Incident response (IR) is the organised process for managing the aftermath of a security incident to limit damage, reduce recovery time, and prevent recurrence. The CISSP exam tests incident response extensively in Domain 7, focusing on the lifecycle model, the correct sequence of activities, and the governance decisions that distinguish effective IR from reactive firefighting. Order matters enormously in IR questions — the exam will test whether you know that containment comes before eradication, and evidence preservation comes before cleanup.

The NIST Incident Response Lifecycle

NIST Special Publication 800-61 defines a four-phase incident response lifecycle that is the dominant framework tested on the CISSP exam.

Preparation is the phase that occurs before any incident. It involves developing and testing incident response plans, establishing communication trees and escalation procedures, deploying detection tools (SIEM, EDR, IDS), training responders, establishing relationships with external resources (law enforcement contacts, forensic firms, legal counsel, cyber insurance), and maintaining evidence collection capabilities (forensic workstations, documentation templates, write blockers).

Detection and Analysis is the phase where the organisation identifies that an incident has occurred and understands its nature and scope. Detection may come from automated tools (SIEM alerts, IDS notifications, antivirus alerts), external notification (law enforcement, customers, vendors), or manual discovery. Analysis involves confirming the incident (true positive vs false positive), understanding the attack vector, identifying affected systems, and assessing the scope and severity of the incident.
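The analysis steps above (confirm true positive versus false positive, identify the attack vector, list affected systems, rate severity) are what an analyst does by hand in a SIEM. The following is an added worked example, not code from NIST SP 800-61 or from this page: it runs that triage over a handful of constructed alert lines in an assumed `key=value` format, drops duplicate alerts, marks known-benign activity (a hypothetical vulnerability-scanner account and IP, an EICAR test) as false positives, and summarises scope and severity. The allowlists and severity thresholds are assumptions to be tuned per environment.

```python
"""Detection-and-analysis triage over constructed SIEM/EDR alert lines.

Hypothetical example: parse alerts, drop duplicates, mark known-benign
sources as false positives, and summarise scope (affected hosts),
initial vector and severity for the IR lead.
"""
import re
from dataclasses import dataclass

# Constructed sample alerts (not real telemetry). Assumed line format:
# <timestamp> <source> host=<host> user=<user> rule=<rule> sev=<n> msg="<text>"
# Lines 1 and 2 are an intentional duplicate; the last two are benign noise.
SAMPLE_ALERTS = """\
2024-03-01T09:14:02Z EDR host=ws-017 user=jdoe rule=credential_dump sev=9 msg="lsass.exe memory read by unsigned process"
2024-03-01T09:14:02Z EDR host=ws-017 user=jdoe rule=credential_dump sev=9 msg="lsass.exe memory read by unsigned process"
2024-03-01T09:15:40Z SIEM host=ws-017 user=jdoe rule=lateral_smb sev=7 msg="admin$ share access to srv-fs01"
2024-03-01T09:16:05Z SIEM host=srv-fs01 user=jdoe rule=lateral_smb sev=7 msg="new service installed"
2024-03-01T09:20:11Z AV host=ws-042 user=vscan rule=eicar_test sev=3 msg="EICAR test string detected"
2024-03-01T09:21:00Z IDS host=ws-099 user=- rule=port_scan sev=4 msg="scan from 10.0.5.5 (vuln scanner)"
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) (?P<source>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'rule=(?P<rule>\S+) sev=(?P<sev>\d+) msg="(?P<msg>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    ts: str
    source: str
    host: str
    user: str
    rule: str
    sev: int
    msg: str


def parse_alerts(text):
    """Parse the assumed alert format; an unparseable line is an error, not silently dropped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable alert line: {line!r}")
        fields = m.groupdict()
        fields["sev"] = int(fields["sev"])
        alerts.append(Alert(**fields))
    return alerts


def dedupe(alerts):
    """Collapse repeated alerts (same time, host, rule and message), keeping first occurrence."""
    seen, unique = set(), []
    for a in alerts:
        key = (a.ts, a.host, a.rule, a.msg)
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique


# Constructed allowlist of known-benign activity (assumption; tune per environment).
BENIGN_USERS = {"vscan"}          # hypothetical authorised vulnerability-scanner account
BENIGN_SCANNER_IPS = {"10.0.5.5"}  # hypothetical scanner address
BENIGN_RULES = {"eicar_test"}      # EICAR is a test string, not malware


def is_false_positive(a):
    if a.user in BENIGN_USERS or a.rule in BENIGN_RULES:
        return True
    return any(ip in a.msg for ip in BENIGN_SCANNER_IPS)


def severity_label(score):
    """Map the highest confirmed alert score to an assumed severity band."""
    if score >= 8:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def triage(alerts):
    """Return the analysis summary: confirmed count, false positives, scope, vector, severity."""
    unique = dedupe(alerts)
    confirmed = sorted((a for a in unique if not is_false_positive(a)), key=lambda a: a.ts)
    false_positives = [a for a in unique if is_false_positive(a)]
    top_score = max((a.sev for a in confirmed), default=0)
    return {
        "confirmed": len(confirmed),
        "false_positives": len(false_positives),
        "affected_hosts": sorted({a.host for a in confirmed}),
        "initial_vector": confirmed[0].rule if confirmed else None,
        "first_seen": confirmed[0].ts if confirmed else None,
        "severity": severity_label(top_score),
    }


if __name__ == "__main__":
    print(triage(parse_alerts(SAMPLE_ALERTS)))
```

The summary it produces (two affected hosts, credential dumping as the earliest confirmed activity, critical severity) is the kind of scoped statement the Detection and Analysis phase is meant to hand to the containment decision; the two benign events are recorded as false positives rather than discarded, so the review in Lessons Learned can still see them.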

Containment, Eradication, and Recovery is the action phase. Although NIST groups them into one phase, these are three separate activities that the exam treats as sequential and distinct: containment stops the incident from spreading, eradication removes its cause from the environment, and recovery returns affected systems to normal operation.
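The ordering rules the exam tests (containment before eradication, evidence preservation before cleanup, recovery only after eradication, lessons learned last) can be expressed as a small phase gate in an IR tracking tool. The block below is an added illustration, not code from NIST or from this page: a hypothetical `Incident` class that refuses out-of-order actions and refuses eradication until at least one evidence item has been preserved. The phase names, the SHA-256 evidence record and the `run_playbook` walkthrough are assumptions for the example.

```python
"""Phase gating for incident handling order (hypothetical example).

Enforces: detect -> contain -> eradicate -> recover -> lessons learned,
and blocks eradication (cleanup) until evidence has been preserved.
"""
from enum import Enum


class Phase(Enum):
    DETECTED = "detected"
    CONTAINED = "contained"
    ERADICATED = "eradicated"
    RECOVERED = "recovered"
    CLOSED = "closed"


class PhaseError(RuntimeError):
    """Raised when an action is attempted out of lifecycle order."""


class Incident:
    def __init__(self, ident):
        self.ident = ident
        self.phase = Phase.DETECTED
        self.evidence = []   # (description, sha256) pairs preserved before cleanup
        self.log = []        # audit trail of (action, detail) in the order performed

    def _require(self, expected, action):
        if self.phase != expected:
            raise PhaseError(
                f"{action} not allowed in phase '{self.phase.value}'; "
                f"expected '{expected.value}'"
            )

    def preserve_evidence(self, description, sha256):
        # Allowed in any open phase; the point is that it must happen before eradicate().
        if self.phase == Phase.CLOSED:
            raise PhaseError("incident is closed")
        self.evidence.append((description, sha256))
        self.log.append(("preserve_evidence", description))

    def contain(self, action):
        self._require(Phase.DETECTED, "contain")
        self.phase = Phase.CONTAINED
        self.log.append(("contain", action))

    def eradicate(self, action):
        self._require(Phase.CONTAINED, "eradicate")
        if not self.evidence:
            raise PhaseError("eradication would destroy evidence: preserve it first")
        self.phase = Phase.ERADICATED
        self.log.append(("eradicate", action))

    def recover(self, action):
        self._require(Phase.ERADICATED, "recover")
        self.phase = Phase.RECOVERED
        self.log.append(("recover", action))

    def close_with_lessons_learned(self, findings):
        self._require(Phase.RECOVERED, "lessons learned")
        if not findings:
            raise PhaseError("lessons learned review requires at least one finding")
        self.phase = Phase.CLOSED
        self.log.append(("lessons_learned", "; ".join(findings)))


def run_playbook():
    """Walk one constructed incident through the lifecycle in the correct order."""
    inc = Incident("INC-EXAMPLE-001")  # constructed identifier
    inc.contain("isolate ws-017 from the network")
    inc.preserve_evidence("ws-017 memory image", "0" * 64)  # placeholder hash
    inc.eradicate("remove credential-dumping tool, reset jdoe credentials")
    inc.recover("rebuild ws-017 from gold image, monitor for recurrence")
    inc.close_with_lessons_learned(["enable LSASS protection on workstations"])
    return inc


if __name__ == "__main__":
    for action, detail in run_playbook().log:
        print(f"{action:18} {detail}")
```

Raising on an out-of-order call rather than silently reordering is deliberate: a tracker that quietly accepts "eradicate" before "contain" records a sequence the post-incident review cannot trust.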

Lessons Learned is the post-incident review phase. After the incident is resolved, the IR team conducts a structured review to identify what happened, how well the response worked, what should be done differently, and what improvements should be made to prevention, detection, and response capabilities.