In the context of incident response, what is the correct order of phases?
- Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned ✓
- Detection, Analysis, Eradication, Containment, Recovery
- Preparation, Analysis, Containment, Recovery, Documentation
- Detection, Containment, Eradication, Recovery, Lessons Learned
Correct answer: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned
Option A is correct because the NIST SP 800-61 incident response lifecycle, widely adopted in CISSP, defines six phases in order: Preparation (establishing policies, tools, and team readiness), Detection and Analysis (identifying and validating the incident), Containment (limiting the spread), Eradication (removing the threat), Recovery (restoring systems), and Lessons Learned (post-incident review to improve future response). Option B is incorrect because it omits Preparation, which is the foundational first phase, and places Eradication before Containment, reversing two critical steps. Option C is incorrect because it inserts Analysis as a standalone second phase, omits Eradication, and replaces Lessons Learned with Documentation, which is an activity within phases rather than a standalone phase. Option D is incorrect because it omits Preparation entirely and starts with Detection, skipping the phase that enables all subsequent response activities.
Topic: incident response, nist, cissp, security lifecycle