Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Incident Response and Recovery

Practice SSCP Incident Response and Recovery questions with full explanations on every answer.

64 questions


Incident Response and Recovery — choose a session length

10 questions (~10 min), 20 questions (~20 min), 30 questions (~30 min), or 50 questions (~50 min)


All SSCP Incident Response and Recovery questions (64)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1. During which phase of the NIST SP 800-61 incident response lifecycle are incident response plan updates and lessons learned typically documented?

2. An organization's security team detects a potential data breach. After confirming the incident, they classify it as P2 (high severity) and begin containment. Which action should be performed FIRST to preserve evidence for forensic analysis?

3. A security analyst receives a chain of custody form for a hard drive that was seized from a suspected insider threat. The form shows that the drive was handled by three individuals over two days. Which of the following is the PRIMARY reason for maintaining a chain of custody?

4. During incident response, a team needs to isolate an infected workstation that is part of a critical manufacturing network. Which containment method is MOST appropriate to minimize disruption while preventing the spread of malware?

5. After a ransomware incident, an organization decides to restore data from backups. The RPO (Recovery Point Objective) is 4 hours. What does this RPO indicate?

6. Which DR testing type involves running recovery systems in parallel with production systems to verify functionality without impacting live operations?

7. During the eradication phase of a malware incident, a security analyst removes malicious files and cleans registry persistence. What is the MOST critical additional step to prevent reinfection through the same vector?

8. A security team is collecting evidence from a compromised server. They need to create a forensic image. Which of the following is the CORRECT procedure to ensure data integrity?

9. What is the PRIMARY purpose of a lessons learned meeting after an incident?

10. An analyst detects suspicious outbound traffic from a workstation to a known command-and-control IP. Which IoC blocking method is MOST appropriate as an immediate containment measure?

11. During a forensic investigation, an examiner needs to preserve volatile evidence. Which of the following lists the correct order of collection for volatile data?

12. A company is developing a DR plan for a critical database. The maximum acceptable downtime is 2 hours, and the maximum data loss is 1 hour. What are the RTO and RPO?

13. A security analyst is investigating a phishing incident that led to credential theft. Which TWO actions are appropriate during the containment phase? (Select TWO)

14. During a ransomware incident, the incident response team needs to recover encrypted servers. Which THREE steps are essential for successful recovery? (Select THREE)

15. Which TWO metrics are commonly tracked to measure the effectiveness of the incident response process? (Select TWO)

16. During which phase of the NIST SP 800-61 incident response lifecycle are lessons learned meetings conducted and metrics such as MTTD and MTTR tracked?

17. Which of the following is the FIRST step in the volatile evidence collection order when responding to an incident on a live system?

18. A security analyst receives an alert from the EDR system indicating that a workstation has been communicating with a known malicious IP address. The analyst confirms the alert and notes that the user is still logged in. Which immediate containment action should the analyst take FIRST?

19. During the eradication phase of incident response, which of the following actions is MOST critical to ensure the threat is completely removed from a compromised system?

20. An organization's disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. Which of the following DR site configurations BEST meets these requirements?

21. Which of the following is the PRIMARY purpose of establishing a chain of custody when handling digital evidence?

22. An incident responder is tasked with collecting forensic evidence from a compromised Linux server. Which command would the responder use to capture the contents of volatile memory (RAM) for analysis?

23. After containing a ransomware incident, the incident response team identifies that the attacker gained initial access through a phishing email that installed a backdoor. Which of the following eradication steps is MOST critical to prevent re-infection?

24. During the detection and analysis phase, an analyst classifies an incident as P1 (critical) because it involves a breach of sensitive customer data. What is the IMMEDIATE next step the analyst should take?

25. Which type of disaster recovery test involves running the DR systems alongside the production systems to validate functionality without impacting live operations?

26. An incident responder needs to create a forensic image of a suspect hard drive. Which of the following steps is ESSENTIAL to ensure the integrity of the evidence?

27. During a malware containment operation, the incident response team decides to isolate an infected endpoint using network access controls. However, the malware is spreading via removable media. Which additional containment measure should the team implement?

28. An organization has suffered a ransomware attack that encrypted files on several file servers. The incident response team is planning recovery. Which TWO actions should be performed to verify that the restored systems are clean before returning them to production? (Select TWO)

29. A forensic investigator is collecting evidence from a compromised Windows server. According to the order of volatility, which THREE pieces of evidence should be collected FIRST? (Select THREE)

30. During the preparation phase of incident response, which TWO components are essential for an effective incident response plan? (Select TWO)

31. An organization is developing its incident response plan. According to NIST SP 800-61, which phase should include establishing a communication plan, acquiring necessary tools, and conducting exercises?

32. A security analyst detects a workstation communicating with a known command-and-control server. The workstation is running critical applications. What should be the analyst's first step according to the NIST incident response lifecycle?

33. During a forensic investigation, a responder must collect evidence from a live Windows system. Which of the following represents the correct order for collecting volatile data?

34. An organization has experienced a ransomware attack. After containing the incident, the response team plans to restore systems from backups. Which step is most critical before restoring production systems?

35. Which of the following is the primary purpose of a chain of custody form in digital forensics?

36. An incident responder needs to create a forensic image of a suspect hard drive. What is the correct procedure to ensure evidence integrity?

37. A security team detects lateral movement within the network. Which containment strategy should be applied first to limit the spread of the threat?

38. During a post-incident review, the incident response team identifies that the mean time to detect (MTTD) was 14 days. Which improvement would most directly reduce MTTD?

39. Which type of disaster recovery test involves running the DR systems alongside production systems to verify functionality without impacting operations?

40. An organization's disaster recovery plan specifies an RPO of 4 hours and an RTO of 24 hours for a critical database. Which of the following best describes these metrics?

41. An incident responder is handling a malware outbreak. The malware has been identified as a fileless threat that persists via registry run keys. Which eradication step is most appropriate?

42. During the detection and analysis phase, an analyst receives a user report of unusual system behavior. The analyst reviews logs and finds several failed login attempts followed by a successful login from an unusual IP address. What is the next step?

43. An incident responder is collecting volatile evidence from a compromised Linux server. Which TWO of the following should be collected first? (Select two.)

44. A company is selecting a disaster recovery site for its critical applications. Which THREE characteristics differentiate a warm site from a cold site? (Select three.)

45. After a security incident, the response team holds a lessons learned meeting. Which TWO are primary objectives of this meeting? (Select two.)

46. During the preparation phase of the incident response lifecycle, which of the following is the MOST important component to establish?

47. An analyst detects suspicious outbound traffic from a server to a known command-and-control IP address. According to NIST SP 800-61, which phase of the incident response lifecycle does this activity fall under?

48. A security analyst receives a user report about a workstation exhibiting unusual behavior, such as unexpected pop-ups and slow performance. The analyst first checks the antivirus logs and finds no alerts. What is the NEXT step in the detection and analysis phase?

49. During a malware outbreak, a security analyst needs to contain the spread. The affected systems are on the same VLAN as critical servers. Which of the following containment actions should be performed FIRST to minimize impact?

50. An incident responder is collecting evidence from a compromised server. Which of the following is the correct order for collecting volatile data?

51. What is the primary purpose of establishing a chain of custody for digital evidence?

52. During a forensic investigation, an examiner creates a bit-for-bit copy of a hard drive using a write blocker. What is the purpose of using a write blocker?

53. An organization is restoring a critical database from a backup after a ransomware attack. Which of the following steps should be performed BEFORE restoring the data to ensure the restoration is successful and secure?

54. Which metric is used to measure the average time it takes to detect an incident?

55. After a security incident, the incident response team holds a lessons learned meeting. What is the PRIMARY outcome of this meeting?

56. A company's disaster recovery plan specifies an RTO of 4 hours for its customer relationship management (CRM) system. Which of the following DR site types is MOST appropriate to meet this RTO?

57. During a full interruption test of the disaster recovery plan, which of the following is the PRIMARY risk?

58. A security analyst is responding to a malware incident on a Windows server. Which TWO actions should be taken to properly collect volatile evidence?

59. During a post-incident review, the incident response team identifies several areas for improvement. According to NIST SP 800-61, which THREE activities are typically part of the post-incident activity phase?

60. A company is conducting a disaster recovery test. Which TWO types of tests involve minimal risk to production operations?

61. During the containment phase of incident response, a security analyst identifies malware on a critical server. Which TWO actions should be taken FIRST to contain the threat and preserve evidence? (Choose two.)

62. After a ransomware incident, the incident response team is conducting recovery. Which THREE steps are essential to ensure a secure restoration and prevent reinfection? (Choose three.)

63. An organization uses a hot disaster recovery (DR) site and has a Recovery Time Objective (RTO) of 4 hours. During a DR test, the team discovers that data replication from the primary site fails. Which TWO actions should the team take to meet the RTO while ensuring data integrity? (Choose two.)

64. During a post-incident review of a data breach, the incident response team is evaluating the chain of custody for forensic evidence. Which THREE practices demonstrate proper evidence handling? (Choose three.)


Frequently asked questions

What does the Incident Response and Recovery domain cover on the SSCP exam?

The Incident Response and Recovery domain covers the key concepts tested in this area of the SSCP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SSCP domains — no account required.

How many Incident Response and Recovery questions are in the SSCP question bank?

The Courseiva SSCP question bank contains 64 questions in the Incident Response and Recovery domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Incident Response and Recovery for SSCP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Incident Response and Recovery questions for SSCP?

Yes — the session launcher on this page draws questions exclusively from the Incident Response and Recovery domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
