Security and Risk Management
Security & Risk Management · 15% of CISSP Exam
About This Domain
The largest domain at 15%. Covers professional ethics, governance, risk management frameworks, legal requirements, and business continuity. This domain sets the management mindset for the entire CISSP exam — think like a manager and security leader, not just a technician.
Domain 1 is tested heavily on "what would a CISSP do" scenarios. The correct answer prioritizes business context, governance, and risk management over pure technical solutions. Master this domain and it rewires your thinking for all other domains.
10 Lessons in This Domain
- 4 Canons in priority order
- Society > Clients > Profession
- Duty to report illegal activity
- Confidentiality, Integrity, Availability
- Non-repudiation & Authenticity
- AAA framework
- Policy → Standard → Guideline → Procedure
- Due Care vs Due Diligence
- NIST CSF 5 functions
- Criminal vs Civil vs Regulatory law
- Decree 13/2023, PH DPA, PCI-DSS
- 72-hour breach notification rule
- SLE = AV × EF; ALE = SLE × ARO
- Qualitative vs Quantitative methods
- Risk Appetite & Residual Risk
- Mitigate, Accept, Avoid, Transfer
- NIST RMF 7 steps
- Risk register & formal acceptance
- MTD, RTO, RPO, WRT definitions
- BCP vs DRP relationship
- Recovery site types & testing tiers
- Separation of Duties & Dual Control
- Mandatory vacation & job rotation
- Social engineering attack types
- STRIDE: 6 threat categories
- IOC vs IOA distinction
- MITRE ATT&CK & APT concepts
- Vendor due diligence & SOC 2 Type 2
- SBOM & software supply chain risks
- Awareness vs Training vs Education
Domain 1 Full Quiz
Complete all 10 lessons before attempting the full domain quiz. The quiz covers all concepts across all lessons with 25 mixed questions at exam difficulty.
Coming Soon — Complete all lessons first