PracticeStudy GuidesBlogFlashcardsEspañol
All Practice Exams

200+ Free CBCP Practice Questions

Pass your CBCP Certified Business Continuity Professional exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
Not published Pass Rate
200+ Questions
100% Free
1 / 200
Question 1
Score: 0/0

What is the primary purpose of a business continuity policy approved by senior management?

A
B
C
D
to track
2026 Statistics

Key Facts: CBCP Exam

148

Official Q-Exam Questions

DRI Q-Exam page

75%

Passing Score

DRI CBCP and Q-Exam pages

3.5h

Time Limit

DRI Q-Exam page

$500

Standalone Q-Exam

DRI Q-Exam page

$400

CBCP Application Fee

DRI CBCP page

2 years

Experience Requirement

DRI CBCP page

As of March 12, 2026, DRI's dedicated Q-Exam page lists 148 multiple-choice questions in 3.5 hours with a 75% passing score. DRI's current CBCP page lists a $400 certification application fee, a $225 annual renewal fee, and at least two years of significant practical experience in five of the Professional Practice subject areas, with two references required per selected subject matter area. I did not find a separate 2026 DRI blueprint change announcement beyond the current ten-domain Professional Practices structure introduced with the 2023 version.

Sample CBCP Practice Questions

Try these sample questions to test your CBCP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1What is the primary purpose of a business continuity policy approved by senior management?
A.To replace department recovery procedures
B.To establish executive direction, authority, and expectations for the continuity program
C.To document every step of each technical recovery script
D.To serve as the organization’s vendor contract template
Explanation: A continuity policy gives the program legitimacy by defining management’s intent, scope, and support. Detailed recovery steps belong in procedures and plans, not in the high-level policy statement.
2A continuity manager is drafting a program charter. Which element is most important to include?
A.A detailed media script for public statements
B.The program’s scope, roles, objectives, and governance structure
C.A list of all employee vacation balances
D.A line-by-line server backup log
Explanation: A charter defines what the program covers, who is accountable, and how work will be governed. Without that foundation, later work such as BIAs, strategies, and exercises often becomes fragmented or contested.
3A department head keeps delaying BIA interviews because continuity work is not in the annual budget. Which action best reflects strong program sponsorship?
A.Cancel the interviews until next fiscal year
B.Ask the help desk to complete the BIA instead
C.Have the executive sponsor reinforce priorities and resource expectations with the department head
D.Remove the department from the continuity program permanently
Explanation: Executive sponsorship is what turns continuity from an optional activity into a business requirement. When leaders reinforce priorities and resource commitments, participation improves without undermining ownership.
4Which metric would be most useful for reporting continuity-program health to senior leadership?
A.The color of emergency flip charts in each office
B.The percentage of critical processes with current BIAs, approved strategies, and updated plans
C.The number of desktop wallpapers using the company logo
D.The average length of employee email signatures
Explanation: Leadership needs metrics tied to readiness, coverage, and gaps, not cosmetic details. Tracking current BIAs, strategies, and plans shows whether critical activities are actually supported by usable recovery capability.
5A company outsources payroll processing to a third party. Which governance approach best integrates that dependency into the continuity program?
A.Exclude payroll because it is no longer an internal process
B.Assume the vendor’s cyber insurance eliminates continuity risk
C.Treat the vendor as a critical dependency, define recovery requirements in contracts, and validate them periodically
D.Rely only on the vendor’s marketing brochure as proof of recoverability
Explanation: Outsourcing transfers execution, not accountability for business impact. The organization should define continuity expectations contractually and verify them through reviews, attestations, or joint testing.
6What is the first step in a sound risk assessment process?
A.Choose alternate recovery sites
B.Identify relevant threats, vulnerabilities, and assets in scope
C.Publish the final crisis communication plan
D.Purchase additional insurance coverage
Explanation: A risk assessment starts by identifying what could affect the organization and what is exposed. Strategy and treatment decisions come after the organization understands the threat landscape and vulnerable assets or activities.
7In risk analysis, likelihood primarily refers to:
A.How expensive the response team is
B.How often or how probably a threat scenario may occur
C.How many pages are in the continuity plan
D.How many executives attend the annual review meeting
Explanation: Likelihood addresses the probability or expected frequency of a disruptive scenario. It is different from impact, which focuses on the consequences if the event actually occurs.
8A data center flood risk remains moderate even after new barriers and pumps are installed. How should the remaining exposure be documented?
A.Delete it from the risk register because controls were added
B.Classify it as residual risk and track ownership and treatment decisions
C.Move it to the training log because it is no longer a risk issue
D.Ignore it unless the flood actually happens
Explanation: Residual risk is the exposure that remains after controls are applied. Recording ownership and decisions in the risk register helps leadership understand what is accepted, transferred, or still needs further treatment.
9A manufacturing site faces a high-impact but low-likelihood chemical release scenario. Which treatment option is most directly aimed at reducing consequences if the event occurs?
A.Avoidance by shutting down the entire company permanently
B.Risk reduction through containment, response procedures, and trained emergency teams
C.Acceptance without documentation
D.Changing the company logo on emergency signage
Explanation: Risk reduction focuses on lowering either the likelihood or the impact of a scenario through controls and preparedness. Containment measures, procedures, and trained responders directly reduce the severity of consequences.
10An organization wants one risk-assessment method that can compare cyber, facility, and supplier disruptions across business units. What is the best approach?
A.Let each unit invent its own scoring scale with no shared definitions
B.Use a consistent methodology with common impact criteria, scoring definitions, and documented assumptions
C.Score only technology risks because they are easiest to quantify
D.Base all ratings only on the most recent incident that occurred
Explanation: A shared methodology makes risk results comparable and defensible across different threat types and business units. Common criteria and assumptions reduce confusion and improve prioritization at the enterprise level.

About the CBCP Exam

CBCP is DRI International's professional business continuity credential. The current body of knowledge uses ten Professional Practices covering program management, risk assessment, business impact analysis, continuity strategies, incident response, plan development, awareness and training, exercising and maintenance, crisis communications, and coordination with external agencies and resources. Candidates pass the Qualifying Exam first and then complete a certification application documenting practical experience, references, and mapped subject matter essays.

Assessment

Current DRI Q-Exam page lists 148 multiple-choice questions across the ten Professional Practices. DRI's public pages do not publish official percentage weightings by domain.

Time Limit

3.5 hours

Passing Score

75%

Exam Fee

$500 standalone Q-Exam; $400 CBCP certification application after passing (DRI International)

CBCP Exam Content Outline

Professional Practice 1

Program Management

Governance, policy, program scope, sponsorship, funding, metrics, integration, and management oversight for the continuity program.

Professional Practice 2

Risk Assessment

Risk-assessment methodology, threat and vulnerability analysis, control evaluation, residual risk, and treatment decisions.

Professional Practice 3

Business Impact Analysis

Critical activities, dependencies, impact criteria, maximum tolerable downtime, and recovery requirements such as RTO and RPO.

Professional Practice 4

Business Continuity Strategies

Recovery strategies for people, workspace, technology, data, vital records, suppliers, outsourcing, and manual workarounds.

Professional Practice 5

Incident Preparedness and Response

Incident command roles, life-safety priorities, escalation, activation, damage assessment, logistics, and early response coordination.

Professional Practice 6

Plan Development and Implementation

Plan structure, document control, activation and deactivation criteria, recovery procedures, contacts, notification paths, and accessibility.

Professional Practice 7

Awareness and Training Programs

Role-based training, onboarding, refresher cycles, awareness campaigns, records, and cross-functional readiness.

Professional Practice 8

Business Continuity Plan Exercise/Test, Assessment, and Maintenance

Exercise objectives, test types, after-action reviews, corrective actions, audits, assessments, and plan maintenance through change management.

Professional Practice 9

Crisis Communications

Stakeholder identification, message approval, media handling, spokesperson control, redundant channels, and rumor monitoring.

Professional Practice 10

Coordination with External Agencies and Resources

Emergency services, regulators, mutual aid, memoranda of understanding, public-sector coordination, and external resource requests.

How to Pass the CBCP Exam

What You Need to Know

  • Passing score: 75%
  • Assessment: Current DRI Q-Exam page lists 148 multiple-choice questions across the ten Professional Practices. DRI's public pages do not publish official percentage weightings by domain.
  • Time limit: 3.5 hours
  • Exam fee: $500 standalone Q-Exam; $400 CBCP certification application after passing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CBCP Study Tips from Top Performers

1Study the ten Professional Practices as one end-to-end continuity lifecycle rather than ten isolated chapters.
2Be precise about the differences between risk assessment, business impact analysis, strategy development, incident response, and plan maintenance.
3Use scenario questions to practice sequencing: identify the issue, classify the stage, choose the right governance owner, then select the most proportionate action.
4Know the practical meaning of MTD, RTO, RPO, dependencies, workarounds, vital records, and external-resource assumptions.
5Pay special attention to crisis communications and external coordination because those areas are easy to under-study but heavily affect real-world response quality.
6Review after-action reporting and corrective-action tracking so you can distinguish one-time exercise observations from formal maintenance controls.

Frequently Asked Questions

How many questions are on the CBCP exam and how long do you get?

DRI's current dedicated Q-Exam page states that the Qualifying Examination has 148 multiple-choice questions and a 3.5-hour time limit. DRI also states that a score of 75% or better is required before you can move on to the CBCP certification application.

What are the official CBCP domains and are they publicly weighted?

DRI's current body of knowledge uses ten Professional Practices: Program Management; Risk Assessment; Business Impact Analysis; Business Continuity Strategies; Incident Preparedness and Response; Plan Development and Implementation; Awareness and Training Programs; Business Continuity Plan Exercise/Test, Assessment, and Maintenance; Crisis Communications; and Coordination with External Agencies and Resources. On the public pages reviewed March 12, 2026, DRI lists the domains but does not publish official percentage weightings for each one.

What experience is required for CBCP certification?

DRI's CBCP page states that applicants must have at least two years of significant practical experience in five of the Professional Practice subject areas. After passing the exam, candidates complete the online application, map their experience to the Professional Practices through subject matter essays, and provide two references per selected subject matter area.

Did the CBCP exam change in 2026?

I did not find a separate official DRI announcement showing a new 2026 CBCP blueprint, question-count, or passing-score change. As of March 12, 2026, the current public structure still reflects the ten Professional Practices used in DRI's 2023-version Professional Practices materials and Q-Exam listings.

How much does CBCP cost in 2026?

The current DRI Q-Exam page reviewed March 12, 2026, lists the standalone Qualifying Exam at $500. DRI's CBCP certification page separately lists a $400 CBCP application fee after passing and a $225 annual renewal fee for maintaining the certification.

What should you focus on most while studying?

Because DRI does not publish public domain percentages, prepare across the full continuity lifecycle rather than trying to game a weighting table. In practice, strong candidates are fluent in the distinctions between risk assessment, business impact analysis, strategy selection, incident response, crisis communications, and exercise-driven maintenance, because scenario questions often hinge on choosing the right continuity activity at the right stage.