# Incident Response Lifecycle

Backlink: [[Domain 1 - Index]]

**Definition:** A structured approach to prepare for, detect, analyze, contain, eradicate, and recover from incidents, followed by lessons learned.

## Key Facts

- Phases: Prepare → Detect/Analyze → Contain → Eradicate → Recover → Post-incident.
- Playbooks define steps, including communications, legal, and evidence handling.
- Metrics: MTTA, MTTD, MTTR; report to leadership.
- Coordinate with BCP/DR for major disruptions.
- Regular training and exercises drive improvement.
- **Verify:** check the official (ISC)² CBK and current exam outline.

> [!tip] **Exam Relevance**
> - Choose the correct next step in the lifecycle
> - Evidence vs. containment trade-offs

> [!note] **Mnemonic**
> - “P D C E R L.”

### Example

Q: Malware identified; what before reimaging?

A: Preserve evidence as needed, then eradicate.

## Revision Checklist

- [ ] List phases in order
- [ ] Define MTTD/MTTR
- [ ] Tie to legal holds/notifications
- [ ] Containment vs. evidence decision

## Related

[[Evidence Handling and Chain of Custody]] · [[E-Discovery (EDRM)]] · [[Business Continuity Planning (BCP) Overview]] · [[Security Control Types]] · [[Security Awareness and Training]]

#cisSP #domain-1 #concept