Incident Response Process: CISSP CIB vs SANS/Generic

Hi all.
So I'm studying for my CISSP exam and I came across something I'm unclear on. In my daily duties, I abide by the SANS Incident Response process, which is referenced in a number of materials (both study material and other InfoSec stuff) as such:
Acronym: PICERL
1. Preparation
2. (Identification) Detection & Analysis
3. Containment
4. Eradication
5. Recovery
6. (Lessons Learned) Post-Incident Activity
However, on page 19 of the CISSP CIB, it explicitly lists the process steps as:
1. Detection
2. Response
3. Reporting
4. Recovery
5. Remediation and review
You can view this at: https://www.isc2.org/uploadedfiles/%28isc%292_public_content/exam_outlines/cissp-cib.pdf
It appears the CIB leaves the first step (Preparation) out and classifies the Eradication step as Reporting.
Any comments? I just don't like inconsistency and want to have all phases for all processes right in my mind for the exam.
Thanks,
Jon
Comments
That's as may be. But a number of CISSP resources reference the SANS process (not by name, as it's not owned by SANS; it's the industry-standard approach). The fact is, ISC2 usually abide by industry-standard processes; they're vendor-neutral. I just don't get why they invent their own process when the rest of the industry uses the other process (and the industry process makes more sense - removing preparation doesn't make sense).
-Preparation
-Detection and Analysis
-Containment, Eradication, and Recovery
-Post-Incident Activity