YouTube
shieldCISSP Practice Domain 7 — Security Operations Q9 of 120

What is the correct order of phases in the NIST incident response lifecycle (SP 800-61)?

A CISSP practice question covering Domain 7: Security Operations. Try answering before reading the explanation below.

Show options & answer
A
Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity
✓ Correct answer
B
Identification → Containment → Eradication → Recovery → Lessons Learned
C
Plan → Detect → Respond → Document
D
Detection → Analysis → Reporting → Closure
Why "Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity" is the right answer

NIST SP 800-61 defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity. SANS uses six phases (PICERL). Either may appear; the question asks specifically for NIST.

Study videos for this topic

Want to go deeper on Domain 7? Watch the full breakdown — every video is free, no account, no upsell.

CISSP Domain 7: Digital Forensics & Chain of Custody
Domain 7 — Security Operations
CISSP Domain 7: SIEM, IDS/IPS, Honeypots & UEBA
Domain 7 — Security Operations
CISSP Domain 7: Least Privilege, SoD & Resource Protection
Domain 7 — Security Operations
Take the full CISSP practice test
120 questions, instant explanations, study-video links on every miss. No account.
Start full test →

Other practice tests

All practice tests CISSP videos Glossary