CISSP Study Guide · Domain 7
CISSP Domain 7 Explained: Security Operations
Domain 7 (~13%) is the day-to-day defense domain: investigations, incident response, operations, and keeping the business running through disruption.
A practical guide with free practice questions · by Domain8
The CISSP — Certified Information Systems Security Professional — is ISC2’s globally recognized cybersecurity certification, organized into eight domains.
Security Operations covers how you run security in practice — from digital forensics and incident response to change management and disaster recovery. Expect process-order questions and precise definitions.
Want to drill Domain 7? Domain8 has adaptive quizzes, a 700-question bank, and a diagnostic that finds your weak spots. Domain 8 is free to try, no card.
Study free at Domain8 →
1. Investigations and forensics
Preserve evidence correctly:
- Maintain chain of custody so evidence is admissible.
- Collect by the order of volatility — most volatile first (memory/cache before disk).
- Follow legal and regulatory requirements for the investigation type.
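As an added example (not part of this guide), the following Python sketch applies the two rules above: it sorts artifacts most-volatile-first, and it keeps a hash-chained chain-of-custody log so that an edited, dropped or reordered entry is detectable. The volatility ranking is an assumption modelled on the RFC 3227 order of volatility, and the artifact names and bytes are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed ranking (lower = more volatile, collect first), modelled on the
# RFC 3227 order of volatility; adjust to the investigation's own procedure.
VOLATILITY_RANK = {
    "registers_cache": 0, "memory": 1, "network_state": 2,
    "running_processes": 3, "disk": 4, "remote_logs": 5,
    "physical_config": 6, "archived_media": 7,
}

def plan_collection(artifacts):
    """Return artifacts sorted most-volatile-first; unknown kinds raise."""
    for a in artifacts:
        if a["kind"] not in VOLATILITY_RANK:
            raise ValueError(f"unknown artifact kind: {a['kind']}")
    return sorted(artifacts, key=lambda a: VOLATILITY_RANK[a["kind"]])

def _digest(obj):
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def acquire(artifact, data, custodian, log):
    """Hash the acquired bytes and append a custody entry chained to the previous one."""
    entry = {
        "artifact": artifact["name"],
        "kind": artifact["kind"],
        "sha256": hashlib.sha256(data).hexdigest(),
        "custodian": custodian,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "prev_hash": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _digest(entry)  # seals every field above
    log.append(entry)
    return entry

def verify_chain(log):
    """Recompute every entry hash; an edited, dropped or reordered entry breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

In practice the `data` passed to `acquire` would be the acquired image or capture, and the log would be stored separately from the evidence it describes.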
2. Incident response
Know the phases and their order:
- Preparation → Detection & analysis → Containment → Eradication → Recovery → Lessons learned.
- Contain first to stop the bleeding before eradicating.
- Lessons learned feed back into preparation.
3. Logging and detection
See what is happening:
- Centralize logs; protect their integrity; review them.
- Use SIEM/SOAR for correlation and automated response.
- Detective controls only help if alerts are acted upon.
4. Operations discipline
Reduce self-inflicted risk:
- Patch management, change management, and configuration management keep systems known and current.
- Most outages and breaches trace to unmanaged change.
- Separation of duties and least privilege apply to operations too.
5. Business continuity and disaster recovery
Survive disruption:
- The BIA (business impact analysis) comes first and identifies critical functions and their RTO (recovery time objective: how quickly a function must be restored) and RPO (recovery point objective: the maximum acceptable data loss, measured as a point in time).
- The BCP (business continuity plan) keeps the business running; the DRP (disaster recovery plan) restores IT systems specifically.
- Recovery sites range from cold to hot; choose by RTO and cost.
Free practice questions
Try these in the exam's "best answer" style, then read the answer and explanation.
1. During evidence collection on a live system, which data should be captured FIRST?
- A. Archived backups
- B. Data on disk
- C. Volatile data in memory and cache
- D. Printed documents
Answer
C. Follow the order of volatility: capture the most volatile data (memory, cache, running state) first, because it disappears when the system changes or powers off.
2. A new incident is confirmed and actively spreading. According to the incident response process, what is the immediate priority?
- A. Lessons learned
- B. Containment
- C. Recovery
- D. Preparation
Answer
B. After detection and analysis, contain the incident to stop it spreading before eradicating the cause and recovering. Containment limits the damage first.
3. Which metric defines the maximum acceptable amount of data loss, measured as a point in time?
- A. RTO (Recovery Time Objective)
- B. RPO (Recovery Point Objective)
- C. MTBF (Mean Time Between Failures)
- D. SLE (Single Loss Expectancy)
Answer
B. RPO is the maximum acceptable data loss (how far back you can afford to lose data). RTO is how quickly a function must be restored.
Like these? Get a full adaptive quiz engine and a diagnostic that scores you by difficulty and question style. All of Domain 8 is free to try.
Study free at Domain8 →
Frequently asked questions
What is the most tested BCP/DR concept?
RTO vs RPO, and that the BIA comes first to identify critical functions and their recovery objectives.
What order should incident response follow?
Preparation, detection and analysis, containment, eradication, recovery, lessons learned. Contain before you eradicate.