SSCP · topic practice

Incident Response and Recovery practice questions

Practise Systems Security Certified Practitioner SSCP Incident Response and Recovery practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Incident Response and Recovery

What the exam tests

What to know about Incident Response and Recovery

Incident Response and Recovery questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Incident Response and Recovery exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Incident Response and Recovery questions

20 questions · select your answer, then reveal the explanation

During which phase of the NIST SP 800-61 incident response lifecycle are incident response plan updates and lessons learned typically documented?

An organization's security team detects a potential data breach. After confirming the incident, they classify it as P2 (high severity) and begin containment. Which action should be performed FIRST to preserve evidence for forensic analysis?

A security analyst receives a chain of custody form for a hard drive that was seized from a suspected insider threat. The form shows that the drive was handled by three individuals over two days. Which of the following is the PRIMARY reason for maintaining a chain of custody?

During incident response, a team needs to isolate an infected workstation that is part of a critical manufacturing network. Which containment method is MOST appropriate to minimize disruption while preventing the spread of malware?

After a ransomware incident, an organization decides to restore data from backups. The RPO (Recovery Point Objective) is 4 hours. What does this RPO indicate?

Which DR testing type involves running recovery systems in parallel with production systems to verify functionality without impacting live operations?

During the eradication phase of a malware incident, a security analyst removes malicious files and cleans registry persistence. What is the MOST critical additional step to prevent reinfection through the same vector?

A security team is collecting evidence from a compromised server. They need to create a forensic image. Which of the following is the CORRECT procedure to ensure data integrity?

What is the PRIMARY purpose of a lessons learned meeting after an incident?

An analyst detects suspicious outbound traffic from a workstation to a known command-and-control IP. Which IoC blocking method is MOST appropriate as an immediate containment measure?

During a forensic investigation, an examiner needs to preserve volatile evidence. Which of the following lists the correct order of collection for volatile data?

A company is developing a DR plan for a critical database. The maximum acceptable downtime is 2 hours, and the maximum data loss is 1 hour. What are the RTO and RPO?

A security analyst is investigating a phishing incident that led to credential theft. Which TWO actions are appropriate during the containment phase? (Select TWO)

During a ransomware incident, the incident response team needs to recover encrypted servers. Which THREE steps are essential for successful recovery? (Select THREE)

Which TWO metrics are commonly tracked to measure the effectiveness of the incident response process? (Select TWO)

During which phase of the NIST SP 800-61 incident response lifecycle are lessons learned meetings conducted and metrics such as MTTD and MTTR tracked?

Which of the following is the FIRST step in the volatile evidence collection order when responding to an incident on a live system?

A security analyst receives an alert from the EDR system indicating that a workstation has been communicating with a known malicious IP address. The analyst confirms the alert and notes that the user is still logged in. Which immediate containment action should the analyst take FIRST?

During the eradication phase of incident response, which of the following actions is MOST critical to ensure the threat is completely removed from a compromised system?

An organization's disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. Which of the following DR site configurations BEST meets these requirements?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Incident Response and Recovery sessions

Start a Incident Response and Recovery only practice session

Every question in these sessions is drawn from the Incident Response and Recovery domain — nothing else.

Related practice questions

Related SSCP topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SSCP exam test about Incident Response and Recovery?
Incident Response and Recovery questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Incident Response and Recovery questions in a focused session?
Yes — the session launcher on this page draws every question from the Incident Response and Recovery domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SSCP topics?
Use the topic links above to move to related areas, or go back to the SSCP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SSCP exam covers. They are not copied from any real exam or dump site.