nerdexam
(ISC)2

CISSP · Question #4

Which of the following is the FIRST step in the incident response process?

The correct answer is D. Investigate all symptoms to confirm the incident. The first step in incident response is to investigate and confirm that an actual incident has occurred before taking any remediation actions. Acting without confirmation risks disrupting normal operations unnecessarily.

Submitted by zhang_li· Mar 5, 2026Security Operations

Question

Which of the following is the FIRST step in the incident response process?

Options

  • ADetermine the cause of the incident
  • BDisconnect the system involved from the network
  • CIsolate and contain the system involved
  • DInvestigate all symptoms to confirm the incident

How the community answered

(14 responses)
  • A
    7% (1)
  • C
    7% (1)
  • D
    86% (12)

Why each option

The first step in incident response is to investigate and confirm that an actual incident has occurred before taking any remediation actions. Acting without confirmation risks disrupting normal operations unnecessarily.

ADetermine the cause of the incident

Determining the root cause is part of the later analysis or post-incident activity phase, not the first step, as you must first confirm an incident exists before performing root cause analysis.

BDisconnect the system involved from the network

Disconnecting a system from the network is a containment action that occurs after the incident has been identified and confirmed, and premature disconnection can destroy volatile forensic evidence.

CIsolate and contain the system involved

Isolating and containing the affected system is the second major phase of incident response, which only begins after the incident has been identified and verified through initial investigation.

DInvestigate all symptoms to confirm the incidentCorrect

Before any containment or remediation action is taken, the incident response process requires that all symptoms be investigated to confirm a real incident is occurring. This identification phase ensures responders are not reacting to false positives and allows them to understand the scope and nature of the incident, which informs all subsequent steps such as containment, eradication, and recovery.

Concept tested: Incident response lifecycle identification phase order

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#incident response#incident handling#preparation#detection

Community Discussion

No community discussion yet for this question.

Full CISSP Practice