If you’re preparing for the ISC2 Certified in Cybersecurity (CC) exam, business continuity and disaster recovery (BC/DR) is one topic you can’t afford to skim. It falls under Domain 2 — Business Continuity, Disaster Recovery & Incident Response — which accounts for 10% of your 100-question, 120-minute exam. While that might sound like a smaller slice compared to Network Security (24%) or Security Principles (26%), the concepts tested here are deeply interconnected with every other domain. More importantly, they represent the kind of real-world thinking the exam rewards: not just knowing definitions, but understanding how organizations survive when things go wrong.
What Is Business Continuity and Why Does It Matter?
Business continuity planning (BCP) is the proactive process of ensuring that critical business functions can continue during and after a disruption. Think of it as the organization’s survival blueprint. Disaster recovery planning (DRP), while closely related, focuses specifically on restoring IT systems and data after a disruption has occurred.
Here’s how to think about the distinction:
- BCP = keeping the business running (people, processes, facilities)
- DRP = getting systems and data back online after an incident
The CC exam expects you to know both concepts and how they relate to each other. You’ll also need to understand the tools organizations use to build these plans — particularly the Business Impact Analysis (BIA).
Business Impact Analysis: The Foundation of BC/DR Planning
Before you can build a recovery plan, you need to understand what you’re protecting and why. That’s the job of the Business Impact Analysis (BIA). A BIA identifies critical business functions, quantifies the impact of their disruption (in time, money, and reputation), and helps prioritize recovery efforts.
Two key metrics come directly from the BIA and appear frequently on the CC exam:
- Recovery Time Objective (RTO): The maximum acceptable length of time a system can be offline. If your RTO is 4 hours, your recovery plan must bring systems back within that window.
- Recovery Point Objective (RPO): The maximum acceptable amount of data loss, measured in time. If your RPO is 1 hour, your backups must be recent enough that you never lose more than one hour of data.
These aren’t just theoretical — they directly drive decisions about backup frequency, redundant systems, and the cost of recovery infrastructure. A tighter RTO pushes you toward standby capacity and automated failover, which is expensive; a tighter RPO pushes you toward more frequent backups or continuous replication. A looser RPO means you can get away with less frequent backups. One practical caveat: RTO and RPO are targets, so a plan is only credible once a restore has actually been tested and the measured recovery time and data loss come in under those targets.
Redundancy and Backup Strategies
The CC exam tests your understanding of how organizations build resilience into their systems. Key redundancy concepts include:
- RAID (Redundant Array of Independent Disks): Provides disk-level redundancy, protecting against drive failure. Note that RAID 0 (striping) offers no redundancy at all, and no RAID level is a substitute for backups — a deleted or corrupted file is faithfully mirrored across every disk.
- Server clustering: Multiple servers work together so that if one fails, others take over — minimizing service interruption.
- NIC teaming (also called NIC bonding): Combines multiple network interface cards so that if one NIC fails, the others maintain network connectivity. Teams can also be configured to aggregate bandwidth, but the exam’s point is failover. This is different from load balancing, which distributes traffic across servers or links rather than protecting a single host against a NIC failure.
- Backup types: Full, incremental, and differential backups each have different trade-offs in terms of storage space and recovery time. A full backup uses the most storage but restores from a single set; an incremental captures only changes since the previous backup of any kind, so it is smallest but restoring means applying the full plus every incremental since; a differential captures everything changed since the last full, so it grows through the cycle but restores with just the full plus the newest differential. Know the differences.
When studying redundancy, focus on what failure each technique protects against. The exam likes to present scenarios where you need to match the right solution to the right problem.
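The following script is an added illustration, not part of the original study guide or any vendor’s tooling. It works the backup-type trade-offs and the RTO/RPO check through on a constructed one-week schedule: for each strategy it computes the restore chain (which sets must be applied, in what order), the data loss at the moment of failure (the RPO test), and an estimated restore time (the RTO test). All figures (500 GB full, ~20 GB of daily change, 200 GB/hour restore throughput, a 10-minute per-set overhead, 4-hour RPO and RTO) are assumptions chosen for the example, and the mixed-schedule handling goes slightly beyond the three pure cases in the text.

```python
"""Restore chain, data loss and restore time for full / incremental /
differential backup schedules, checked against an RPO and RTO.

Added illustration for the study notes above; the schedule, sizes and
throughput figures are constructed examples, not measurements.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str            # "full", "incremental" or "differential"
    taken_at: datetime   # when the backup completed
    size_gb: float       # data read back when this set is restored


def restore_chain(backups, failure_at):
    """Backups that must be applied, in order, to reach the newest recovery
    point before failure_at.

    full:         only the newest full is needed.
    differential: newest full + newest differential (each differential holds
                  every change since that full, so older ones are redundant).
    incremental:  newest full + every incremental after it, in order (each
                  holds only the changes since the previous backup of any kind).
    A mixed schedule is handled the same way: incrementals taken after the
    newest differential still have to be applied on top of it.
    """
    usable = sorted((b for b in backups if b.taken_at <= failure_at),
                    key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup before the failure: nothing to restore from")
    base = fulls[-1]
    after = [b for b in usable if b.taken_at > base.taken_at]
    chain = [base]
    newest_diff = next((b for b in reversed(after) if b.kind == "differential"), None)
    if newest_diff is not None:
        chain.append(newest_diff)
        chain += [b for b in after
                  if b.kind == "incremental" and b.taken_at > newest_diff.taken_at]
    else:
        chain += [b for b in after if b.kind == "incremental"]
    return chain


# Assumed planning figures (constructed for the example).
RPO = timedelta(hours=4)
RTO = timedelta(hours=4)
THROUGHPUT_GB_PER_HOUR = 200.0            # assumed restore read rate
OVERHEAD_PER_SET = timedelta(minutes=10)  # assumed mount/verify cost per set applied


def evaluate(backups, failure_at, rpo=RPO, rto=RTO,
             throughput_gb_per_hour=THROUGHPUT_GB_PER_HOUR,
             overhead_per_set=OVERHEAD_PER_SET):
    """Compare a schedule against the RPO (data loss) and RTO (restore time)."""
    chain = restore_chain(backups, failure_at)
    # Everything written after the last applied backup is lost: the RPO test.
    loss = failure_at - chain[-1].taken_at
    # Restore time grows with bytes read back and with the number of sets: the RTO test.
    restore = (timedelta(hours=sum(b.size_gb for b in chain) / throughput_gb_per_hour)
               + overhead_per_set * len(chain))
    return {
        "chain": [b.kind for b in chain],
        "data_loss": loss,
        "meets_rpo": loss <= rpo,
        "restore_time": restore,
        "meets_rto": restore <= rto,
    }


# Constructed one-week schedule: 500 GB full on Sunday 02:00, then a nightly
# backup at 02:00. About 20 GB changes per day, so an incremental is ~20 GB
# while a differential grows by ~20 GB for each day since the full.
SUNDAY = datetime(2024, 3, 3, 2, 0)
FULL = Backup("full", SUNDAY, 500.0)
INCREMENTAL_WEEK = [FULL] + [
    Backup("incremental", SUNDAY + timedelta(days=d), 20.0) for d in range(1, 7)]
DIFFERENTIAL_WEEK = [FULL] + [
    Backup("differential", SUNDAY + timedelta(days=d), 20.0 * d) for d in range(1, 7)]
FAILURE = SUNDAY + timedelta(days=4, hours=12)   # Thursday 14:00


if __name__ == "__main__":
    for name, schedule in (("incremental", INCREMENTAL_WEEK),
                           ("differential", DIFFERENTIAL_WEEK)):
        print(name, evaluate(schedule, FAILURE))
```

Both nightly schedules comfortably meet the 4-hour RTO in this setup (the differential chain is two sets, the incremental chain is five), but both fail the 4-hour RPO with 12 hours of data loss, because the newest backup is from 02:00 and the failure is at 14:00. That is the point the RTO/RPO paragraph makes: a tighter RPO cannot be bought with a different backup type, only with more frequent backups or replication.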
Incident Response: The Process Side of Recovery
Disaster recovery doesn’t happen in a vacuum — it’s part of a broader incident response (IR) lifecycle. The CC exam references the NIST incident response lifecycle from SP 800-61 (Computer Security Incident Handling Guide), which defines four phases:
- Preparation: Building the team, tools, and procedures before an incident occurs. This is always first — you can’t respond effectively without preparation.
- Detection and Analysis: Identifying that an incident has occurred and understanding its scope and impact.
- Containment, Eradication, and Recovery: Stopping the spread, removing the threat, and restoring systems.
- Post-Incident Activity: Reviewing what happened, documenting lessons learned, and improving the process for next time.
A common exam trap is presenting the phases out of order and asking you to identify the correct sequence. Remember: Preparation always comes first, and Post-Incident Activity is how you close the loop and improve.
Test Your Knowledge
Let’s put these concepts to work with a couple of exam-style scenarios.
Scenario 1: An e-commerce company’s BIA reveals their platform generates $50,000 in revenue per hour. Their RTO is set to 2 hours. What is the maximum potential revenue loss from an outage?
- A) $25,000
- B) $50,000
- C) $100,000
- D) $250,000
Answer: C — $100,000. The RTO defines the maximum acceptable downtime. At $50,000/hour with a 2-hour RTO, the worst-case revenue loss is $100,000, assuming recovery actually completes within the RTO; if it runs over, the loss keeps growing at $50,000 per hour. This is exactly why tighter RTOs justify higher infrastructure investment — you’re quantifying risk.
Scenario 2: A security engineer wants to ensure network connectivity is maintained even if one network interface card fails. Which technique should they implement?
- A) RAID
- B) Load balancing
- C) Server clustering
- D) NIC teaming
Answer: D — NIC teaming. NIC teaming bonds multiple NICs together so failure of one doesn’t disrupt connectivity. RAID handles disk redundancy, server clustering handles server-level failover, and load balancing distributes traffic — none of those address a single NIC failure directly.
Want more practice? Try free ISC2 CC practice questions on Certcy — with 110+ expert-written questions covering all five domains.
Study Tips for the BC/DR Domain
- Don’t just memorize RTO and RPO — apply them. Practice calculating potential losses given an hourly cost and an RTO value. The exam presents scenarios, not just definitions.
- Know the NIST IR phases in order. Write them out. Quiz yourself on what happens in each phase. Getting them out of sequence is a common mistake.
- Understand what each redundancy technique protects against. RAID ≠ NIC teaming ≠ server clustering. The exam will try to blur these lines.
- Connect BC/DR to the CIA Triad. Business continuity is fundamentally about protecting Availability — one of the three pillars tested heavily across all five CC domains.
- Remember: DRP is a subset of BCP. Disaster recovery is specifically about IT restoration. Business continuity is broader, covering all critical operations.
Frequently Asked Questions
How much of the ISC2 CC exam covers Business Continuity and Disaster Recovery?
Domain 2 — Business Continuity, Disaster Recovery & Incident Response — accounts for 10% of the CC exam. With 100 total questions, you can expect roughly 10 questions from this domain. While it’s not the largest domain, the concepts overlap with Security Principles and Security Operations, so a strong understanding here pays dividends across the entire exam.
What’s the difference between RTO and RPO on the CC exam?
RTO (Recovery Time Objective) is about time — specifically, how long a system can be down before it becomes unacceptable. RPO (Recovery Point Objective) is about data — specifically, how much data loss (measured in time) the organization can tolerate. For example, an RPO of 4 hours means backups or replication checkpoints must be no more than 4 hours apart. The exam often tests these in financial or scenario-based questions, so practice applying them rather than just reciting definitions.
Do I need prior IT experience to pass the ISC2 CC exam?
No — the CC has no prerequisites, which makes it one of the most accessible entry-level cybersecurity certifications available. You don’t need work experience or a degree. The exam is 100 multiple-choice questions, 120 minutes, and requires a passing score of 700 out of 1000. That said, the concepts do require genuine understanding, not just surface-level memorization. Building your knowledge through structured practice is the most effective preparation strategy.
What is the NIST incident response lifecycle, and how is it tested on the CC exam?
The NIST incident response lifecycle has four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. The CC exam tests both the names of these phases and their correct order. A common question format presents the phases scrambled and asks you to identify the correct sequence. Remember that Preparation always comes first — you build your response capability before an incident, not during one.
Ready to turn this knowledge into exam confidence? Download Certcy free and practice BC/DR concepts alongside all five ISC2 CC domains. With gamified quizzes, spaced-repetition flashcards, and an AI-personalized study plan that adapts to your weak areas, Certcy gives you everything you need to walk into exam day prepared. Start free — no credit card, no commitment, just results.