
CISSP Mastery · Module 1 / 8

Domain 1: Security & Risk Management

The foundation of the CISSP — the domain that governs every other. Master the CIA triad, governance structures, risk lifecycle, compliance obligations, and legal frameworks that frame every security decision.


Exam weight: 16% · Core triad: CIA · Domain focus: 1 / 8 · Tier 1: heaviest domain

Module overview

Why Domain 1 governs everything

Domain 1 is deliberately first — its concepts (risk, governance, ethics) shape how you answer every other domain’s scenario. Master it once; reuse it seven times.

On the exam, when you see "What should you do FIRST?", the answer almost always comes from Domain 1 — identify, classify, or assess before acting. Analysis precedes response.

Treat this module as your operating system: every other domain (Asset Security, IAM, Operations, Software) plugs into the same risk + governance substrate you build here.

Figure 1: Governance, risk & compliance convergence (conceptual illustration). Security controls only hold when governance (policy + accountability), risk (assessment + treatment) and compliance (legal + contractual) are wired into the same operating loop.

Foundational security concepts

CIA triad & supporting principles

Every security control ultimately serves Confidentiality, Integrity, or Availability. Extend the triad with authenticity, non-repudiation, and accountability to cover governance-grade questions.

  • Confidentiality

    Protect information from unauthorized disclosure. Enforce with classification, encryption at rest/in transit, least privilege, and need-to-know segmentation.

  • Integrity

    Guarantee that data and systems are not altered without authorization. Hashing, digital signatures, version control, and change management are your primary controls.

  • Availability

    Ensure timely and reliable access. Redundancy, load balancing, capacity planning, and tested BCP/DRP plans keep critical services within agreed SLAs.

  • Authenticity & non-repudiation

    Prove who did what. Digital signatures, tamper-evident audit logging, and strong authentication remove plausible deniability and satisfy evidentiary requirements.

Security governance

Governance frameworks — policies, roles & accountability

Governance translates executive intent into operational controls. Expect questions that follow the authority chain — Board → CISO → Data Owner → Data Custodian → User.

  • Policies · Standards · Procedures · Guidelines

    Policies set direction. Standards make policies measurable. Procedures turn them into steps. Guidelines add context. Together they form an auditable hierarchy.

  • Roles & responsibilities

    Data owners classify data and accept risk for it. Data custodians implement and maintain the controls. System owners operate the systems. Users comply with policy. Accountability for residual risk stays with senior management; it can be delegated as a task, never as accountability.

  • Due care & due diligence

    Due care is acting reasonably (implementing controls). Due diligence is verifying they work (testing, monitoring, reviewing). CISSP favors both, continuously.

  • Ethics (ISC² Code)

    Protect society → Act honorably → Provide diligent service → Advance the profession. When ethics tie-break a question, society and the common good come first.

Risk management lifecycle

Assess, treat & monitor risk

Risk = Threat × Vulnerability × Impact. The exam rewards answers that identify and assess before responding. Analysis before action, every time.

  • Quantitative analysis

    AV (Asset Value) → EF (Exposure Factor, the fraction of AV lost per event) → SLE = AV × EF → ARO (Annualized Rate of Occurrence) → ALE = SLE × ARO. A safeguard is cost-justified when (ALE before − ALE after) exceeds its annual cost. Use when data supports it.

  • Qualitative analysis

    Likelihood × Impact matrix ranked Low / Medium / High / Critical. Faster, cheaper, and ideal when data is sparse or stakeholder judgment is the main input.

  • Risk treatment

    Mitigate (apply controls), Transfer or share (insurance, contracts), Accept (document residual risk, with owner sign-off), or Avoid (remove the activity). No option is always right: pick the treatment whose cost is justified by the reduction in ALE, and never confuse accepting a risk with ignoring it.

  • Continuous monitoring

    Risk registers, KRIs, and periodic reassessments keep residual risk honest. Never set-and-forget — threats evolve, and so must the risk profile.

Legal compliance

Laws, regulations & contracts

Know which framework applies to which context. The exam expects you to match the obligation (privacy, financial, health) to the correct law or contractual requirement.

  • Privacy (GDPR, CCPA, PIPEDA)

    GDPR: a lawful basis for processing (consent is one of several), purpose limitation, a DPO where required, and notice to the supervisory authority within 72 hours of becoming aware of a breach. CCPA: rights to know, delete, and opt out of the sale of personal data. PIPEDA: Canadian private-sector baseline.

  • Sector-specific (HIPAA, GLBA, PCI-DSS)

    HIPAA for PHI (US health). GLBA for safeguarding customer financial data. PCI DSS is contractual, not law: card brands enforce it through acquiring banks and merchant agreements. Always check scope before control selection.

  • Financial & public-company (SOX)

    Sarbanes-Oxley imposes internal controls over financial reporting, with IT audit scope (access, change, segregation of duties) for in-scope systems.

  • Intellectual property

    Copyright (expression), patent (invention), trademark (brand), trade secret (protected by reasonable effort). IP classification affects handling rules.

Deep dive

Processes — expand to master

Click each heading to unfold the step-by-step flow. Use the numbered order as a memory anchor on the exam.

Risk assessment process: the six-phase loop

The formal flow you must recognize on the exam: identify, assess, analyze, evaluate, treat, monitor, with governance hooks at every stage.

  1. Identify assets & threats

    Inventory systems, data, and people. Pair each asset with plausible threat actors and scenarios.

  2. Assess vulnerabilities

    Correlate threats with known weaknesses (technical, process, human). Technical scans alone are not enough.

  3. Analyze likelihood & impact

    Choose quantitative, qualitative, or hybrid. Document the assumptions; reviewers will challenge them.

  4. Evaluate & prioritize

    Rank risks against the organization’s risk appetite. Separate critical from acceptable with a defensible threshold.

  5. Treat risk

    Select mitigate / transfer / accept / avoid. Match the treatment to the asset value and the cost of the control, not to fashion.

  6. Monitor & review

    Revisit on a cadence and after incidents, changes, or new regulations. Continuous risk management is a CISSP expectation.
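The SLE/ALE chain from the risk-management section and the analyze → evaluate → treat steps of the loop above, carried through as an added Python example (not code from the page or from ISC²). The data-centre figures, the two candidate safeguards and the risk-appetite threshold are constructed for illustration; the safeguard-value test, (ALE before − ALE after) − annual cost of the safeguard, is the standard CISSP cost-benefit calculation.

```python
"""Quantitative risk analysis (AV, EF, SLE, ARO, ALE) and safeguard
cost-benefit, ending in a documented treatment decision.
Added example; all figures below are constructed, not taken from the page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset under one threat scenario."""
    asset_value: float      # AV: replacement or business value
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # ACS: yearly cost of ownership, not just purchase price
    residual: Exposure   # the exposure that remains once the control is in place


def safeguard_value(before: Exposure, sg: Safeguard) -> float:
    """Net annual value of a control: (ALE before - ALE after) - ACS.
    Positive means the control pays for itself."""
    return before.ale() - sg.residual.ale() - sg.annual_cost


def choose_treatment(before: Exposure, candidates, appetite_ale: float):
    """Return (treatment, safeguard) in the exam's decision order:
    accept when ALE already sits inside risk appetite; otherwise mitigate with
    the highest-value control that is cost-justified; otherwise transfer the
    risk or accept it with documented residual risk. Never silently ignore."""
    if before.ale() <= appetite_ale:
        return "accept", None
    justified = [s for s in candidates if safeguard_value(before, s) > 0]
    if justified:
        return "mitigate", max(justified, key=lambda s: safeguard_value(before, s))
    return "transfer-or-accept", None


# Constructed scenario: a $2M data centre, a fire destroys 25% per event,
# expected once every ten years (ARO 0.1).
DC_FIRE = Exposure(asset_value=2_000_000, exposure_factor=0.25, aro=0.1)

# Constructed candidate controls; residual exposure after each is applied.
CANDIDATES = [
    Safeguard("gas suppression", annual_cost=15_000,
              residual=Exposure(2_000_000, 0.05, 0.1)),
    Safeguard("relocate to hardened site", annual_cost=60_000,
              residual=Exposure(2_000_000, 0.01, 0.1)),
]

if __name__ == "__main__":
    print(f"SLE ${DC_FIRE.sle():,.0f}  ALE ${DC_FIRE.ale():,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name}: value ${safeguard_value(DC_FIRE, sg):,.0f}/yr")
    print(choose_treatment(DC_FIRE, CANDIDATES, appetite_ale=20_000))
```

With these inputs the fire risk is SLE $500,000 and ALE $50,000. Gas suppression nets $25,000 a year and is selected; relocation would cut ALE further but costs more than it saves, which is exactly the "match the treatment to the asset value" point. Raise the appetite above $50,000 and the same function returns accept without spending anything.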

BCP / DRP lifecycle

Business continuity and disaster recovery frame availability and resilience: heavy exam territory.

  1. Project initiation

    Secure executive sponsorship, define scope, form the BCP team, and align on budget and authority.

  2. Business Impact Analysis (BIA)

    Identify critical processes, their interdependencies, the RTO (maximum tolerable time to restore a process) and RPO (maximum tolerable data loss, expressed as time since the last good copy). RTO must fit inside the process's maximum tolerable downtime (MTD).

  3. Strategy selection

    Match recovery strategies to BIA outputs: hot / warm / cold sites, cloud DR, reciprocal agreements. A strategy whose recovery time exceeds the RTO is not a strategy.

  4. Plan development

    Document playbooks, contacts, decision trees. A plan no one can find at 2 AM is not a plan.

  5. Testing & exercises

    Read-through (checklist) → walk-through (tabletop) → simulation → parallel → full interruption, in increasing order of realism and risk to production. Findings feed back into the plan, always.

  6. Maintenance

    Re-run the BIA after major change (M&A, new systems, regulations). Stale plans fail at the worst moment.

Threat modeling (STRIDE, PASTA, attack trees)

Structured approaches to enumerate threats before deploying systems: the CISSP "before" pattern in action.

  1. STRIDE

    Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. One lens per class of threat.

  2. PASTA

    Seven-stage risk-centric process that ties business objectives to technical threat analysis.

  3. Attack trees

    Graphical decomposition from root goal to leaf actions. Useful to communicate risk pathways to non-technical stakeholders.

  4. Select the right tool

    Design phase → STRIDE. Business-driven risk → PASTA. Stakeholder communication → attack trees. Context wins.
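STRIDE applied per element of a data-flow diagram, and an attack tree evaluated for its cheapest path, as an added Python example (not code from the page). The letter-to-element mapping follows Microsoft's STRIDE-per-element table (external entities get S and R; processes get all six; data flows and stores get T, I, D; audit-log stores also get R). The web-shop DFD, the attack tree and its leaf costs are constructed for illustration and describe no real system.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram, plus
attack-tree evaluation (OR = cheapest branch, AND = sum of branches).
Added example; the DFD, tree and costs are constructed for illustration."""
from dataclasses import dataclass, field

# Microsoft's STRIDE-per-element mapping: which threat classes apply to
# each DFD element type. Data stores holding audit logs additionally get R.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                         # a key of STRIDE_PER_ELEMENT
    crosses_boundary: bool = False    # data flow crossing a trust boundary
    is_log: bool = False              # audit-log store: repudiation applies


def enumerate_threats(elements):
    """Return (element, letter, threat name) for every applicable STRIDE class.
    Boundary-crossing flows are listed first so review time goes to exposure."""
    out = []
    for e in sorted(elements, key=lambda e: not e.crosses_boundary):
        letters = STRIDE_PER_ELEMENT[e.kind]
        if e.kind == "data_store" and e.is_log:
            letters += "R"
        for c in letters:
            out.append((e.name, c, STRIDE_NAMES[c]))
    return out


@dataclass
class Node:
    label: str
    gate: str = "LEAF"        # "LEAF", "OR" or "AND"
    cost: float = 0.0         # attacker cost for a leaf, constructed units
    children: list = field(default_factory=list)


def cheapest_attack(node):
    """Minimum attacker cost to reach this node and the leaves that path uses.
    OR nodes take their cheapest child; AND nodes need every child."""
    if node.gate == "LEAF":
        return node.cost, [node.label]
    results = [cheapest_attack(c) for c in node.children]
    if node.gate == "AND":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown gate {node.gate!r}")


# Constructed DFD: customer browser -> order service -> orders DB, plus an
# audit log; the HTTPS request crosses the internet/DMZ trust boundary.
WEB_SHOP = [
    Element("customer_browser", "external_entity"),
    Element("https_request", "data_flow", crosses_boundary=True),
    Element("order_service", "process"),
    Element("orders_db", "data_store"),
    Element("audit_log", "data_store", is_log=True),
]

# Constructed attack tree for the root goal "read customer orders".
READ_ORDERS = Node("read customer orders", "OR", children=[
    Node("take over an admin session", "AND", children=[
        Node("phish admin password", cost=3),
        Node("defeat second factor", cost=6),
    ]),
    Node("query the DB directly", "AND", children=[
        Node("reach DB port from office LAN", cost=2),
        Node("guess weak DB password", cost=4),
    ]),
    Node("steal a backup tape", cost=8),
])

if __name__ == "__main__":
    for name, c, full in enumerate_threats(WEB_SHOP):
        print(f"{name:18} {c}  {full}")
    cost, path = cheapest_attack(READ_ORDERS)
    print(f"cheapest path at cost {cost}: {' + '.join(path)}")
```

The enumeration yields 18 threat entries for five elements; the per-element table is what keeps a design review from asking "can the database be spoofed?" and instead asks the questions that apply. The tree shows why attack trees communicate well: the cheapest route is not the phishing story everyone expects but the flat-network path, and the number that changes when you segment the office LAN is visible to a non-technical reader.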

Figure 2: Security & risk control lifecycle (visual reference). From identification to monitoring, anchor every exam answer in this loop: identify → classify → assess → treat → monitor → improve.

Concept map

The CIA triad: confidentiality, integrity, availability

The single mental model that anchors every Domain 1 control. The three pillars must stay in balance; weakening one undermines the other two.

  • Confidentiality: need-to-know · encryption
  • Integrity: hashing · signatures · WORM
  • Availability: redundancy · DR · capacity

Exam-grade takeaways

Expert insights & pro tips

Short, high-signal anchors — the same bar we set on the Academy callouts.

Expert insight

CIA conflicts almost always resolve to confidentiality

When availability and confidentiality fight, CISSP defaults to confidentiality — unless the scenario calls out life-safety or mission-critical availability (e.g., 911 systems, medical devices).

Pro tip

Risk is owned by the business, not by security

The CISO recommends. The data owner / business executive accepts residual risk. Security facilitates the decision — it does not sign off unilaterally. The exam loves this distinction.

Expert insight

Laws, regulations, contracts — order matters

Laws and regulations bind regardless of what you have agreed to. Contracts (PCI DSS is the usual example) create enforceable obligations only where they do not conflict with the law. Internal policy must satisfy both and can tighten but never loosen either. Recognize the hierarchy to answer scope questions cleanly.

Quick check

Domain 1 quiz

1. A board asks for cyber risk in monetary terms. Which method should the CISO emphasize?

Ready for Domain 2?

Module 1 anchors every later domain — especially Asset Security, which builds on classification and data lifecycle. Mark this module complete, then take a 30-minute active recall session before moving on.