ISC2 CC — Certified in Cybersecurity · Domain 2 · 10% of exam

Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts

Drill 15 practice questions focused entirely on Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts for the ISC2 CC exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer15 questions
Question 1 of 15

A regional flood forces a retail company to close its main office for several days. Before the disruption, the company had documented alternate work locations, prioritized which business functions must keep running, and identified backup suppliers so it could continue serving customers throughout the outage. Which type of plan primarily provides this capability to keep essential operations running during the disruption?

Reviewed for accuracy · Report an issue
Question 2 of 15

A company created a business continuity plan two years ago. Since then, it has moved several critical applications to a new cloud provider, hired a new operations manager, and changed office locations. During a recent power outage, staff discovered the emergency contact list was outdated and several documented recovery steps referenced systems that no longer exist. What key practice did the organization most likely fail to perform?

Reviewed for accuracy · Report an issue
Question 3 of 15

A regional bank is finalizing its business continuity plan (BCP). During a review, a manager notices the plan lists critical processes, recovery priorities, and required resources, but no one is sure how staff, executives, and vendors will be reached and coordinated if the primary office phone and email systems are unavailable during a disruption. Which component should be added to address this gap?

Reviewed for accuracy · Report an issue
Question 4 of 15

During the early stages of building a business continuity program, a company's continuity coordinator is trying to determine, for each business process, the longest period the process can be unavailable before the organization suffers unacceptable or irreversible harm. Which business impact analysis output is the coordinator identifying?

Reviewed for accuracy · Report an issue
Question 5 of 15

A mid-sized logistics company is beginning to develop its business continuity program. The continuity coordinator wants to know which business functions must be restored first after a disruption and how much downtime each function can tolerate before the company suffers unacceptable losses. Which activity should the coordinator perform to obtain this information?

Reviewed for accuracy · Report an issue
Question 6 of 15

A regional flood destroys a company's primary data center. The business continuity team has already shifted critical customer-facing operations to a manual workaround so orders can still be taken. Now leadership wants to restore the full IT environment at the alternate site and bring systems back to normal. Which plan governs this specific effort to rebuild and restore the technology environment?

Reviewed for accuracy · Report an issue
Question 7 of 15

A security analyst at a mid-sized firm notices an unusual spike in outbound network traffic from an internal database server late at night. She reviews the SIEM alerts, correlates the logs, and confirms that the traffic matches known data-exfiltration patterns. She has not yet isolated the server or removed any malware. According to the incident response process, which phase is the analyst currently performing?

Reviewed for accuracy · Report an issue
Question 8 of 15

A company has just finished containing and recovering from a phishing-based email compromise. The incident response team reconvenes to review how the incident was handled, document what worked and what didn't, and recommend updates to the response plan and employee training. Which phase of the incident response process are they performing?

Reviewed for accuracy · Report an issue
Question 9 of 15

During a malware outbreak, the incident response team has already isolated the affected workstations from the network to stop the spread. The team lead now directs analysts to remove the malicious files, delete created registry entries, and close the exploited vulnerability before returning systems to service. Which incident response phase does this activity BEST represent?

Reviewed for accuracy · Report an issue
Question 10 of 15

A retailer's security team has identified a compromised point-of-sale server, isolated it from the network, and confirmed all malware has been removed and the vulnerability patched. They now need to reconnect the server, restore its services, and closely monitor it to ensure the system operates normally without signs of reinfection. Which incident response phase does this activity represent?

Reviewed for accuracy · Report an issue
Question 11 of 15

A mid-sized company is assembling its incident response team. The security manager insists that beyond IT and security analysts, a representative from the legal department must be a standing member of the team. What is the primary reason legal counsel should be included on the incident response team?

Reviewed for accuracy · Report an issue
Question 12 of 15

A security analyst at a logistics company notices unusual outbound traffic from an internal file server late at night. She suspects malware is exfiltrating data. According to a typical incident response plan, which activity should the incident response team prioritize immediately after the incident is detected and confirmed?

Reviewed for accuracy · Report an issue
Question 13 of 15

A retail company's IT team is defining recovery objectives for its order-processing database. Management states that in a disaster, the business can tolerate losing at most 15 minutes of transaction data. Which recovery objective does this 15-minute limit define?

Reviewed for accuracy · Report an issue
Question 14 of 15

A retail company's disaster recovery plan states that the online order-processing system must be back up and running within 4 hours of any disruptive event. During a planning meeting, a new analyst asks what this 4-hour figure represents. Which recovery objective is being described?

Reviewed for accuracy · Report an issue
Question 15 of 15

A mid-sized company has just finished writing its disaster recovery plan. Management wants to confirm that the response steps and team roles are clear and workable, but they are worried about disrupting live production systems during any validation activity. Which testing approach best meets this goal?

Reviewed for accuracy · Report an issue

More CC practice

Keep going with the other ISC2 CC — Certified in Cybersecurity domains, or take a full timed mock exam.

← Back to CC overview