Exam SY0-501 topic 1 question 1063 discussion

He is reading a procedure how the company mitigated the incident

zero-day malware attacks are being poorly executed ; that is already a lesson , so it is lesson learned

My first thought was also Prepartion. But after further consideration, I change my mind to Lesson Learned. Here's my reasoning and please correct me if I'm wrong. Lessons learned. After personnel handles an incident, security personnel perform a lessons learned review. --> "(CSO) is reviewing the company's IRP " It’s very possible the incident provides some valuable lessons and the organization might modify procedures or add additional controls to prevent a reoccurrence of the incident. --> CSO “notices the procedures for zero-day malware attacks are being poorly executed” Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide (p. 493). Kindle Edition.

Looks like lessons learned to me. I'd go with B. Preparation—making the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and establishing confidential lines of communication. It also implies creating a formal incident response plan. Identification—determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders. Containment, Eradication, and Recovery—limiting the scope and impact of the incident. The typical response is to "pull the plug" on the affected system, but this is not always appropriate. Once the incident is contained, the cause can then be removed and the system brought back to a secure state. Lessons Learned—analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident.

Lessons learned are documented after an incident. We should not wait unit after an incident happens to make changes. Since an incident has not yet occurred, this is the Preparation phase, not the Lessons Learned phase.