Design Resilience and Recovery for Security+ (SY0-701)

Understand high availability, backup strategy, site models, testing, power protection, and continuity decisions for Security+.

Security+ treats resilience as part of security because availability failures are security failures when critical systems cannot support the business. The exam wants you to understand how redundancy, backup design, site strategy, testing, and recovery objectives fit together rather than treating continuity as a separate topic.

What the exam is really testing

CompTIA is usually checking whether you can separate:

  • high availability during normal operations from recovery after disruption
  • replication from backup
  • low RTO from low RPO
  • site readiness from testing and validation

The strongest answer usually matches the recovery design to the business requirement instead of picking the most expensive continuity model automatically.

What this objective group covers

This objective group combines:

  • high availability and fault tolerance
  • site considerations such as hot, warm, and cold models
  • backup and restoration planning
  • continuity of operations and disaster recovery testing
  • power protection and environmental resilience
  • platform diversity and reduction of single points of failure

Recovery chooser

| Requirement | Strongest first concept |
| --- | --- |
| Fastest restoration with highest cost | Hot site |
| Balanced readiness and cost | Warm site |
| Lowest cost with longest setup time | Cold site |
| Minimal data loss | Lower RPO |
| Minimal service downtime | Lower RTO |

Availability and recovery are not the same thing

| Need | Strongest first concept | Why |
| --- | --- | --- |
| Keep service running if one node fails | Fault tolerance, clustering, or load balancing | This protects live availability |
| Restore deleted or corrupted data | Backup and tested restore | Replication can copy damage as well as good data |
| Resume service at another location after major outage | Site recovery plan plus failover design | This is broader than local redundancy |
| Reduce dependence on one platform or provider | Platform diversity | It lowers systemic concentration risk |

Continuity model

    flowchart TD
      A["Critical service"] --> B["Availability design"]
      B --> C["Backup or replication strategy"]
      C --> D["Restore and failover testing"]
      D --> E["Recovery execution"]

What to notice:

  • redundancy and recovery planning both matter
  • backups alone do not prove recoverability
  • testing is part of resilience, not a separate afterthought
  • the right site model depends on business recovery targets

Backup and site strategy map

| Scenario | Strongest first fit | Why |
| --- | --- | --- |
| Critical workload must be restored almost immediately | Hot site or very mature warm site | Readiness matters more than cost |
| Business can tolerate moderate delay but not full rebuild | Warm site | Balances readiness and spend |
| Long outage is acceptable if cost stays low | Cold site | Lowest standby cost, slowest recovery |
| Corruption or ransomware must be reversible | Offline or protected backup with restore testing | Replication alone can carry the damage forward |
| Local power instability threatens uptime | UPS for short-term continuity plus generator planning where needed | Power resilience is part of availability design |

Key terms to separate cleanly

  • RTO is how quickly service must return
  • RPO is how much data loss the business can tolerate
  • MTTR is how long repair actually takes
  • SLA is the promised service level, not the recovery design itself

If a question emphasizes a critical service that cannot be down for long, answers that ignore RTO or site readiness are usually weaker. If the scenario emphasizes irreplaceable or fast-changing data, the stronger answer usually protects RPO as well.

Power and platform diversity still count

Security+ does not limit resilience to backups and site labels. You should also recognize:

  • UPS for short-term power continuity and clean shutdown
  • generator support for longer power interruption where the business needs it
  • geographic separation to reduce shared physical risk
  • platform diversity to reduce one vendor, one hypervisor, or one environment becoming a total single point of failure

These controls do not replace backups or failover. They close other availability gaps that the exam may test in plain operational language.

Small continuity example

    service: payroll-portal
    rto: "2 hours"
    rpo: "15 minutes"
    primary_controls:
      - load_balanced_app_tier
      - replicated_database
      - nightly_backup_plus_point_in_time_recovery
    site_model: warm
    power:
      - ups
      - generator
    test_frequency: quarterly

What to notice:

  • RTO and RPO are both explicit
  • the site model fits the required readiness
  • backups and replication both appear
  • power and testing are treated as part of the design
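
To check a plan like the one above against its own targets, this added example (not part of the original page) scores data loss separately for site loss and for corruption, because replication only helps in the first case. The `Plan` class, its field names, and every number (replication lag, point-in-time granularity, measured failover time) are constructed assumptions.

```python
# Added example: field names and all numbers are constructed assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Plan:
    service: str
    rto_min: int                           # required time to restore service
    rpo_min: int                           # tolerated data-loss window
    replication_lag_min: Optional[int]     # None = no replication
    backup_granularity_min: Optional[int]  # None = no backups; PITR shrinks this
    failover_min: int                      # failover time measured in the last test
    days_since_restore_test: int
    test_interval_days: int


def review(plan: Plan) -> list:
    """Return findings; an empty list means the plan meets its stated targets."""
    findings = []
    # Site loss: any surviving copy helps, so take the freshest one.
    copies = [m for m in (plan.replication_lag_min, plan.backup_granularity_min)
              if m is not None]
    site_loss = min(copies) if copies else None
    # Corruption or deletion: replication copies the damage, only backups count.
    corruption = plan.backup_granularity_min
    for scenario, loss in (("site loss", site_loss), ("corruption", corruption)):
        if loss is None:
            findings.append(f"{scenario}: no usable copy")
        elif loss > plan.rpo_min:
            findings.append(f"{scenario}: loses {loss} min of data, RPO is {plan.rpo_min}")
    if plan.failover_min > plan.rto_min:
        findings.append(f"failover takes {plan.failover_min} min, RTO is {plan.rto_min}")
    if plan.days_since_restore_test > plan.test_interval_days:
        findings.append("restore test overdue: recoverability is unproven")
    return findings


# Constructed plans: the payroll example above, and a replication-only variant.
PAYROLL = Plan("payroll-portal", 120, 15, 1, 5, 90, 30, 90)
REPLICA_ONLY = Plan("payroll-portal", 120, 15, 1, None, 90, 200, 90)

if __name__ == "__main__":
    for p in (PAYROLL, REPLICA_ONLY):
        print(p.service, review(p) or "meets targets")
```

The replication-only variant passes the site-loss check but fails the corruption check, which is the gap the "replication is not backup" trap describes.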

Common traps

  • confusing backups with high availability
  • assuming replication automatically replaces backups
  • choosing the most expensive recovery model when the business requirement does not justify it
  • forgetting to test recovery procedures

Harder scenario question

A hospital uses a patient-record system that cannot be down for long and cannot tolerate much recent data loss. The team already replicates the database to another site, but no one has tested restoration from backup in months. Which answer is strongest?

A. Replication is enough because the data already exists in two places
B. Add a login banner to the system and keep the current recovery model
C. Keep the replication design, but also validate backup restoration and confirm the site strategy meets the required RTO and RPO
D. Replace the whole environment with a cold site to reduce cost

Best answer: C. The scenario is about recoverability, not just duplication. Security+ favors answers that protect both availability and restoration integrity.

Continue with 4. Security Operations to move from architecture choices into day-to-day defensive operations.