# Incident Response Lifecycle (NIST-Style)

One-sentence definition: A structured process to prepare for, detect, contain, eradicate, recover from, and learn from incidents.

## Key Facts

- Preparation: policies, tools, communications plan, training, playbooks.
- Detection/Analysis: triage, scoping, evidence capture, classification and severity rating.
- Containment: short-term (network isolation, blocking indicators at the perimeter) buys time; long-term (credential resets, temporary hardening, clean rebuilds in parallel) keeps the business running until eradication. Reset credentials once the access path is understood, or the attacker may simply harvest the new ones.
- Eradication/Recovery: remove the root cause (malware, rogue accounts, exploited vulnerability); restore from known-good backups or media; validate before returning systems to production; monitor for recurrence.
- Lessons learned: reconstruct the timeline, identify gaps, assign corrective action plans (CAPs); feed the results back into controls, detections, and playbooks.
- Phase count: NIST SP 800-61 groups these into four phases (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity). The six-step sequence used here simply expands the two combined phases.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- The order of the phases and correct evidence handling (volatile data first, chain of custody, hashing) are frequent exam targets.

**Mnemonic:** “**Prep → Detect → Contain → Fix → Learn**.”

## Mini Scenario

Q: Pull the plug vs monitor stealthily: which, and when?

A: Pulling the plug is short-term containment: it stops the bleeding immediately but destroys volatile evidence (memory, live network connections, running processes) and can alert the attacker. Monitoring preserves evidence and yields intelligence on scope and tooling, but accepts continued risk while the attacker stays active. Choose by risk and scope: monitor when exposure is bounded and management and legal approve; disconnect when data loss or spread is imminent.

## Revision Checklist

- Six steps (and how NIST collapses them into four phases).
- One short-term and one long-term containment tactic.
- Lessons-learned outputs (timeline, gaps, CAPs).

## Related

[[Incident Classification Severity and SLAs]] · [[Playbooks and SOAR Automation]] · [[Digital Forensics in Operations (Triage First Response)]] · [[Business Continuity Operations and Crisis Communications]] · [[Ransomware Readiness Assessment]] · [[Domain 7 - Index]]
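## Added Example: Evidence Integrity During Detection/Analysis

The evidence-capture step under Detection/Analysis, and the exam's emphasis on evidence handling, come down to one practical habit: hash every artifact at collection time and record who collected it and when, so that later tampering is detectable. The following Python script is an added example written for this card, not code from any CISSP or NIST source. The artifact names, contents, and the handler name are constructed placeholders; the chain-of-custody format is a simple hash chain of the author's own design, not a standard schema.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample artifacts standing in for files collected during triage.
# In a real case these would be the bytes of a memory image, exported logs,
# or a disk image; the names and contents here are hypothetical.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "memdump-ws042.raw": b"constructed memory image bytes",
    "auth.log": b"Jan 10 03:14:07 ws042 sshd[911]: Accepted password for svc-backup from 203.0.113.7\n",
}

GENESIS = "0" * 64  # previous-entry hash for the first chain entry


def sha256_hex(data: bytes) -> str:
    """SHA-256 of raw bytes as a hex string; the artifact fingerprint."""
    return hashlib.sha256(data).hexdigest()


def collect(artifacts: Dict[str, bytes], handler: str,
            when: Optional[datetime] = None) -> List[dict]:
    """Build a chain-of-custody log with one entry per artifact.

    Each entry records the artifact hash, handler, and collection time, and is
    itself hashed together with the previous entry's hash. Changing any entry
    or any artifact after the fact therefore breaks verification.
    """
    when = when or datetime.now(timezone.utc)
    prev = GENESIS
    chain: List[dict] = []
    for name in sorted(artifacts):
        entry = {
            "artifact": name,
            "sha256": sha256_hex(artifacts[name]),
            "handler": handler,
            "collected_at": when.isoformat(),
            "prev_entry_hash": prev,
        }
        # Canonical JSON (sorted keys) so the hash is reproducible on verify.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        chain.append(entry)
        prev = entry["entry_hash"]
    return chain


def verify(chain: List[dict], artifacts: Dict[str, bytes]) -> List[str]:
    """Re-check every link and every artifact; return a list of problems.

    An empty list means the custody log and the artifacts are intact.
    """
    problems: List[str] = []
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_entry_hash") != prev:
            problems.append(f"{entry['artifact']}: chain link broken")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append(f"{entry['artifact']}: entry modified")
        data = artifacts.get(entry["artifact"])
        if data is None:
            problems.append(f"{entry['artifact']}: artifact missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{entry['artifact']}: artifact content changed")
        prev = entry["entry_hash"]
    return problems


if __name__ == "__main__":
    log = collect(SAMPLE_ARTIFACTS, handler="analyst-1")
    print(json.dumps(log, indent=2))
    print("intact:", verify(log, SAMPLE_ARTIFACTS) == [])
```

Running the script prints the custody log and confirms it verifies cleanly; editing one byte of `auth.log`, or changing the `handler` field of an entry, makes `verify` report the exact artifact or entry that no longer matches. In practice the hashes are taken on the collection host before the artifact leaves it, and the log is stored separately from the evidence.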