meets these requirements?

64

During a disaster recovery test, the IT team discovers that restoring all data from full backups takes 48 hours, exceeding the RTO. Which backup strategy would reduce restore time while maintaining a similar backup window?

65

Which backup method copies all data that has changed since the last full backup, regardless of subsequent incremental or differential backups?

66

A hospital's electronic health record (EHR) system must be available 24/7. The disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour. Which combination of backup and site strategy best meets these objectives?

67

An organization uses a 3-2-1 backup strategy. They have a primary full backup on a local NAS, a second copy on tape stored offsite, and a third copy in the cloud. During a ransomware attack, the local NAS and the tape library are both encrypted. Which copy should be used for recovery?

68

Which phase of the incident response process involves actions to stop the incident from causing further damage, such as isolating affected systems?

69

A security analyst detects unusual outbound network traffic from a server that normally does not communicate externally. After confirming a malware infection, the analyst isolates the server from the network. Which incident response phase is the analyst performing?

70

During a data breach investigation, the incident response team discovers that personally identifiable information (PII) of EU residents was exfiltrated. Under GDPR, what is the maximum time frame for notifying the supervisory authority?

71

Which type of incident involves an attacker attempting to make a system or network resource unavailable to legitimate users?

72

After an incident is resolved, which phase involves reviewing what happened, documenting lessons learned, and updating procedures?

73

A company is selecting a recovery site strategy. Which TWO factors should be considered when choosing between a hot site and a warm site? (Select TWO.)

74

An organization is updating its incident response plan. Which THREE elements should be included in the preparation phase? (Select THREE.)

75

During a ransomware incident, the incident response team needs to communicate with stakeholders. According to best practices, which TWO groups should be notified immediately? (Select TWO.)

76

An organization wants to ensure that its critical business functions can continue operating during a disruption. Which plan specifically addresses keeping the business running during a disruption?

77

A company's Business Impact Analysis (BIA) determines that its online payment system can tolerate a maximum of 2 hours of downtime. The IT team estimates that restoring the system from backups will take 1 hour, and the team needs another 30 minutes to verify data integrity and resume normal operations. Which metric does the 30-minute verification period represent?

78

An organization is selecting a recovery site strategy that offers the fastest recovery time, measured in hours, to minimize downtime for critical applications. Which recovery site type best meets this requirement?

79

A company performs a full backup every Sunday and incremental backups on other days. On Wednesday, a server failure occurs. Which backups are needed to restore the server to its state at Tuesday's backup?

80

During an incident, a security analyst detects unusual network traffic from a workstation that is exfiltrating data to an external IP address. The analyst isolates the workstation. Which incident response phase does the isolation action belong to?

81

Which backup strategy requires the least amount of time to perform a daily backup but the most time to perform a full restore?

82

A healthcare organization experiences a data breach involving protected health information (PHI). Under GDPR, within how many hours must the organization notify the relevant supervisory authority?

83

An organization has an RTO of 4 hours and an RPO of 1 hour for its customer database. After a disaster, the IT team restores the database from backups that are 2 hours old, and the system becomes operational in 3 hours. Which of the following is true?

84

Which phase of the incident response process involves restoring systems to normal operation and applying patches to prevent recurrence?

85

Which of the following is a key component of the 3-2-1 backup rule?

86

A company has a reciprocal agreement with another organization for disaster recovery. During a major outage, the company attempts to activate the agreement but finds that the partner's facility is also impacted by the same disaster. This scenario highlights a primary disadvantage of which recovery strategy?

87

During a security incident, a company must notify stakeholders without revealing sensitive details that could worsen the situation. Which TWO groups should typically be notified immediately according to incident response best practices? (Select TWO)

88

An organization is implementing backup strategies. Which THREE are characteristics of differential backups? (Select THREE)

89

An incident response team is analyzing a data breach. Which THREE actions are part of the 'Lessons Learned' phase? (Select THREE)

90

A company is planning its backup strategy and wants to minimize storage usage while ensuring fast restores. Which TWO backup types should the company consider as primary and secondary backups? (Select TWO)

91

A financial services company is conducting a Business Impact Analysis (BIA) for its online banking platform. Which TWO of the following are correctly defined metrics used in BIA?

92

During a ransomware incident, the incident response team has completed the containment and eradication phases. According to the NIST incident response framework, which THREE of the following activities are part of the post-incident activity phase?

93

A company is evaluating backup strategies for its critical database. Which TWO of the following are correct statements about backup types?

94

An organization is re-evaluating its disaster recovery site options. Which TWO of the following describe characteristics of a warm site?

95

An organization experiences a data breach involving personally identifiable information (PII) of European Union residents. According to GDPR, which THREE of the following are required actions?


Frequently asked questions

What does the Business Continuity, Disaster Recovery, and Incident Response domain cover on the CC exam?

The Business Continuity, Disaster Recovery, and Incident Response domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.

How many Business Continuity, Disaster Recovery, and Incident Response questions are in the CC question bank?

The Courseiva CC question bank contains 95 questions in the Business Continuity, Disaster Recovery, and Incident Response domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Business Continuity, Disaster Recovery, and Incident Response for CC?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Business Continuity, Disaster Recovery, and Incident Response questions for CC?

Yes — the session launcher on this page draws questions exclusively from the Business Continuity, Disaster Recovery, and Incident Response domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
