CISSP Mastery
Domain 1: 16% of exam

Security and Risk Management

12 lessons ~6h


The foundation of the entire CBK and the most heavily weighted domain. It establishes the language of security — the CIA triad and its extensions, governance, law and compliance, risk management, and the human program (ethics, BCP, personnel, awareness). Master the risk vocabulary here; it recurs in every other domain.

Lessons

  1. 1.1

    Understand, adhere to, and promote professional ethics

    Know the ISC2 Code of Professional Ethics — especially the four mandatory canons and their order, which governs how to resolve conflicts. Organizations layer their own code of ethics on top.

    ~20 min

  2. 1.2

    Understand and apply security concepts

    The 5 Pillars of Information Security extend the classic CIA triad. Be able to define each pillar and give a control that supports it.

    ~25 min

  3. 1.3

    Evaluate and apply security governance principles

    Security must align to business strategy, goals, mission, and objectives. Know the major control frameworks and the difference between due care (doing the right thing) and due diligence (researching/verifying it).

    ~40 min

  4. 1.4

    Legal, regulatory, and compliance issues (holistic context)

    Understand the major categories of computer crime, intellectual property protections, and the global privacy landscape (GDPR, CCPA, PIPL, POPIA). Know transborder data flow constraints.

    ~45 min

  5. 1.5

    Requirements for investigation types

    The standard of proof and procedures differ by investigation type. Administrative (lowest bar), civil (preponderance of evidence), criminal (beyond a reasonable doubt), regulatory, and industry-standards investigations.

    ~25 min

  6. 1.6

    Develop, document, and implement security documentation

    Know the document hierarchy: policy (mandatory, high-level) → standards (mandatory specifics) → procedures (step-by-step) → guidelines (recommended). Baselines set minimums.

    ~25 min

  7. 1.7

    Business Continuity (BC) requirements

    The BIA is the cornerstone of BCP: it identifies critical functions and sets recovery metrics (RTO, RPO, MTD, WRT). Distinguish BCP (keep the business running) from DRP (restore IT).

    ~35 min

  8. 1.8

    Contribute to and enforce personnel security policies

    Security follows the employee lifecycle: screening/hiring, agreements (NDA, AUP), onboarding/transfers/termination, and third-party controls. Separation of duties and least privilege start here.

    ~30 min

  9. 1.9

    Understand and apply risk management concepts

    The most testable lesson in Domain 1. Know quantitative formulas (AV, EF, SLE = AV×EF, ARO, ALE = SLE×ARO) vs qualitative analysis, the four risk responses (mitigate, transfer, avoid, accept), residual risk, and control types/categories.

    ~55 min

  10. 1.10

    Threat modeling concepts and methodologies

    Threat modeling identifies and rates threats systematically. Know STRIDE (Microsoft), PASTA, DREAD, and attack trees, and where reduction analysis fits.

    ~30 min

  11. 1.11

    Apply Supply Chain Risk Management (SCRM) concepts

    Third-party and product supply chains introduce tampering, counterfeit, and implant risks. Mitigate with third-party assessment/monitoring, minimum security and SLA requirements, silicon root of trust, PUF, and an SBOM.

    ~30 min

  12. 1.12

    Security awareness, education, and training program

    Distinguish awareness (what), training (how), and education (why). Keep content fresh against emerging tech, and measure program effectiveness.

    ~25 min