Domain 1: Security and Risk Management

Exam weight: 15%
Subdomains: 12
1.1 Understand, adhere to, and promote professional ethics

Key Concepts:
ISC2 Code of Professional Ethics
Organizational code of ethics
1.2 Understand and apply security concepts

Key Concepts:
CIA triad
Authenticity
Nonrepudiation
5 Pillars of Information Security
1.3 Evaluate and apply security governance principles

Key Concepts:
Business alignment
Organizational processes
Security control frameworks
ISO
NIST
COBIT
SABSA
PCI
FedRAMP
Due care/due diligence
1.4 Understand legal, regulatory, and compliance issues

Key Concepts:
Cybercrimes
Data breaches
Licensing
IP requirements
Import/export controls
Transborder data flow
GDPR
CCPA
Industry standards
1.5 Understand requirements for investigation types

Key Concepts:
Administrative
Criminal
Civil
Regulatory
Industry standards
1.6 Develop, document, and implement security policy, standards, procedures, and guidelines

Key Concepts:
Policy development
Standards
Procedures
Guidelines
1.7 Identify, analyze, assess, prioritize, and implement Business Continuity requirements

Key Concepts:
Business impact analysis
External dependencies
1.8 Contribute to and enforce personnel security policies and procedures

Key Concepts:
Candidate screening
Employment agreements
Onboarding
Transfers
Termination
Vendor controls
1.9 Understand and apply risk management concepts

Key Concepts:
Threat identification
Vulnerability identification
Risk analysis
Risk response
Control types
Continuous monitoring
Risk frameworks
1.10 Understand and apply threat modeling concepts and methodologies

Key Concepts:
Threat modeling
Methodologies
1.11 Apply Supply Chain Risk Management (SCRM) concepts

Key Concepts:
Product tampering
Counterfeits
Implants
Third-party assessment
Minimum security requirements
Software bill of materials
1.12 Establish and maintain a security awareness, education, and training program

Key Concepts:
Social engineering
Phishing
Security champions
Gamification
Emerging technologies
Program effectiveness