Free ISACA Cybersecurity Audit Certificate Actual Exam Questions - Question 7 Discussion

Question No. 7
During which incident response phase is evidence obtained and preserved?
Usman I.
2026-02-21

B, because you need to secure the scene before making any changes.

Usman I.
2026-02-19

B. Evidence must be preserved early to ensure integrity before cleanup starts.

Usman I.
2026-02-19

C imo, eradication usually involves removing the threat, so by that time, evidence should already be secured to avoid tampering or loss. Gathering evidence during eradication might risk altering or destroying important data. Preservation is more about capturing the initial state, which logically happens right before or during containment when you’re trying to understand and limit the incident. Recovery and lessons learned come too late since they focus on restoring systems and reviewing the incident rather than collecting data.

Usman I.
2026-02-11

Good point about containment. I’d add that evidence gathering can start as soon as the incident is confirmed, which often overlaps with containment activities, so B still seems like the best fit here.

Usman I.
2026-02-09

B. Containment is the phase where you stabilize the situation, so it makes sense to collect and preserve evidence before anything is changed or wiped out. Later phases focus more on fixing things.

Tom G.
2026-02-01

Option A doesn’t seem right since lessons learned is more about reviewing what happened, not collecting evidence. Evidence gathering needs to happen earlier to avoid contamination.

Tom G.
2026-01-29

I think the best fit here is B. Containment feels like the moment you lock things down to prevent further damage, and that’s when you’d secure and start preserving evidence. Waiting until eradication or recovery could risk losing critical data since the environment might change or get cleaned up. So securing evidence during containment makes the most practical sense.

Noah N.
2026-01-26

Makes sense to focus on containment (B) because you need to secure the scene before evidence gets messed up. Collecting evidence too late risks losing key info. So I'm with B on this one.

Jason G.
2026-01-26

A imo, lessons learned includes reviewing and preserving evidence for future use. The actual collection might start earlier, but the formal preservation and documentation is part of lessons learned.

Jason G.
2026-01-21

C/D? Eradication focuses on removing threats, but evidence should already be preserved before this phase.

Jason G.
2026-01-18

B imo. Containment is when you stop the attack and secure the environment, which is the critical moment to gather and preserve evidence before it can be altered or lost. Options like eradication or recovery happen later and focus more on fixing the issue, not collecting proof. Lessons learned is obviously after everything’s done. So containment fits best here since you’d want to capture evidence right after detecting the incident but before cleaning up.

David R.
2026-01-15

B
