(ISC)² CBK Objectives
The 13 official learning areas of Domain 1. Click an objective for detail.
Understand, adhere to and promote Professional Ethics
(ISC)² ethics boils down to 4 ordered canons: protect society first; act honourably; serve principals diligently; advance and protect the profession. The order is prescriptive: in case of conflict, the higher canon wins.
Key points
- 4 ISC² canons + oath signed upon certification
- Prescriptive order (not optional)
- Compare with other codes: IEEE, ACM, ISACA
Understand and apply security concepts
CIA triad (Confidentiality, Integrity, Availability), its mirror DAD (Disclosure, Alteration, Destruction), and the IAAAA access-control cycle. Every security decision is a trade-off among these pillars; strengthening one at the expense of another is an anti-pattern.
Key points
- CIA + CIAAN (add Authenticity, Non-repudiation)
- IAAAA: Identification → Authentication → Authorization → Accountability → Auditing
- Non-repudiation via digital signatures
Evaluate and apply security governance principles
Governance aligns security with the business. It sets roles (board, CISO, DPO, owners), responsibilities (RACI), high-level policies, and steering metrics (KPI/KRI). Key frameworks: ISO 27001 (ISMS), NIST CSF, COBIT (IT governance), COSO (internal control).
Key points
- Governance = WHAT. Management = HOW. Operations = DO.
- Top management is ACCOUNTABLE; the CISO is RESPONSIBLE
- Business alignment via COBIT and executive dashboards
Determine compliance and other requirements
Identify applicable obligations: laws (GDPR, HIPAA, SOX, FISMA), contracts (PCI-DSS, SLA), industry standards (ISO 27001, SOC 2). Non-compliance exposes to: regulatory fines, contractual penalties, customer loss, lawsuits.
Key points
- Map obligations by asset and jurisdiction
- GDPR: 72-h breach notification, fines up to 4 % revenue
- SOC 2: Trust Services Criteria (5: security, availability, integrity, confidentiality, privacy)
Understand legal and regulatory issues
Three law categories: criminal (State vs individual, imprisonment), civil (individual vs individual, damages), administrative (regulators). Three systems: common law (Anglo-Saxon), civil law (continental Europe), religious. IP: copyright, patent, trademark, trade secret.
Key points
- Burden of proof: criminal = beyond reasonable doubt; civil = balance of probabilities
- International data transfers (e.g. outside EU): Standard Contractual Clauses
- IP: 4 types, different durations
Understand requirements for investigation types
4 investigation types: administrative (internal HR), criminal (police, proof beyond doubt), civil (damages), regulatory (regulator). Each has its own evidence rules and chain of custody. Locard's principle: every contact leaves a trace.
Key points
- Chain of custody: evidence traceability (who, when, where, why)
- Evidence: authentic, accurate, complete, convincing, admissible
- Forensics: order of volatility (RAM, cache, disk, backup)
Develop, document and implement security policy, standards, procedures, guidelines
Normative hierarchy: Policy (intent, what) > Standard (mandatory, precise what) > Procedure (how, step-by-step) > Guideline (recommended). A baseline = minimum to meet. Policies are reviewed yearly and upon major changes.
Key points
- Policy signed by top management = binding effect
- Procedure = executable by any qualified person
- Guideline is non-binding, Standard is binding
Identify, analyze and prioritize business continuity requirements
BCP covers enterprise survival during a major incident. It relies on the BIA (Business Impact Analysis) which assesses the criticality and impact of each process. The DRP is the fast IT recovery subplan.
Key points
- BIA before BCP: no planning without measuring first
- RTO (restore) ≤ MTD (max tolerance). RPO (data loss) = upper bound
- Tests: desk check, table-top, simulation, parallel, full-interruption
Contribute to and enforce personnel security policies and procedures
HR security: pre-hire controls (background check, references), during (training, NDA, SoD), at exit (offboarding, access revocation, exit interview, gear return). Humans remain the #1 incident vector.
Key points
- Offboarding is more critical than onboarding for leaks
- NDA before exposure, not after
- Privileged candidates: enhanced background check
Understand and apply risk management concepts
Full cycle: identify (assets + threats + vulnerabilities), assess (qualitative P×I or quantitative SLE/ALE), treat (MART: Mitigate, Accept, Reject, Transfer), monitor. Risk register = single source of truth, reviewed regularly.
Key points
- SLE = AV × EF ; ALE = SLE × ARO
- Residual risk = Inherent - Controls. Must be under risk appetite.
- Acceptance = signed by risk owner, not ignored
Understand threat modeling concepts and methodologies
Model threats at design time. Methods: STRIDE (categorize 6 types), DREAD (scoring), PASTA (7-step process), Attack trees. Best ROI when applied early in the SDLC.
Key points
- STRIDE = categories; DREAD = scoring
- Earlier = cheaper to fix (shift-left)
- A data flow diagram is the foundation of threat modeling
Apply Supply Chain Risk Management (SCRM)
Assess and control risks from vendors and subcontractors: pre-onboarding security audit, contractual clauses (SLA, audit rights, notification), continuous monitoring. Crucial since SolarWinds.
Key points
- Vendor questionnaires (SIG, CAIQ) + SOC 2 Type II
- SBOM (Software Bill of Materials) to trace components
- 4th parties: subcontractors of your subcontractors
Security awareness, education and training program
Three levels: Awareness (broad, short reminders), Training (skills, role-oriented), Education (deep understanding, certifications). Measure effectiveness via phishing tests, quizzes, clear KPIs.
Key points
- Awareness ≠ Training ≠ Education (deeper in that order)
- Role-targeted: dev ≠ HR ≠ exec
- KPIs: phishing click rate, completion rate, quiz results
Key concepts
CIA Triad
Confidentiality (access restrictions, encryption), Integrity (non-repudiation, authenticity), Availability (reliable, timely access). Primary goal of any security programme.
DAD opposite
Disclosure, Alteration, Destruction - mirror opposite of CIA; what security tries to prevent.
I-AAAA
Identification → Authentication → Authorization → Accountability → Auditing. Full access-control lifecycle: who are you, are you really you, may you do this, who owns it, what did you do.
Asset / Vulnerability / Threat / Risk
Asset = anything of value. Vulnerability = weakness. Threat = potential harmful event. Threat Agent = who carries it out. Exploit = concrete compromise instance. Risk = likelihood × impact.
Risk treatments
Mitigate, Accept, Reject/Avoid, Transfer (e.g. insurance). Mnemonic: MART.
SoD, Least Privilege, Job Rotation
Separation of Duties (prevent single-person total power), Least Privilege (strict minimum), Job Rotation (periodic rotation to surface fraud), Dual Control (two people required).
STRIDE & DREAD threat models
STRIDE (Microsoft) = Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege. DREAD = Damage, Reproducibility, Exploitability, Affected users, Discoverability (scoring).
Data classification
Assess data sensitivity to decide protection level. Controls follow classification, never the other way round.
Governance frameworks
ISO 27001/27002 (controls), NIST RMF (risk mgmt), COBIT (IT governance), COSO (internal control), ITIL (IT operations), OCTAVE (self-directed risk).
ISC² Code of Ethics - 4 canons
1) Protect society, the common good, public trust and infrastructure. 2) Act honourably, honestly, justly, responsibly and legally. 3) Provide diligent and competent service to principals. 4) Advance and protect the profession.
Frameworks & standards
| Framework | Role |
|---|---|
| ISO/IEC 27001 | Information security management system (ISMS). |
| ISO/IEC 27002 | Catalogue of security controls. |
| NIST SP 800-30 | Risk assessment methodology (qualitative + quantitative). |
| NIST RMF (800-37) | Full IT risk management lifecycle. |
| COBIT | Business-aligned IT governance. |
| COSO | Internal control and financial reporting. |
| ITIL | IT service management best practices. |
| OCTAVE | Self-directed organisational risk assessment. |
Acronyms
| Acronym | Meaning |
|---|---|
| CIA | Confidentiality, Integrity, Availability |
| DAD | Disclosure, Alteration, Destruction |
| IAAAA | Identification, Authentication, Authorization, Accountability, Auditing |
| AV | Asset Value |
| EF | Exposure Factor (loss % if event) |
| SLE | Single Loss Expectancy = AV × EF |
| ARO | Annualized Rate of Occurrence |
| ALE | Annualized Loss Expectancy = SLE × ARO |
| RTO | Recovery Time Objective |
| RPO | Recovery Point Objective |
| MTD | Maximum Tolerable Downtime |
| MTBF | Mean Time Between Failures |
| STRIDE | Spoofing, Tampering, Repudiation, Info disclosure, DoS, Elevation |
| DREAD | Damage, Reproducibility, Exploitability, Affected, Discoverability |
| MART | Mitigate, Accept, Reject, Transfer |
Mnemonics
CIA = Confidentiality · Integrity · Availability. Its opposite: DAD (Disclosure, Alteration, Destruction).
IAAAA, in order: Identification → Authentication → Authorization → Accountability → Auditing.
MART = 4 options for a risk: Mitigate · Accept · Reject (avoid) · Transfer.
STRIDE: Spoofing · Tampering · Repudiation · Information disclosure · DoS · Elevation of privilege.
DREAD (threat scoring): Damage · Reproducibility · Exploitability · Affected users · Discoverability.
SLE = AV × EF (per event). ALE = SLE × ARO (per year). 3 letters unlock the 5.
4 canons, prescriptive order: Society > Honour > Service (principals) > Profession. Society wins if canons conflict.
Due DILIGENCE = D for DISCOVER (investigate first). Due CARE = C for CARRY OUT (act reasonably).
RTO = Restore Time (when are we back?). RPO = Restore Point (how much data lost?). Golden rule: RTO ≤ MTD.
Formulas
SLE = AV × EF
Expected loss from a single event.
ALE = SLE × ARO
Annualized expected loss.
Risk = P × I
Probability × impact.
Exam pitfalls
Don't confuse SLE, ALE and ARO
SLE is per event, ALE is per year, ARO is yearly frequency. The exam swaps them to trip you.
Strategic ≠ Tactical ≠ Operational
Strategic ≈ 5y, Tactical ≈ 1y, Operational ≈ months/daily. S-T-O = long, mid, short.
Due care vs Due diligence
Due care = act reasonably (doing). Due diligence = investigate/verify before acting (researching). Action vs research.
Risk transfer ≠ risk elimination
Buying insurance transfers financial impact - not legal liability or reputational harm.
Real-world cases
ALE of a flood-exposed datacentre
Datacentre valued at €1,000,000. A flood damages 40% of equipment (EF = 0.4). Local studies: one flood every 5 years (ARO = 0.2). SLE = €400,000, ALE = €80,000/yr. Reasonable mitigation budget: up to ~€80,000/yr (elevation, drainage, insurance).
Banking separation of duties
In a bank, the clerk who enters a transfer never approves it. Mnemonic: "one asks, one OKs." Single-person fraud is neutralised - modelled on SOX post-Enron controls.
10-second recap
10-second recap
- CIA is the mission, DAD is the threat.
- Risk = P × I; ALE = SLE × ARO; SLE = AV × EF.
- 4 treatments: MART (Mitigate, Accept, Reject, Transfer).
- Governance: ISO 27001, NIST RMF, COBIT, COSO, ITIL.
- Threat modelling: STRIDE (categories), DREAD (scoring).
- ISC² ethics = 4 canons: society, honour, service, profession.
Domain quiz
Three levels available. Pick one based on the time you have.
🔒 Sign-up required for quizzes
Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.