Domain 4: Incident Management Review — 39 of 47

Domain 4 – Section A Review: Incident Management Readiness

CISM Domain 4 — Incident Management Section A Review 15–20 min

This section integrates:

  • Incident Response Planning
  • Business Impact Analysis
  • Business Continuity Planning
  • Disaster Recovery Planning
  • Incident Classification
  • Training and Testing

CISM evaluates whether you can build structured readiness before an incident occurs.


1. Structure Before Chaos

An Incident Response Plan must:

  • Define roles and responsibilities
  • Establish severity levels
  • Define escalation pathways
  • Integrate regulatory reporting
  • Include post-incident review

Without structure, escalation fails.


2. BIA Drives Priorities

BIA defines:

  • Critical business processes
  • Financial and operational impact
  • RTO (maximum downtime)
  • RPO (maximum data loss)

Recovery priorities must align with business impact — not technical convenience.


3. BCP Preserves Operations

Business Continuity Planning ensures:

  • Essential processes continue
  • Alternate strategies are defined
  • Communication plans are clear
  • Leadership is involved

BCP focuses on operations — not just IT.


4. DRP Restores Infrastructure

Disaster Recovery Planning ensures:

  • Systems are restored according to RTO/RPO
  • Backup strategies align with RPO
  • Recovery sequencing aligns with BIA
  • Restoration testing is conducted

Backups without restoration testing are weak governance.
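As an added illustration of Sections 2 and 4 (example code, not part of the CISM review), the check below compares a DR plan against BIA-defined RTO/RPO targets on the four points the section lists: backup cadence versus RPO, restore time versus RTO, restoration-test recency, and recovery sequencing versus BIA priority. All process names and figures are constructed sample data.

```python
# Added example, not from the CISM page: checks a DR plan against BIA-defined RTO/RPO
# targets as Sections 2 and 4 describe. All names and figures are constructed sample data.
from dataclasses import dataclass
from typing import Optional
@dataclass
class BiaEntry:
    process: str
    impact_rank: int    # 1 = highest business impact, set by the BIA
    rto_hours: float    # maximum tolerable downtime
    rpo_hours: float    # maximum tolerable data loss

@dataclass
class DrEntry:
    process: str
    backup_interval_hours: float           # how often a backup is taken
    estimated_restore_hours: float         # measured or estimated time to restore
    restore_order: int                     # position in the runbook's sequence
    last_restore_test_days: Optional[int]  # days since a successful test; None = never

def check_dr_alignment(bia, drp, max_test_age_days=365):
    # Returns governance findings; an empty list means the DRP aligns with the BIA.
    findings = []
    dr_by_name = {d.process: d for d in drp}
    # Expected sequencing comes from the BIA: impact rank first, tighter RTO breaks ties
    for pos, b in enumerate(sorted(bia, key=lambda e: (e.impact_rank, e.rto_hours)), 1):
        d = dr_by_name.get(b.process)
        if d is None:
            findings.append(f"{b.process}: in BIA but absent from DRP")
            continue
        if d.backup_interval_hours > b.rpo_hours:
            findings.append(f"{b.process}: backup every {d.backup_interval_hours}h exceeds RPO {b.rpo_hours}h")
        if d.estimated_restore_hours > b.rto_hours:
            findings.append(f"{b.process}: restore time {d.estimated_restore_hours}h exceeds RTO {b.rto_hours}h")
        if d.last_restore_test_days is None or d.last_restore_test_days > max_test_age_days:
            findings.append(f"{b.process}: no successful restore test within {max_test_age_days} days")
        if d.restore_order != pos:
            findings.append(f"{b.process}: restore order {d.restore_order} but BIA priority is {pos}")
    return findings

# Constructed sample: the intranet wiki is fully aligned; order processing is not.
SAMPLE_BIA = [BiaEntry("order-processing", 1, rto_hours=4, rpo_hours=1),
              BiaEntry("payroll", 2, rto_hours=24, rpo_hours=24),
              BiaEntry("intranet-wiki", 3, rto_hours=72, rpo_hours=48)]
SAMPLE_DRP = [DrEntry("payroll", 24, 12, restore_order=1, last_restore_test_days=90),
              DrEntry("order-processing", 4, 3, restore_order=2, last_restore_test_days=None),
              DrEntry("intranet-wiki", 24, 10, restore_order=3, last_restore_test_days=30)]

def run_sample():
    return check_dr_alignment(SAMPLE_BIA, SAMPLE_DRP)
```

Running `run_sample()` on the constructed data reports four findings: three against order processing (backup cadence looser than its RPO, restoration never tested, restored second despite top BIA priority) and one sequencing finding against payroll.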


5. Classification Drives Escalation

Incident categorization must:

  • Be impact-based
  • Define severity levels
  • Trigger regulatory notifications
  • Standardize reporting
  • Align with enterprise risk tolerance

Misclassification creates governance and legal risk.


6. Testing Validates Capability

Plans must be:

  • Trained
  • Exercised
  • Updated
  • Reviewed
  • Improved

Readiness without validation is assumption.


Section A – Practice Questions

Question 1

An organization restores low-priority systems before revenue-generating systems during an outage.

What is the MOST likely root cause?

  A. Misalignment with BIA-defined priorities
  B. Encryption weakness
  C. Vendor inefficiency
  D. Monitoring delay

Answer & Explanation
Correct Answer: A
BIA defines recovery sequencing.

Question 2

An IRP does not clearly define regulatory notification responsibilities.

What is the PRIMARY risk?

  A. Encryption gap
  B. Monitoring delay
  C. Vendor inefficiency
  D. Missed reporting deadlines and legal exposure

Answer & Explanation
Correct Answer: D
Notification requirements must be predefined.

Question 3

A BCP exists but lacks alternate process strategies.

What is the MOST significant weakness?

  A. Reduced automation
  B. Inability to maintain operations during disruption
  C. Encryption deficiency
  D. Vendor oversight

Answer & Explanation
Correct Answer: B
BCP must define continuity strategies.

Question 4

Daily backups are performed but restoration has never been tested.

What is the PRIMARY concern?

  A. Reduced automation
  B. Encryption weakness
  C. Unverified recovery capability
  D. Vendor inefficiency

Answer & Explanation
Correct Answer: C
Backup integrity must be validated through testing.

Question 5

Incident severity is determined by technical staff discretion.

What is the PRIMARY governance issue?

  A. Lack of standardized classification criteria
  B. Encryption deficiency
  C. Vendor oversight
  D. Monitoring delay

Answer & Explanation
Correct Answer: A
Severity must be defined objectively.

Question 6

An organization has not updated its BIA after expanding into new markets.

What is the MOST significant risk?

  A. Reduced automation
  B. Vendor inefficiency
  C. Encryption gap
  D. Misalignment between business exposure and recovery objectives

Answer & Explanation
Correct Answer: D
BIA must reflect current operations.

Question 7

Executives do not participate in incident response exercises.

What is the PRIMARY concern?

  A. Encryption weakness
  B. Vendor inefficiency
  C. Leadership unpreparedness during crisis
  D. Monitoring delay

Answer & Explanation
Correct Answer: C
Executive readiness ensures coordinated decision-making.

Question 8

An organization treats BCP and DRP as interchangeable documents.

What is the PRIMARY misunderstanding?

  A. Encryption deficiency
  B. Confusion between operational continuity and technical recovery
  C. Vendor oversight
  D. Monitoring delay

Answer & Explanation
Correct Answer: B
BCP preserves operations; DRP restores systems.

Question 9

A high-impact breach is categorized as medium severity to avoid executive escalation.

What is the MOST significant risk?

  A. Governance breakdown and regulatory exposure
  B. Encryption weakness
  C. Vendor inefficiency
  D. Reduced automation

Answer & Explanation
Correct Answer: A
Misclassification undermines governance.

Question 10

After a tabletop exercise, identified gaps are not tracked.

What is the PRIMARY issue?

  A. Encryption gap
  B. Monitoring delay
  C. Vendor inefficiency
  D. Failure to integrate lessons learned into program improvement

Answer & Explanation
Correct Answer: D
Exercises must drive documented improvement.

Section A Pattern Summary

In Domain 4 Section A:

  • BIA defines impact.
  • BCP preserves business.
  • DRP restores systems.
  • IRP structures response.
  • Classification drives escalation.
  • Testing validates readiness.

CISM rewards structured preparedness — not reactive firefighting.
