Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts
Drill 15 practice questions focused entirely on Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts for the ISC2 CC exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A regional flood forces a retail company to close its main office for several days. Before the disruption, the company had documented alternate work locations, prioritized which business functions must keep running, and identified backup suppliers so it could continue serving customers throughout the outage. Which type of plan primarily provides this capability to keep essential operations running during the disruption?
A company created a business continuity plan two years ago. Since then, it has moved several critical applications to a new cloud provider, hired a new operations manager, and changed office locations. During a recent power outage, staff discovered the emergency contact list was outdated and several documented recovery steps referenced systems that no longer exist. What key practice did the organization most likely fail to perform?
A regional bank is finalizing its business continuity plan (BCP). During a review, a manager notices the plan lists critical processes, recovery priorities, and required resources, but no one is sure how staff, executives, and vendors will be reached and coordinated if the primary office phone and email systems are unavailable during a disruption. Which component should be added to address this gap?
During the early stages of building a business continuity program, a company's continuity coordinator is trying to determine, for each business process, the longest period the process can be unavailable before the organization suffers unacceptable or irreversible harm. Which business impact analysis output is the coordinator identifying?
A mid-sized logistics company is beginning to develop its business continuity program. The continuity coordinator wants to know which business functions must be restored first after a disruption and how much downtime each function can tolerate before the company suffers unacceptable losses. Which activity should the coordinator perform to obtain this information?
A regional flood destroys a company's primary data center. The business continuity team has already shifted critical customer-facing operations to a manual workaround so orders can still be taken. Now leadership wants to restore the full IT environment at the alternate site and bring systems back to normal. Which plan governs this specific effort to rebuild and restore the technology environment?
A security analyst at a mid-sized firm notices an unusual spike in outbound network traffic from an internal database server late at night. She reviews the SIEM alerts, correlates the logs, and confirms that the traffic matches known data-exfiltration patterns. She has not yet isolated the server or removed any malware. According to the incident response process, which phase is the analyst currently performing?
A company has just finished containing and recovering from a phishing-based email compromise. The incident response team reconvenes to review how the incident was handled, document what worked and what didn't, and recommend updates to the response plan and employee training. Which phase of the incident response process are they performing?
During a malware outbreak, the incident response team has already isolated the affected workstations from the network to stop the spread. The team lead now directs analysts to remove the malicious files, delete created registry entries, and close the exploited vulnerability before returning systems to service. Which incident response phase does this activity BEST represent?
A retailer's security team has identified a compromised point-of-sale server, isolated it from the network, and confirmed all malware has been removed and the vulnerability patched. They now need to reconnect the server, restore its services, and closely monitor it to ensure the system operates normally without signs of reinfection. Which incident response phase does this activity represent?
A mid-sized company is assembling its incident response team. The security manager insists that beyond IT and security analysts, a representative from the legal department must be a standing member of the team. What is the primary reason legal counsel should be included on the incident response team?
A security analyst at a logistics company notices unusual outbound traffic from an internal file server late at night. She suspects malware is exfiltrating data. According to a typical incident response plan, which activity should the incident response team prioritize immediately after the incident is detected and confirmed?
A retail company's IT team is defining recovery objectives for its order-processing database. Management states that in a disaster, the business can tolerate losing at most 15 minutes of transaction data. Which recovery objective does this 15-minute limit define?
A retail company's disaster recovery plan states that the online order-processing system must be back up and running within 4 hours of any disruptive event. During a planning meeting, a new analyst asks what this 4-hour figure represents. Which recovery objective is being described?
A mid-sized company has just finished writing its disaster recovery plan. Management wants to confirm that the response steps and team roles are clear and workable, but they are worried about disrupting live production systems during any validation activity. Which testing approach best meets this goal?
More CC practice
Keep going with the other ISC2 CC — Certified in Cybersecurity domains, or take a full timed mock exam.
← Back to CC overview