Free ISC2 CISSP Actual Exam Questions - Question 5 Discussion

Question No. 5 (Drag & Drop)

During the risk assessment phase of the project, the CISO discovered that a college within the University is collecting Protected Health Information (PHI) via an application that was developed in-house. The college collecting this data is fully aware of the regulations of the Health Insurance Portability and Accountability Act (HIPAA) and is fully compliant. What is the best approach for the CISO?

Below are the common phases of creating a Business Continuity/Disaster Recovery (BC/DR) plan. Drag the remaining BC/DR phases to the appropriate corresponding location.

Options
A. Risk Assessment
B. Business Impact Analysis
C. Mitigation Strategy Development
D. BC/DR Plan Development
E. Training, Testing & Auditing
F. Plan Maintenance
Answer Area: six ordered slots (Bucket 1 through Bucket 6), one phase per bucket.
Rayan S.
2026-02-16

I think the key is the CISO confirming the risk assessment findings first, then moving to the BIA to figure out how critical the PHI data is for recovery priorities. Since the college is already HIPAA compliant, the next logical step is to use that BIA output to develop or update the BC/DR plan accordingly. So it's less about enforcing new standards and more about integrating existing compliance info into the recovery planning phases. Makes sense to treat it as a generic BC/DR sequence—risk assessment, then BIA, then strategy and implementation phases—without needing a special framework.

0
Karan N.
2026-02-14

Since the college is compliant with HIPAA, the CISO should focus on ensuring ongoing monitoring and incident response plans are in place rather than starting new compliance checks. So, after risk assessment, BIA makes sense to set recovery priorities.

0
Imran F.
2026-01-24

Since risk assessment is done, next should be Business Impact Analysis (BIA) to prioritize PHI data recovery.

0
Imran F.
2026-01-20

I think the key here is that even though the college is HIPAA compliant, the CISO still needs to make sure the BC/DR plan includes all relevant phases for handling PHI data securely. Since Risk Assessment is already done, the next logical step should be Business Impact Analysis to figure out how disruptions affect PHI availability and confidentiality. That way, the strategy development and plan creation will be targeted and effective. So I’d confirm that the sequence flows from assessing risks to impact analysis before jumping into solutions. Option C fits this logical workflow well.

0
Imran F.
2026-01-15

C) Risk Assessment first, then Business Impact Analysis, followed by Strategy Development and Plan Development.

0