CISSP Domain-1: Security Governance and Risk Management
Consider this domain the essential foundation upon which all your other cybersecurity knowledge will be built. This domain establishes the foundational mindset for security leadership.
1.1 Understand, Adhere to, and Promote Professional Ethics
A strong ethical foundation is the bedrock of any successful security program. For a Certified Information Systems Security Professional (CISSP), ethics are not optional guidelines; they are a mandatory framework for building trust, exercising professional judgment, and making sound decisions when the stakes are high.
This is precisely why ISC2 tests this subject so directly and holds it in the highest regard.
Deconstructing the ISC2 Code of Professional Ethics
Preamble: The safety and welfare of society and the common good, the duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.
The Four Canons (In Order of Priority)
Protect society, the common good, necessary public trust and confidence, and the infrastructure. Think globally first. Your primary duty is to the public good, which takes precedence over any other obligation, including those to your employer.
Act honorably, honestly, justly, responsibly, and legally. This is about your personal and professional integrity. Be the person others can trust. Your actions must always be above reproach.
Provide diligent and competent service to principals. This is your duty to your employer or client. You are expected to do your job competently, professionally, and to the best of your ability.
Advance and protect the profession. This is your duty to the cybersecurity field itself. Uphold the profession's reputation, share knowledge, and mentor others to strengthen our community.
EXAM FOCUS
It is absolutely critical that you memorize the four Canons of the ISC2 Code of Ethics in the order presented. The exam will present scenarios where these ethical duties conflict. To find the correct answer, you must resolve the conflict by applying Canons in their strict hierarchical order. The first Canon always wins.
1.2 Applying Foundational Security Concepts
When you can clearly map a security control back to one of these pillars, you are demonstrating a mature understanding of how security enables and protects the business.
Pillars of Information Security
The traditional CIA triad has been expanded to include two additional principles that are vital in today's interconnected digital landscape.
| Pillar | Core Function | Exam-Ready Example |
|---|---|---|
| Confidentiality | Prevents the unauthorized disclosure of information. | Encrypting a hard drive to protect data if the laptop is stolen. |
| Integrity | Prevents unauthorized or accidental changes to assets, ensuring they are accurate and meaningful. | Using a cryptographic hash (e.g., SHA-256) to verify that a downloaded file has not been altered. |
| Availability | Ensures that organizational assets are accessible when required by stakeholders. | Implementing redundant servers in a high-availability cluster to prevent downtime. |
| Authenticity | Proves that an asset is legitimate and has a verified origin ("proof of origin"). | Using a digital signature to verify that an email was sent by the claimed sender. |
| Non-repudiation | Assures that a party cannot dispute the validity of an action or deny having done something. | A digitally signed contract that legally prevents the signer from later denying they signed it. |
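The Integrity and Authenticity rows are easy to confuse, so here is an added example (not part of the original guide) that separates them in code. It uses only the Python standard library: a SHA-256 hash for the integrity check and a keyed HMAC tag standing in for the publisher's digital signature. The artifact, the published hash and the publisher key are all constructed values. One caveat the example deliberately exposes: a plain hash contains no secret, so anyone who alters the bytes can recompute a matching hash; only the keyed tag ties the bytes to the key holder. Because an HMAC key is shared, it gives authenticity but not non-repudiation; a true asymmetric signature, as the table describes, is what adds the latter.

```python
import hashlib
import hmac

# Constructed sample artifact and the SHA-256 its publisher advertised next to it.
ORIGINAL = b"config_version=3\nallow_remote_admin=false\n"
PUBLISHED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()

# Constructed key standing in for a secret only the legitimate publisher holds (assumption).
PUBLISHER_KEY = b"example-publisher-key-not-for-real-use"
PUBLISHED_TAG = hmac.new(PUBLISHER_KEY, ORIGINAL, hashlib.sha256).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_sha256: str) -> bool:
    """Integrity pillar: the bytes received match the hash that was published."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256)


def mac_for(data: bytes, key: bytes) -> str:
    """Keyed tag over the data; only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authenticity_ok(data: bytes, tag: str, key: bytes) -> bool:
    """Authenticity pillar: the tag was produced by a holder of the publisher's key."""
    return hmac.compare_digest(mac_for(data, key), tag)


def tamper(data: bytes) -> bytes:
    """Constructed in-transit modification by an unauthorized party."""
    return data.replace(b"allow_remote_admin=false", b"allow_remote_admin=true")


def evaluate(data: bytes, claimed_sha256: str, claimed_tag: str) -> dict:
    """Report which of the two pillars the received artifact satisfies."""
    return {
        "integrity": integrity_ok(data, claimed_sha256),
        "authenticity": authenticity_ok(data, claimed_tag, PUBLISHER_KEY),
    }


def scenario_untouched() -> dict:
    """Artifact delivered as published: both checks pass."""
    return evaluate(ORIGINAL, PUBLISHED_SHA256, PUBLISHED_TAG)


def scenario_tampered_hash_kept() -> dict:
    """Bytes altered, publisher's hash and tag left in place: both checks fail."""
    return evaluate(tamper(ORIGINAL), PUBLISHED_SHA256, PUBLISHED_TAG)


def scenario_tampered_hash_recomputed() -> dict:
    """Bytes altered and the hash recomputed over them. The bare hash now 'verifies',
    because a hash carries no secret, but a tag cannot be forged without the
    publisher's key, so the authenticity check still fails."""
    modified = tamper(ORIGINAL)
    forged_tag = mac_for(modified, b"a-key-the-unauthorized-party-guessed")
    return evaluate(modified, sha256_hex(modified), forged_tag)


if __name__ == "__main__":
    for name in ("scenario_untouched", "scenario_tampered_hash_kept",
                 "scenario_tampered_hash_recomputed"):
        print(f"{name}: {globals()[name]()}")
```

The third scenario is the one worth remembering for the exam: a published checksum alone supports Integrity, and only a key-bound mechanism supports Authenticity.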
EXAM FOCUS
Expect exam questions that test your deep understanding of how specific controls map back to these core principles. Be prepared to analyze a scenario and identify which pillar a control is designed to support. Furthermore, do not neglect Authenticity and Non-repudiation; you must be able to clearly distinguish their functions and apply them to modern security challenges like digital signatures and identity verification.
1.3 Security Governance Principles
Understanding the precise language of governance is critical for success on the CISSP exam and in your career.
Accountability vs. Responsibility
Accountability is the ultimate ownership of a risk or an asset. It cannot be delegated. The person who is accountable is the one who will ultimately answer for the outcome.
Responsibility refers to the tasks and duties assigned to an individual to manage or protect an asset. Responsibility can be delegated.
Ultimate accountability for security governance rests with senior management and the board.
Due Care vs. Due Diligence
Due Care is the action of acting responsibly to protect assets. It is the implementation of controls and practices that a prudent person would use in a similar situation.
Memory hook: “Due care is the responsible protection of assets.”
Due Diligence is the proof that due care was taken. It involves research, investigation, and verification activities.
Memory hook: “Due diligence is the ability to prove due care.”
Scoping vs. Tailoring
Scoping is the process of determining which security controls are applicable to an organization or system.
Tailoring is the process of refining and enhancing the “in-scope” controls to make them more effective and aligned with the specific goals and environment of the organization.
Security Roles and Responsibilities
| Role | Primary Security Function (Accountability/Responsibility) |
|---|---|
| Owners / Controllers / Functional Leaders / Senior Management | Accountable for ensuring appropriate security controls are implemented, determining sensitivity/classification levels, and determining access privileges. |
| Information Systems Security Professionals / IT Security Officer | Responsible for the design, implementation, management, and review of the organization's security policies, standards, baselines, procedures, and guidelines. |
| Information Technology (IT) Officer | Responsible for developing and implementing technology solutions, reviewing new IT alternatives, and working with security and BCM teams to ensure operational continuity. |
| IT Function | Responsible for implementing and adhering to security policies. |
| Operator / Administrator | Responsible for managing systems, applying patches, and managing user permissions per the owner's specifications. |
| Network Administrator | Responsible for maintaining computer networks, resolving issues, and configuring networking equipment and systems. |
| Users | Responsible for following security policies and procedures in their daily work. |
| Information Systems Auditors | Responsible for providing independent assurance that security objectives are appropriate and have been met. |
EXAM FOCUS
Remember this rule: The data owner is always accountable for the data, no matter who is responsible for managing it day-to-day.
1.4 Determine Compliance and Other Requirements
Failure to meet compliance requirements can result in severe financial penalties, reputational damage, and legal action, which makes compliance a core driver of security strategy.
Intellectual Property Protections
Intellectual property (IP) is often an organization's most valuable asset. Understanding how to protect it is crucial.
| Term | Protects | Disclosure Required | Term of Protection | Protects Against |
|---|---|---|---|---|
| Trade Secret | Business information | No | Potentially infinite | Misappropriation |
| Patent | Functional innovations, novel ideas, inventions | Yes | Set period | Making, using, or selling an invention |
| Copyright | Expression of an idea in a fixed medium (books, songs) | Yes | Set period of time | Copying or substantially similar work |
| Trademark | Color, sound, symbol distinguishing a product/company | Yes | Potentially infinite | Creating confusion |
EXAM FOCUS
Focus on clearly distinguishing between the four types of intellectual property and their unique protection.
1.5 Understand Legal and Regulatory Issues that Pertain to Information Security in a Holistic Context
Understanding Data Privacy and Cross-Border Flows
Privacy is the right of an individual to be free from being observed or disturbed. This concept is central to laws governing Personal Data, which is any information that can uniquely identify an individual. This data may be referred to as Personally Identifiable Information (PII), Sensitive Personal Information (SPI), or Personal Health Information (PHI).
When this data moves across national borders, it is subject to Transborder Data Flow laws.
The OECD Privacy Guidelines provide an influential (though not mandatory) framework for handling personal data, based on principles such as:
Collection Limitation
Data Quality
Purpose Specification
Use Limitation
Security Safeguards
Openness
Individual Participation
Accountability
The CISSP exam tests recognition of privacy principles, not memorization of detailed legal text.
Key roles in the privacy realm include:
Data Owners (accountable for data protection)
Data Custodians (responsible for protecting data based on owner input)
Data Processors (process data on behalf of the owner)
Data Subjects (the individuals to whom the data relates)
Analyzing Import/Export Controls
Import and export controls are national laws that manage the movement of products, technologies, and information across borders to protect national security and economic interests.
The Wassenaar Arrangement: An agreement among participating countries to manage the risk of cryptography while facilitating trade, aiming to prevent its acquisition by terrorists.
International Traffic in Arms Regulations (ITAR): A U.S. regulation controlling the export of items on the United States Munitions List (USML), such as missiles and bombs.
Export Administration Regulations (EAR): A U.S. regulation focused on commercial and "dual-use" items (items with both commercial and potential military applications), such as computers and lasers.
EXAM FOCUS
CISSP questions in this area test jurisdiction, accountability, and data handling obligations, not detailed legal statutes.
1.6 Developing and Implementing Security Documentation
Formal documentation is the essential mechanism by which management's intent is translated into actionable security practice. This hierarchy of documents provides clarity, consistency, and the authority needed to operate a security program effectively. Without clear, approved documentation, security efforts can become inconsistent, unauditable, and unenforceable.
Security Governance Documents
Understanding the relationship between these documents is key. They flow from the general to the specific.
Policies — The “Why” - High-level documents that communicate management's goals and objectives. Policies are high-level and mandatory.
Standards — The “What” - Mandatory requirements for specific hardware and software, e.g., “All firewalls must be Cisco ASA”. Standards are specific and mandatory.
Baselines — The “How Much” - A defined minimal level of security for a system, e.g., “All servers must be hardened to this specific configuration level.”
Procedures — The “How” - Detailed, step-by-step instructions for performing a task, e.g., “The procedure for new user onboarding”. Procedures are step-by-step and mandatory.
Guidelines — The “Should” - Recommended actions and best practices that are not mandatory. This is a key distinction.
EXAM FOCUS
Exam questions will test your ability to differentiate between these document types based on a given scenario.
1.7 Enforcing Personnel Security
Personnel security policies are critical for mitigating risks from both malicious insider threats and unintentional human error. These controls must be applied consistently throughout the entire employee lifecycle—from the moment a candidate is screened to long after they have left the organization. They are designed to prevent and detect fraud, error, and abuse of privilege.
Key Personnel Security Controls
Job Rotation: Prevents long-term fraud and provides valuable cross-training for staff.
Mandatory Vacation: A powerful detective control that can uncover malicious activity being concealed.
Separation of Duties: A preventive control that ensures no single individual can complete a critical task alone.
Need-to-Know and Least Privilege: Least Privilege grants minimum permissions; Need-to-Know restricts sensitive info to only those who truly need it.
Managing the Employee Lifecycle
Candidate Screening: Background checks and qualification verification before an offer is extended.
Employment Agreements (Onboarding): Review security policies, acceptable use, and sign NDAs before system access.
Employee Termination (Offboarding): Disable all access, retrieve assets, and communicate departure to relevant parties.
EXAM FOCUS
Remember: Separation of Duties is primarily used to prevent fraud. Job Rotation and Mandatory Vacation are primarily used to detect fraud.
1.8 Applying Core Risk Management Concepts
Risk management is the core process for identifying, assessing, and treating threats to organizational assets. It is the engine that drives a mature security program. This is not a one-time technical assessment but a continuous, business-driven cycle that helps leaders make informed decisions. The goal is to apply resources economically to minimize, monitor, and control the probability and impact of risks to a level that is acceptable to the organization.
1. Asset Valuation
Before you can protect something, you must understand its value. This is done through two primary methods:
| Qualitative Analysis | Quantitative Analysis |
|---|---|
| Does not assign monetary value. | Assigns objective monetary values. |
| Uses a relative ranking system (e.g., Low, Medium, High). | Aims for a fully quantitative process. |
| Relatively simple and efficient. | Can be difficult and time-consuming. |
2. Risk Analysis
This phase involves identifying the threats and vulnerabilities associated with each asset to determine the overall risk. Risk exists at the intersection of assets, threats, and vulnerabilities. To quantify risk, use the Annualized Loss Expectancy (ALE) formula:
ALE = SLE × ARO
SLE (Single Loss Expectancy) = AV (Asset Value) × EF (Exposure Factor)
ARO (Annualized Rate of Occurrence) is the expected number of times the loss event will occur in one year.
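The formula is short, but exam scenarios ask you to carry it through end to end, so here is an added example (not part of the original guide) that does so in Python. The asset value, exposure factor, ARO and safeguard costs are constructed figures. It goes one step beyond the text by comparing the ALE before and after a proposed control against the control's annual cost, which is the standard way the quantitative numbers feed the "mitigate or accept" decision described in the next step.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskProfile:
    """Quantitative inputs for one asset/threat pair (constructed values below)."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float              # ARO, expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(before: RiskProfile, after: RiskProfile, annual_cost: float) -> float:
    """Annual value of a safeguard: (ALE before) - (ALE after) - annual cost of the safeguard.
    A positive result means the control saves more than it costs."""
    return before.ale() - after.ale() - annual_cost


def recommend_response(before: RiskProfile, after: RiskProfile, annual_cost: float) -> str:
    """Constructed decision rule: mitigate with this control when it is cost-justified,
    otherwise accept the risk (or look for a cheaper control)."""
    return "mitigate" if safeguard_value(before, after, annual_cost) > 0 else "accept"


# Constructed scenario: a file server valued at 200,000. A ransomware event is expected to
# destroy 25% of that value (EF = 0.25) and to occur about once every two years (ARO = 0.5).
BEFORE = RiskProfile(asset_value=200_000, exposure_factor=0.25, aro=0.5)
# A tested backup-and-restore capability does not change how often the event happens, but
# cuts the fraction of value lost per event to 5%.
AFTER = RiskProfile(asset_value=200_000, exposure_factor=0.05, aro=0.5)

if __name__ == "__main__":
    print(f"SLE before = {BEFORE.sle():,.0f}; ALE before = {BEFORE.ale():,.0f}; "
          f"ALE after = {AFTER.ale():,.0f}")
    for cost in (12_000, 25_000):
        value = safeguard_value(BEFORE, AFTER, cost)
        print(f"control costing {cost:,}/yr: value {value:,.0f} -> {recommend_response(BEFORE, AFTER, cost)}")
```

With these figures SLE is 50,000 and ALE is 25,000 per year; the control brings ALE down to 5,000, so it is worth buying at 12,000 per year (net value 8,000) but not at 25,000 per year (net value -5,000).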
3. Risk Treatment/Response
Once risk is analyzed, management must decide how to respond. There are four options:
Avoid: Stop performing the activity that creates the risk.
Transfer: Share the risk with another party, typically through insurance.
Mitigate: Implement controls to reduce the risk to an acceptable level.
Accept: Take no action and accept the risk as it is.
Risk Appetite vs. Risk Tolerance
Risk appetite defines the amount of risk an organization is willing to accept to achieve its objectives, while risk tolerance defines the acceptable deviation from that appetite. Risk appetite is set by senior management and the board.
Classifying Security Controls
| Control Type | Primary Function |
|---|---|
| Directive | Directs or encourages compliance with policy (e.g., a "No Trespassing" sign). |
| Deterrent | Discourages the violation of policy (e.g., a "Guard Dog on Duty" sign). |
| Preventive | Prevents an undesired event from occurring (e.g., a locked door, a firewall). |
| Detective | Identifies that a risk has occurred after the event (e.g., an audit log, a security camera). |
| Corrective | Minimizes the damage after an event has occurred (e.g., an antivirus program cleaning a virus). |
| Recovery | Restores systems to normal after an incident (e.g., restoring from backups). |
| Compensating | Makes up for a lack in another control (e.g., supervision when separation of duties isn't possible). |
These controls are layered using the Defense-in-Depth strategy, combining Administrative (policies, procedures), Technical/Logical (firewalls, access control lists), and Physical (fences, locks, guards) controls to create a robust security posture.
EXAM FOCUS
Be completely fluent in the ALE formula and its components (AV, EF, SLE, ARO). You must know the four risk responses and be able to choose the appropriate one for a given scenario.
1.9 Applying Threat Modeling Methodologies
Threat modeling is a proactive and systematic approach to security. Instead of waiting for attacks to happen and then reacting, threat modeling allows us to identify, enumerate, and prioritize potential threats and vulnerabilities before a system is even built.
Comparing Threat Modeling Methodologies
For the exam, you should be familiar with these three major methodologies.
| Methodology | Focus | Key Elements/Stages |
|---|---|---|
| STRIDE | Threat-focused. A model for identifying and categorizing threats. | Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-service, Elevation of privilege. |
| PASTA | Attacker-focused. A risk-centric methodology that is more strategic and detailed. | Define objectives, Define scope, Application decomposition, Threat analysis, Vulnerability analysis, Attack modeling, Risk & impact analysis. |
| DREAD | Risk-ranking. A model used to measure and rank the severity of threats. | Damage, Reproducibility, Exploitability, Affected users, Discoverability. |
EXAM FOCUS
You must memorize the acronyms for STRIDE and DREAD. Understand the key difference in their approaches: STRIDE is a model for identifying threats, while PASTA is a more comprehensive, attacker-focused process. DREAD is not used to find threats, but to rank the severity of threats that have already been identified, often by a method like STRIDE.
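To make the STRIDE-then-DREAD relationship concrete, here is an added example (not code from the original guide) in which each threat is first labelled with its STRIDE category and then scored with DREAD to decide what gets fixed first. The three threats for a hypothetical web portal and their ratings are constructed; the 1-10 rating scale per DREAD factor and the use of the plain average as the severity score are assumptions, since organizations vary in how they scale and weight the factors.

```python
from dataclasses import dataclass

# STRIDE categories (from the table above), keyed by their initial letter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# The five DREAD factors, in acronym order.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str          # one STRIDE letter: what kind of threat this is
    damage: int          # each DREAD factor rated 1 (low) to 10 (high); assumed scale
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for factor in DREAD_FACTORS:
            if not 1 <= getattr(self, factor) <= 10:
                raise ValueError(f"{factor} must be rated 1-10")

    def dread_score(self) -> float:
        """Severity as the mean of the five DREAD ratings; higher means fix sooner."""
        return sum(getattr(self, f) for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def rank_threats(threats):
    """DREAD does not find threats; it orders the ones STRIDE already identified."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


def ranked_summary(threats):
    """(rank, STRIDE category, score, name) rows ready for a risk register."""
    return [(i + 1, STRIDE[t.stride], t.dread_score(), t.name)
            for i, t in enumerate(rank_threats(threats))]


# Constructed threat list for a hypothetical customer portal, already categorized with STRIDE.
PORTAL_THREATS = [
    Threat("Customer records readable via an unauthenticated report endpoint", "I", 8, 9, 7, 9, 7),
    Threat("Administrator role reachable through an unvalidated role parameter", "E", 10, 3, 2, 10, 3),
    Threat("Login service exhausted by unthrottled password-reset requests", "D", 5, 10, 9, 5, 10),
]

if __name__ == "__main__":
    for rank, category, score, name in ranked_summary(PORTAL_THREATS):
        print(f"{rank}. [{category}] {score:.1f} {name}")
```

Note how the privilege-escalation threat has the highest Damage rating yet ranks last: its low Reproducibility, Exploitability and Discoverability pull the average down, which is exactly the kind of trade-off DREAD is meant to surface after STRIDE has done the identifying.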
1.10 Applying Supply Chain Risk Management (SCRM)
Supply Chain Risk Management (SCRM) is the critical process of extending your internal risk management practices beyond your own walls to identify, assess, and mitigate the risks introduced by third-party relationships such as vendors, suppliers, and service providers.
Analyzing Key SCRM Documents
Clear documentation is essential for managing third-party relationships and ensuring security requirements are met.
Service Level Requirements (SLR): The foundational document created before a contract is signed. The SLR outlines the customer's detailed needs, service level targets, and mutual responsibilities.
Service Level Agreement (SLA): The formal, contractual agreement put in place after a service is acquired. The SLA codifies the agreed-upon obligations from the SLR.
Service Level Reports: Ongoing reports issued by the vendor to the client, providing metrics on the provider's ability to deliver services as defined in the SLA.
EXAM FOCUS
Remember the sequence: A Service Level Requirement (SLR) defines the customer's needs before a contract exists. A Service Level Agreement (SLA) codifies the vendor's obligations within the formal contract.
1.11 Maintaining Security Awareness, Education, and Training
It is essential to distinguish between the three components:
Awareness creates sensitivity to security issues
Training teaches specific skills to perform a task securely
Education develops fundamental understanding and decision-making abilities
Common Delivery Methods
Live in-person or online training sessions
Pre-recorded training modules
Regular communications and awareness campaigns (e.g., newsletters, posters)
Phishing simulations and other practical exercises
Mandatory completion requirements and reward or incentive programs
Key Effectiveness Metrics
Number of employees completing the required training
Tracking of how well staff members performed on assessments or simulations
Number of people reporting suspicious activities after training completion
Reduction in clicks on simulated phishing links and other negative behaviors
Overall reduction in security incidents related to human error
EXAM FOCUS
Remember that the ultimate goal of Awareness programs is to change behavior, not just to check a compliance box. For the exam, the most effective programs are those that are continuous, engaging, tailored to the audience, and have clear metrics to prove their positive impact on the organization's security posture.
Conclusion
You have now worked through the core concepts of CISSP Domain 1. This domain provides the strategic "why" that gives meaning to all the technical controls in the other domains. View these principles—ethics, governance, risk, and compliance—as the framework for your decision-making as a security leader. By mastering this foundational mindset, you have taken a massive step forward in your preparation. Keep this strategic perspective as you move through the rest of your studies, and you will be well on your way to earning your CISSP certification.