🏠 Back to Exam Syllabus πŸ“Ί RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 17.1 - Conducting Incident Management (Part 1 of 2)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens incident management within Domain 7, Security Operations. It covers the front half of the incident lifecycle, from defining what counts as an incident through detecting, verifying, and responding to one, so the containment and recovery steps that follow slot cleanly into place.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What actually counts as an incident?

In the broadest sense, an incident is any event that harms the confidentiality, integrity, or availability of your assets, a net wide enough to include storms, cut cables, and honest accidents. In this discipline we care about the narrower computer security incident, meaning harm caused by an attack or by malicious, deliberate, or careless human action. Organizations write this definition into their security policy or incident management plan and back it with concrete examples.

What are the phases of managing an incident?

The certification lays out seven ordered steps: detection, response, mitigation, reporting, recovery, remediation, and lessons learned. Treat it as a loop rather than a straight line, because what you learn at the end feeds better detection at the start. Some other frameworks compress these into four phases, but the elements and the goal are the same.

Why is counterattacking never part of the plan?

Because striking back is counterproductive and often illegal. Attackers hide behind spoofed addresses and hijacked machines in a botnet, so if you hack the source you likely hit an innocent victim. And if you do reach the real attacker, you have made it personal and invited a grudge campaign. The right move is to preserve the scene and call the professionals instead.

How do you detect a possible incident, and who responds first?

Detection signals come from intrusion detection and prevention systems, anti-malware tools, automated log scanners that flag predefined events, and ordinary users reporting trouble. An alert is not proof, so every signal has to be investigated. The first responder arrives first, an IT professional trained to tell a routine glitch apart from a genuine security incident, then escalate to the response stage once an event is confirmed.

How do you handle evidence during a response?

Treat everything as potential evidence, because management may decide to prosecute, and protect the data so it holds up in court. Response scales to severity, and speed matters because time is the attacker’s biggest ally. One rule trips people up: do not power off a compromised machine while containing it. Volatile memory and temporary files vanish the instant power is lost, and forensic tools can only recover that live data while the machine stays running.

πŸ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 17.1 - Conducting Incident Management (Part 1 of 2).