Business Continuity, Disaster Recovery, and Incident Response practice questions

Practise ISC2 Certified in Cybersecurity (CC) questions on Business Continuity, Disaster Recovery, and Incident Response: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations, not to memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Business Continuity, Disaster Recovery, and Incident Response

What the exam tests

What to know about Business Continuity, Disaster Recovery, and Incident Response

Business Continuity, Disaster Recovery, and Incident Response questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Business Continuity, Disaster Recovery, and Incident Response exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Business Continuity, Disaster Recovery, and Incident Response questions

20 questions · select your answer, then reveal the explanation

A company is developing a business continuity plan. Which document identifies critical business functions and their dependencies, including the maximum acceptable downtime?

An organization's recovery time objective (RTO) for its customer database is 4 hours, and the recovery point objective (RPO) is 1 hour. The database is backed up every hour using full backups. A disaster occurs at 2:00 PM, and the last successful backup was at 1:00 PM. The system is restored and operational at 5:30 PM, but data from 1:00 PM to 2:00 PM is lost. Which statement is correct?

During a disaster recovery test, an organization uses a warm site. The site has partially configured servers and network infrastructure but lacks recent data. The recovery team expects to have the system operational within 2 days. Which recovery metric is most directly addressed by the warm site's capabilities?

An organization stores backup data on a tape drive (onsite) and also replicates critical data to a cloud storage service. This practice best exemplifies which backup rule?

Which recovery site strategy provides the shortest recovery time objective (RTO), typically measured in hours, by maintaining a fully mirrored environment that can be activated immediately?

A security analyst detects unusual outbound network traffic from a server that typically only handles internal file sharing. The traffic appears to be exfiltrating sensitive data. Which phase of the incident response process should the analyst initiate next?

A company experiences a ransomware attack that encrypts all files on a file server. The IT team decides to restore the server from the most recent full backup taken 24 hours ago, followed by all differential backups taken since then. If the last full backup was on Sunday at midnight, and the attack occurs on Wednesday at 6:00 AM, with differential backups taken daily at noon, how many differential backups must be restored?

During a data breach incident, the incident response team discovers that personally identifiable information (PII) of European Union residents was compromised. According to GDPR, what is the maximum time frame for notifying the supervisory authority?

Which type of backup copies all data that has changed since the last full backup, regardless of any subsequent incremental or differential backups?

A financial institution's incident response team is handling a denial-of-service (DoS) attack that is affecting customer access. The team has identified the attack source IPs and implemented filtering rules on the perimeter firewall. Which phase of incident response is being performed?

An organization's business continuity plan designates a maximum tolerable downtime (MTD) of 8 hours for its order processing system. The system's recovery time objective (RTO) is set at 4 hours, and work recovery time (WRT) is estimated at 2 hours. If a disaster occurs at 10:00 AM and the system is restored at 2:00 PM, but additional configuration and data validation take until 3:30 PM to complete, what is the total downtime and is the MTD met?

Which incident category involves an attacker tricking an employee into revealing their login credentials through a fraudulent email?

A company is creating a backup strategy for its critical database. The database is updated continuously, and the company can tolerate up to 2 hours of data loss. Which TWO backup methods would best help achieve a recovery point objective (RPO) of 2 hours? (Select TWO.)

During a security incident, the crisis communication team must notify stakeholders. According to best practices, which THREE groups should always be included in initial notifications? (Select THREE.)

An organization is evaluating recovery site options. Which TWO factors are most critical when selecting between a hot site and a warm site? (Select TWO.)

An organization is developing a Business Continuity Plan (BCP). Which analysis is performed first to identify critical business functions and their dependencies?

During a disaster recovery test, the IT team successfully restored systems from backups and achieved the recovery time objective (RTO). However, users could not resume normal work because additional configuration and data validation were needed. Which metric was NOT met?

A company’s disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. The database is backed up every hour using incremental backups. After a catastrophic failure, restoration takes 3 hours, but the database must be rolled forward using transaction logs. The total time to make the database fully operational is 5 hours. Which statement is correct?

Which recovery site strategy provides the fastest recovery time, typically within hours, and is a fully mirrored environment ready to take over operations immediately?

An organization adopts the 3-2-1 backup rule. Which combination of backups satisfies this rule?

Focused Business Continuity, Disaster Recovery, and Incident Response sessions

Start a Business Continuity, Disaster Recovery, and Incident Response only practice session

Every question in these sessions is drawn from the Business Continuity, Disaster Recovery, and Incident Response domain — nothing else.

Related practice questions

Related CC topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CC exam test about Business Continuity, Disaster Recovery, and Incident Response?
Business Continuity, Disaster Recovery, and Incident Response questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Business Continuity, Disaster Recovery, and Incident Response questions in a focused session?
Yes — the session launcher on this page draws every question from the Business Continuity, Disaster Recovery, and Incident Response domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CC topics?
Use the topic links above to move to related areas, or go back to the CC question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CC exam covers. They are not copied from any real exam or dump site.