Domaine 1 · 16% Exam weight

Security and Risk Management

Domain 1 lays the foundations: understanding the value of information, measuring risk, knowing applicable laws, and organising security governance. It is the largest exam domain (16%) and the conceptual bedrock for every other.

(ISC)² CBK Objectives

The 13 official learning areas of Domain 1. Click an objective for detail.

Objective A

Understand, adhere to and promote Professional Ethics

Diagramme — Understand, adhere to and promote Professional Ethics

(ISC)² ethics boils down to 4 ordered canons: protect society first; act honourably; serve principals diligently; advance and protect the profession. The order is prescriptive: in case of conflict, the higher canon wins.

Key points

  • 4 ISC² canons + oath signed upon certification
  • Prescriptive order (not optional)
  • Compare with other codes: IEEE, ACM, ISACA
Objective B

Understand and apply security concepts

Diagramme — Understand and apply security concepts

CIA triad (Confidentiality, Integrity, Availability), its mirror DAD (Disclosure, Alteration, Destruction), and the IAAAA access-control cycle. Every security decision is a trade-off among these pillars; strengthening one at the expense of another is an anti-pattern.

Key points

  • CIA + CIAAN (add Authenticity, Non-repudiation)
  • IAAAA: Identification → Authentication → Authorization → Accountability → Auditing
  • Non-repudiation via digital signatures
Objective C

Evaluate and apply security governance principles

Diagramme — Evaluate and apply security governance principles

Governance aligns security with the business. It sets roles (board, CISO, DPO, owners), responsibilities (RACI), high-level policies, and steering metrics (KPI/KRI). Key frameworks: ISO 27001 (ISMS), NIST CSF, COBIT (IT governance), COSO (internal control).

Key points

  • Governance = WHAT. Management = HOW. Operations = DO.
  • Top management is ACCOUNTABLE; the CISO is RESPONSIBLE
  • Business alignment via COBIT and executive dashboards
Objective D

Determine compliance and other requirements

Diagramme — Determine compliance and other requirements

Identify applicable obligations: laws (GDPR, HIPAA, SOX, FISMA), contracts (PCI-DSS, SLA), industry standards (ISO 27001, SOC 2). Non-compliance exposes to: regulatory fines, contractual penalties, customer loss, lawsuits.

Key points

  • Map obligations by asset and jurisdiction
  • GDPR: 72-h breach notification, fines up to 4 % revenue
  • SOC 2: Trust Services Criteria (5: security, availability, integrity, confidentiality, privacy)
Objective E

Understand legal and regulatory issues

Diagramme — Understand legal and regulatory issues

Three law categories: criminal (State vs individual, imprisonment), civil (individual vs individual, damages), administrative (regulators). Three systems: common law (Anglo-Saxon), civil law (continental Europe), religious. IP: copyright, patent, trademark, trade secret.

Key points

  • Burden of proof: criminal = beyond reasonable doubt; civil = balance of probabilities
  • International data transfers (e.g. outside EU): Standard Contractual Clauses
  • IP: 4 types, different durations
Objective F

Understand requirements for investigation types

Diagramme — Understand requirements for investigation types

4 investigation types: administrative (internal HR), criminal (police, proof beyond doubt), civil (damages), regulatory (regulator). Each has its own evidence rules and chain of custody. Locard's principle: every contact leaves a trace.

Key points

  • Chain of custody: evidence traceability (who, when, where, why)
  • Evidence: authentic, accurate, complete, convincing, admissible
  • Forensics: order of volatility (RAM, cache, disk, backup)
Objective G

Develop, document and implement security policy, standards, procedures, guidelines

Diagramme — Develop, document and implement security policy, standards, procedures, guidelines

Normative hierarchy: Policy (intent, what) > Standard (mandatory, precise what) > Procedure (how, step-by-step) > Guideline (recommended). A baseline = minimum to meet. Policies are reviewed yearly and upon major changes.

Key points

  • Policy signed by top management = binding effect
  • Procedure = executable by any qualified person
  • Guideline is non-binding, Standard is binding
Objective H

Identify, analyze and prioritize business continuity requirements

Diagramme — Identify, analyze and prioritize business continuity requirements

BCP covers enterprise survival during a major incident. It relies on the BIA (Business Impact Analysis) which assesses the criticality and impact of each process. The DRP is the fast IT recovery subplan.

Key points

  • BIA before BCP: no planning without measuring first
  • RTO (restore) ≤ MTD (max tolerance). RPO (data loss) = upper bound
  • Tests: desk check, table-top, simulation, parallel, full-interruption
Objective I

Contribute to and enforce personnel security policies and procedures

Diagramme — Contribute to and enforce personnel security policies and procedures

HR security: pre-hire controls (background check, references), during (training, NDA, SoD), at exit (offboarding, access revocation, exit interview, gear return). Humans remain the #1 incident vector.

Key points

  • Offboarding is more critical than onboarding for leaks
  • NDA before exposure, not after
  • Privileged candidates: enhanced background check
Objective J

Understand and apply risk management concepts

Diagramme — Understand and apply risk management concepts

Full cycle: identify (assets + threats + vulnerabilities), assess (qualitative P×I or quantitative SLE/ALE), treat (MART: Mitigate, Accept, Reject, Transfer), monitor. Risk register = single source of truth, reviewed regularly.

Key points

  • SLE = AV × EF ; ALE = SLE × ARO
  • Residual risk = Inherent - Controls. Must be under risk appetite.
  • Acceptance = signed by risk owner, not ignored
Objective K

Understand threat modeling concepts and methodologies

Diagramme — Understand threat modeling concepts and methodologies

Model threats at design time. Methods: STRIDE (categorize 6 types), DREAD (scoring), PASTA (7-step process), Attack trees. Best ROI when applied early in the SDLC.

Key points

  • STRIDE = categories; DREAD = scoring
  • Earlier = cheaper to fix (shift-left)
  • A data flow diagram is the foundation of threat modeling
Objective L

Apply Supply Chain Risk Management (SCRM)

Diagramme — Apply Supply Chain Risk Management (SCRM)

Assess and control risks from vendors and subcontractors: pre-onboarding security audit, contractual clauses (SLA, audit rights, notification), continuous monitoring. Crucial since SolarWinds.

Key points

  • Vendor questionnaires (SIG, CAIQ) + SOC 2 Type II
  • SBOM (Software Bill of Materials) to trace components
  • 4th parties: subcontractors of your subcontractors
Objective M

Security awareness, education and training program

Diagramme — Security awareness, education and training program

Three levels: Awareness (broad, short reminders), Training (skills, role-oriented), Education (deep understanding, certifications). Measure effectiveness via phishing tests, quizzes, clear KPIs.

Key points

  • Awareness ≠ Training ≠ Education (deeper in that order)
  • Role-targeted: dev ≠ HR ≠ exec
  • KPIs: phishing click rate, completion rate, quiz results

Key concepts

CIA Triad

Confidentiality (access restrictions, encryption), Integrity (non-repudiation, authenticity), Availability (reliable, timely access). Primary goal of any security programme.

DAD opposite

Disclosure, Alteration, Destruction - mirror opposite of CIA; what security tries to prevent.

I-AAAA

Identification → Authentication → Authorization → Accountability → Auditing. Full access-control lifecycle: who are you, are you really you, may you do this, who owns it, what did you do.

Asset / Vulnerability / Threat / Risk

Asset = anything of value. Vulnerability = weakness. Threat = potential harmful event. Threat Agent = who carries it out. Exploit = concrete compromise instance. Risk = likelihood × impact.

Risk treatments

Mitigate, Accept, Reject/Avoid, Transfer (e.g. insurance). Mnemonic: MART.

SoD, Least Privilege, Job Rotation

Separation of Duties (prevent single-person total power), Least Privilege (strict minimum), Job Rotation (periodic rotation to surface fraud), Dual Control (two people required).

STRIDE & DREAD threat models

STRIDE (Microsoft) = Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege. DREAD = Damage, Reproducibility, Exploitability, Affected users, Discoverability (scoring).

Data classification

Assess data sensitivity to decide protection level. Controls follow classification, never the other way round.

Governance frameworks

ISO 27001/27002 (controls), NIST RMF (risk mgmt), COBIT (IT governance), COSO (internal control), ITIL (IT operations), OCTAVE (self-directed risk).

ISC² Code of Ethics - 4 canons

1) Protect society, the common good, public trust and infrastructure. 2) Act honourably, honestly, justly, responsibly and legally. 3) Provide diligent and competent service to principals. 4) Advance and protect the profession.

Frameworks & standards

FrameworkRole
ISO/IEC 27001 Information security management system (ISMS).
ISO/IEC 27002 Catalogue of security controls.
NIST SP 800-30 Risk assessment methodology (qualitative + quantitative).
NIST RMF (800-37) Full IT risk management lifecycle.
COBIT Business-aligned IT governance.
COSO Internal control and financial reporting.
ITIL IT service management best practices.
OCTAVE Self-directed organisational risk assessment.

Acronyms

AcronymMeaning
CIA Confidentiality, Integrity, Availability
DAD Disclosure, Alteration, Destruction
IAAAA Identification, Authentication, Authorization, Accountability, Auditing
AV Asset Value
EF Exposure Factor (loss % if event)
SLE Single Loss Expectancy = AV × EF
ARO Annualized Rate of Occurrence
ALE Annualized Loss Expectancy = SLE × ARO
RTO Recovery Time Objective
RPO Recovery Point Objective
MTD Maximum Tolerable Downtime
MTBF Mean Time Between Failures
STRIDE Spoofing, Tampering, Repudiation, Info disclosure, DoS, Elevation
DREAD Damage, Reproducibility, Exploitability, Affected, Discoverability
MART Mitigate, Accept, Reject, Transfer

Mnemonics

Memo · CIA

CIA = Confidentiality · Integrity · Availability. Its opposite: DAD (Disclosure, Alteration, Destruction).

Memo · IAAAA

IAAAA, in order: Identification → Authentication → Authorization → Accountability → Auditing.

Memo · MART

MART = 4 options for a risk: Mitigate · Accept · Reject (avoid) · Transfer.

Memo · STRIDE

STRIDE: Spoofing · Tampering · Repudiation · Information disclosure · DoS · Elevation of privilege.

Memo · DREAD

DREAD (threat scoring): Damage · Reproducibility · Exploitability · Affected users · Discoverability.

Memo · Formules risque

SLE = AV × EF (per event). ALE = SLE × ARO (per year). 3 letters unlock the 5.

Memo · Canons ISC²

4 canons, prescriptive order: Society > Honour > Service (principals) > Profession. Society wins if canons conflict.

Memo · Due care/diligence

Due DILIGENCE = D for DISCOVER (investigate first). Due CARE = C for CARRY OUT (act reasonably).

Memo · RTO/RPO

RTO = Restore Time (when are we back?). RPO = Restore Point (how much data lost?). Golden rule: RTO ≤ MTD.

Formulas

Remember

SLE = AV × EF

Expected loss from a single event.

Remember

ALE = SLE × ARO

Annualized expected loss.

Remember

Risk = P × I

Probability × impact.

Exam pitfalls

Pitfall

Don't confuse SLE, ALE and ARO

SLE is per event, ALE is per year, ARO is yearly frequency. The exam swaps them to trip you.

Pitfall

Strategic ≠ Tactical ≠ Operational

Strategic ≈ 5y, Tactical ≈ 1y, Operational ≈ months/daily. S-T-O = long, mid, short.

Pitfall

Due care vs Due diligence

Due care = act reasonably (doing). Due diligence = investigate/verify before acting (researching). Action vs research.

Pitfall

Risk transfer ≠ risk elimination

Buying insurance transfers financial impact - not legal liability or reputational harm.

Real-world cases

Case · Teaching scenario

ALE of a flood-exposed datacentre

Datacentre valued at €1,000,000. A flood damages 40% of equipment (EF = 0.4). Local studies: one flood every 5 years (ARO = 0.2). SLE = €400,000, ALE = €80,000/yr. Reasonable mitigation budget: up to ~€80,000/yr (elevation, drainage, insurance).

Case · Real-inspired scenario

Banking separation of duties

In a bank, the clerk who enters a transfer never approves it. Mnemonic: "one asks, one OKs." Single-person fraud is neutralised - modelled on SOX post-Enron controls.

10-second recap

10-second recap

  • CIA is the mission, DAD is the threat.
  • Risk = P × I; ALE = SLE × ARO; SLE = AV × EF.
  • 4 treatments: MART (Mitigate, Accept, Reject, Transfer).
  • Governance: ISO 27001, NIST RMF, COBIT, COSO, ITIL.
  • Threat modelling: STRIDE (categories), DREAD (scoring).
  • ISC² ethics = 4 canons: society, honour, service, profession.

Domain quiz

Three levels available. Pick one based on the time you have.

🔒 Sign-up required for quizzes

Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.