CC · topic practice

Business Continuity, DR & Incident Response practice questions

Practise ISC2 Certified in Cybersecurity (CC) Business Continuity, DR & Incident Response questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Business Continuity, DR & Incident Response

What the exam tests

What to know about Business Continuity, DR & Incident Response

Business Continuity, DR & Incident Response questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Business Continuity, DR & Incident Response exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Business Continuity, DR & Incident Response questions

20 questions · select your answer, then reveal the explanation

During a ransomware incident, the incident response team isolates affected systems. Which of the following is the NEXT best step?

An organization's recovery time objective (RTO) for its customer database is 4 hours. During a disaster, the backup restore process takes 2 hours, but reconfigure and test tasks add another 3 hours. Which action best addresses this gap?

A SOC analyst receives an alert indicating a user executed a PowerShell script that initiated outbound connections to an external IP. The script was delivered via email attachment. Which incident response phase is MOST appropriate for containing this threat?


A company's business continuity plan includes an alternate work site with full IT capabilities. Which type of recovery site does this describe?

An organization uses a primary data center and a backup site 500 miles away. The backup site replicates data synchronously. Which risk is MOST likely introduced by this configuration?

Which TWO actions are appropriate during the identification phase of incident response?

Which THREE elements are essential components of a business continuity plan (BCP)?

Based on the incident log, at which step did the incident response team contain the threat?

Exhibit

Refer to the exhibit.

---
Incident #1023 - Malware Infection
Detection: Antivirus alert on workstation WKS-045
Time: 2024-03-15 14:22 UTC
Actions:
  14:25 - Isolated WKS-045 from network
  14:30 - Scanned system, detected Trojan.Downloader
  14:35 - Escalated to incident handler
  14:45 - Removed malware via AV
  15:00 - System back online
---

Based on the backup schedule, what is the maximum potential data loss?

Exhibit

Refer to the exhibit.

---
Backup Configuration (extract):
- Full backup: Every Sunday at 01:00
- Differential backup: Monday-Saturday at 01:00
- Retention: 30 days
---
A server fails on Wednesday at 10:00. The administrator restores from the most recent full backup and applies the latest differential backup. How much data loss is expected?

You are the incident response lead for a financial services company. At 09:00, the SOC detects unusual outbound traffic from a server in the DMZ to an external IP known to be a command-and-control (C2) server. The server runs a legacy application that cannot be patched. The server is critical for customer transactions, but an alternate manual process can sustain operations for up to 4 hours. The CTO wants to keep the server online to avoid customer impact. The CEO is concerned about data exfiltration. The compliance officer reminds you of regulatory requirements to report breaches within 72 hours. Which action should you take FIRST?

An organization experiences a ransomware attack that encrypts critical file servers. The backups are stored on a separate network segment but are also encrypted. The incident response team suspects the attacker compromised the backup system using stored credentials. Which best practice should have been implemented to prevent this?

During a tabletop exercise for a data center outage, the IT manager realizes that the disaster recovery plan does not specify how to failover the database cluster. The primary data center fails completely. The standby site has a replica of the database, but the application team cannot promote it because they lack the necessary privileges. What is the most likely cause of this gap?

Which TWO actions are most effective in reducing the mean time to detect (MTTD) a security incident?

The exhibit shows a syslog-ng client configuration and a firewall rule on the central logging server (IP 10.0.0.10). The client (192.168.1.100) is not sending logs to the server. What is the most likely cause?

Exhibit

Refer to the exhibit.

syslog-ng configuration:
@version: 3.35
destination d_remote { syslog("10.0.0.10" transport("tls") port(6514)); };
log { source(s_sys); destination(d_remote); };

Firewall rule on logging server:
permit tcp host 10.0.0.10 eq 6514 host 192.168.1.100

A mid-sized e-commerce company has a primary data center in New York and a disaster recovery site in Dallas. The application stack includes a web server, application server, and a PostgreSQL database. The database uses synchronous replication to the DR site. During a routine failover test, the IT team discovers that after failing over to Dallas, the web servers in New York continue to attempt connections to the original database IP, causing application errors. The DNS records have been updated to point to the DR database IP, but the web servers are not refreshing their DNS cache. The company uses a standard TTL of 300 seconds. The IT manager needs a solution that ensures minimal disruption during future failovers. Which action should be taken?

A company's primary data center experiences a complete power failure, and operations are shifted to a secondary site. The failover process takes 4 hours, but the recovery point objective (RPO) is set to 1 hour. Which of the following is the most likely consequence of this incident?

Which TWO of the following are primary objectives of an incident response plan? (Choose two.)

Refer to the exhibit. A security analyst observes that users from the 192.168.1.0/24 network cannot access HTTPS websites, but HTTP access works fine. What is the most likely cause?

Exhibit

Refer to the exhibit.

! Configuration snippet from router R1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group 100 in
!

Drag and drop the steps for the TCP three-way handshake into the correct order.


Drag and drop the steps for the proper disposal of a hard drive containing sensitive data into the correct order.



Frequently asked questions

What does the CC exam test about Business Continuity, DR & Incident Response?
Business Continuity, DR & Incident Response questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong: this active recall approach builds retention far faster than re-reading notes.
Can I practise just Business Continuity, DR & Incident Response questions in a focused session?
Yes. The session launcher on this page draws every question from the Business Continuity, DR & Incident Response domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CC topics?
Use the topic links above to move to related areas, or go back to the CC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CC exam covers. They are not copied from any real exam or dump site.