Develop Security Incident Response Plans
2026 Update with complete solutions.
Q1
Which NIST Special Publication is the primary standard for computer security incident handling?
A) SP 800-53
B) SP 800-61 (Revision 2)
C) SP 800-30
D) SP 800-171
Rationale: NIST SP 800-61 (Rev. 2, 2012) provides guidelines for the incident response lifecycle, teams, and handling.
Answer: B
Q2
According to NIST SP 800-61, the four phases of incident response are:
A) Identify, Protect, Detect, Respond
B) Preparation, Detection & Analysis, Containment & Eradication & Recovery, Post-Incident Activity
C) Plan, Do, Check, Act
D) Triage, Investigate, Remediate, Close
Rationale: NIST’s four-phase lifecycle is widely adopted.
Answer: B
Q3
The SANS Institute’s PICERL model includes which six phases?
A) Plan, Investigate, Contain, Eradicate, Restore, Learn
B) Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
C) Protect, Detect, Respond, Recover, Report, Review
D) Scan, Analyze, Patch, Verify, Document, Close
Rationale: PICERL is SANS’s incident response process.
Answer: B
Q4
ISO/IEC 27035 is the international standard for:
A) Risk management
B) Information security incident management
C) Business continuity
D) Access control
Rationale: ISO 27035 (parts 1-3) provides principles and processes for incident management.
Answer: B
Q5
Which of the following is NOT a primary goal of an incident response plan?
A) Minimize damage from incidents
B) Eliminate all future security incidents (impossible)
C) Restore normal operations quickly
D) Improve security posture through lessons learned
Rationale: IR plans aim to reduce impact, not prevent all incidents (that’s prevention).
Answer: B
Q6-Q25
<details> <summary><strong>Expand for Section 1 answers
(Q6-Q25)</strong></summary>