
Security and Risk Management
Introduction
Security and risk management is Domain 1 of the eight core areas of the CISSP certification. This domain accounts for 15% of the CISSP exam.
The eight domains are:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
1. Security Fundamentals
The Goals of Information Security
Information security is built on the CIA triad: Confidentiality, Integrity and Availability.
- Confidentiality ensures that sensitive data is accessible only to authorized individuals. Techniques include access controls (for example Active Directory or Linux file permissions), encryption and steganography. Its opposite is disclosure.
- Integrity protects data from unauthorized modification. Hashing (message digests, MD), digital signatures and certificates help verify authenticity (with a CA as trusted third party) and prevent tampering. Its opposite is alteration.
- Availability guarantees that systems and data are accessible when needed. Redundancy, failover systems and timely patching support this goal. Its opposite is denial of access.
Each element is essential to maintaining trust and operational continuity in any secure environment.
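The integrity bullet above says hashing and signatures "verify authenticity and prevent tampering". The following added example (not part of the original notes) shows the distinction a practitioner needs: a bare SHA-256 digest detects a changed record only while the stored digest itself is trusted, whereas an HMAC tied to a secret key cannot be recomputed by whoever altered the data. The record, key and tampering scenario are constructed.

```python
# Added example (not from the original notes): integrity checks for the
# CIA triad's "integrity" goal. A plain digest detects accidental or
# unauthorised alteration only if the stored digest is itself trusted; an
# HMAC binds the digest to a secret key, so a party who alters the data
# cannot recompute a valid tag. All data and keys below are constructed.
import hashlib
import hmac

# Constructed sample record and shared key (placeholders, not real secrets)
RECORD = b"payee=ACME Ltd;amount=100.00;currency=GBP"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def digest(data: bytes) -> str:
    """SHA-256 message digest of the data (hex)."""
    return hashlib.sha256(data).hexdigest()


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 authentication tag over the data (hex)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def digest_matches(data: bytes, expected: str) -> bool:
    """Integrity check with a bare hash: detects a changed record only if
    the stored digest was not changed along with it."""
    return hmac.compare_digest(digest(data), expected)


def tag_valid(data: bytes, key: bytes, expected: str) -> bool:
    """Integrity plus origin authenticity: only a holder of the key can
    produce a tag that verifies. Constant-time compare avoids timing leaks."""
    return hmac.compare_digest(tag(data, key), expected)


def simulate_tampering() -> dict:
    """Show why a hash alone does not stop alteration: whoever can rewrite
    the record can also rewrite the plain digest stored beside it, but
    cannot produce a valid HMAC without the key."""
    stored_digest = digest(RECORD)
    stored_tag = tag(RECORD, SHARED_KEY)
    altered = RECORD.replace(b"100.00", b"9100.00")
    return {
        "hash_detects_change": not digest_matches(altered, stored_digest),
        # the altering party simply recomputes the digest over the new data
        "hash_fooled_by_recompute": digest_matches(altered, digest(altered)),
        "hmac_detects_change": not tag_valid(altered, SHARED_KEY, stored_tag),
        "hmac_forged_without_key": tag_valid(altered, SHARED_KEY, tag(altered, b"guess")),
    }
```

A digital signature gives the same property as the HMAC but with a public key, which is why the certificate and CA mentioned above matter for verification by third parties.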
2. Security Governance
Aligning Security with Business Objectives
Security must support—not hinder—business goals. Effective governance balances risk with operational needs, ensuring that security investments align with return on investment (ROI) and compliance requirements.
Organizational Processes
Security governance involves leadership at all levels. Boards and risk committees must understand threats, review audit findings and oversee incident response and integration during mergers or divestitures.
Security Roles and Responsibilities
Key roles include:
- CISO – Oversees the security strategy and reports to executive leadership.
- Risk Management Team – Identifies and mitigates threats.
- IT Leaders – Implement controls and ensure operational alignment.
Control Frameworks
Frameworks provide structure and consistency:
- COBIT – Governance and audit-focused.
- ISO/IEC 27001 & 27002 – Security objectives and implementation guidance.
- ISO/IEC 27701 – Privacy management.
- ISO 31000 – Risk management principles.
- NIST 800-53 – U.S. government standard with five functions and 22 categories.
3. Compliance and Ethics
Legal and Compliance Risks
Organisations must comply with local and international laws such as GDPR, PCI DSS and sector-specific regulations. Legal teams should be involved in interpreting and applying these requirements.
Data Privacy Stakeholders
Personally Identifiable Information (PII) and Protected Health Information (PHI) must be handled with care. Privacy principles include notice, consent, data minimization and secure disposal.
Computer Crimes
Laws like the Computer Fraud and Abuse Act (CFAA) criminalize unauthorised access and misuse of systems. Security teams must understand legal boundaries and reporting obligations.
Software Licensing Agreements
Licenses define how software can be used. Types include negotiated contracts, click-through agreements and open-source licenses. Misuse can lead to legal and financial penalties.
Intellectual Property
Security professionals must protect and respect copyrights, trademarks, patents, and trade secrets—especially when developing or integrating software.
Import and Export Controls
Data and technology exports may be restricted by national security laws. Organisations must monitor cross-border data flows and comply with sanctions.
Data Breaches
Breaches involving PII can trigger legal obligations, including victim notification, providing credit monitoring/compensations, regulatory reporting and potential fines. Encryption may provide legal exemptions in some jurisdictions.
Ethics Codes
The (ISC)² Code of Ethics includes four canons:
- Protect society and the common good.
- Act honourably and ethically.
- Provide diligent and competent service.
- Advance and support the profession.
4. Security Policy
Purpose and Structure of Security Policies
Security policies are formalized rules that guide behaviour and decision-making across an organisation. They define acceptable use, outline responsibilities and establish enforcement mechanisms. A well-structured policy hierarchy includes:
- Policies – High-level directives aligned with business goals. (mandatory)
- Standards – Specific technologies or methodologies to meet policy requirements. (mandatory)
- Procedures – Step-by-step instructions for implementing standards. (mandatory/optional)
- Guidelines – Recommended practices that offer flexibility.
Policy Types
- Organisational Policies – Define the overall security posture and governance.
- Issue-Specific Policies – Address topics like email usage, remote access or social media.
- System-Specific Policies – Tailored to individual systems or platforms.
Security policies should set clear expectations. Examples are storage locations, access control levels and encryption requirements, the encryption type for data transmission, data end of life (how long to keep data), data disposal, and the cloud policies used.
5. Business Continuity and Disaster Recovery
Business Continuity Planning (BCP)
BCP ensures that critical operations can continue during and after a disruption. It involves:
- Business Impact Analysis (BIA) – Identifying essential functions and their dependencies.
- Risk Assessment – Evaluating threats and vulnerabilities.
- Recovery Strategies – Developing plans for continuity and communication.
Disaster Recovery Planning (DRP)
DRP focuses on restoring IT systems and data after a disaster. Key components include:
- Recovery Time Objective (RTO) – Maximum acceptable downtime.
- Recovery Point Objective (RPO) – Maximum acceptable data loss.
- Backup and Redundancy – Ensuring data availability through replication and offsite storage.
Also consider people: key team members and succession planning.
High Availability and Fault Tolerance
HA is about providing redundancy. Fault tolerance looks at a single unit. Load balancing spreads the demand. Examples of HA and fault tolerance are an uninterruptible power supply (UPS), using more than one supply of power, storage (RAID mirroring, and disk striping with parity in RAID 5; this is not a backup) and networking (multiple ISPs, NIC teaming). Use more than one technology solution or vendor, together with cryptography and security controls.
6. Personal Security: Safeguarding the Human Element
The Role of Personal Security in Risk Management
While technical controls are essential, people remain one of the most targeted and vulnerable assets in any organization. Personal security focuses on protecting individuals from threats that could compromise organisational security, whether through social engineering, insider threats or physical access.
Key Components of Personal Security
- Pre-Employment Screening
  - Conduct background checks, reference verification, and identity validation.
  - Assess candidates for potential insider threat indicators or conflicts of interest.
- Security Awareness and Training
  - Educate employees on phishing, social engineering and secure behaviour.
  - Reinforce policies through regular training, simulations and assessments.
- Access Management
  - Implement least privilege and need-to-know principles.
  - Use role-based access control (RBAC) and enforce separation of duties.
- Monitoring and Behaviour Analysis
  - Monitor for anomalous behaviour that may indicate insider threats.
  - Use tools like User and Entity Behaviour Analytics (UEBA) to detect risks early.
- Termination Procedures
  - Revoke access immediately upon termination or role change.
  - Conduct exit interviews and remind departing staff of confidentiality obligations.
- Insider Threat Mitigation
  - Establish a culture of accountability and trust.
  - Encourage anonymous reporting of suspicious behaviour.
  - Implement technical controls to detect and prevent data exfiltration.
7. Risk Management
Risk Concepts
Risk is the potential for loss or harm. It’s calculated as: Risk = Threat × Vulnerability × Impact
Risk Management Process
- Identify Assets – What needs protection?
- Identify Threats and Vulnerabilities – What could go wrong?
- Assess Risk – Qualitative or quantitative analysis.
- Select Controls – Mitigate, transfer, accept or avoid risk.
- Monitor and Review – Continuous improvement.
Control Types
- Administrative – Policies, training, background checks.
- Technical – Firewalls, encryption, access controls.
- Physical – Locks, surveillance, security guards.
Quantitative Risk Assessment
Other figures are used in a quantitative risk assessment. The asset value (AV) is the replacement cost, worked out by the risk manager. The exposure factor (EF) gives the single loss expectancy (SLE) through the formula AV × EF = SLE (in £). The annualized rate of occurrence (ARO) per year is then used in the formula SLE × ARO = ALE, the annualized loss expectancy.
How quickly a system is restored to full use after an incident is also a valuable figure to know. The relevant measures are mean time to failure (MTTF), mean time between failures (MTBF) and mean time to repair (MTTR).
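The SLE and ALE formulas above, worked through on a constructed scenario as an added example (not part of the original notes). It goes one step beyond the notes: it uses ALE before and after a control to judge whether a safeguard is worth its annual cost, and turns MTBF and MTTR into an availability figure. The asset value, exposure factors, rates and costs are all constructed.

```python
# Added example (not from the original notes): the quantitative risk
# formulas from this section, SLE = AV x EF and ALE = SLE x ARO, plus
# two figures derived from them that the notes do not work through:
# whether a safeguard is worth its annual cost, and the availability
# implied by MTBF and MTTR. All values below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # AV: replacement cost, in pounds
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE before - ALE after - annual cost of the
    safeguard. A positive result means the control saves more than it costs."""
    return before.ale() - after.ale() - annual_cost


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability from the reliability figures in the notes:
    MTBF / (MTBF + MTTR). MTTR is how long restoring full use takes."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


# Constructed scenario: a file server worth £50,000; a ransomware incident
# would destroy 40% of its value and is expected once every two years.
SERVER_NOW = Exposure(asset_value=50_000, exposure_factor=0.40, aro=0.5)
# With tested offline backups the same incident loses only 5% of the value.
SERVER_WITH_BACKUPS = Exposure(asset_value=50_000, exposure_factor=0.05, aro=0.5)

if __name__ == "__main__":
    print(f"SLE now: £{SERVER_NOW.sle():,.0f}; ALE now: £{SERVER_NOW.ale():,.0f}")
    saving = safeguard_value(SERVER_NOW, SERVER_WITH_BACKUPS, annual_cost=3_000)
    print(f"Backups at £3,000/yr are worth: £{saving:,.0f}")
    print(f"Availability at MTBF 2000 h, MTTR 4 h: {availability(2000, 4):.4%}")
```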
Risk management
Treatment of controls: the risk responses are avoidance, transference, mitigation and acceptance. Finding a risk profile leads to the residual risk and the control risk.
Security control selection and implementation
- Procedures to manage security risks.
- Layers of defence in depth, so that another control holds if one control fails.
- Group controls into preventive, detective and corrective controls.
- Distinguish technical controls from management/operational controls.
- Look to prevent false positives.
Ongoing risk management
- Assessment reporting at a point in time, either internal or audited externally.
- Checking of the controls and reviewing their effectiveness.
- The RIMS model is used: https://www.rims.org/home
Risk management frameworks
The NIST SP 800-37 process has six steps that need to be known.
Risk visibility and reporting
- Tools to document and track risks in a risk register.
- The register database lists each risk with a description, category, probability and impact, risk rating and actions taken.
- Threat intelligence information is gathered by groups.
8. Threat Modelling
Threat intelligence
- Education on public and current open-source intelligence.
- Found on security websites, vulnerability databases, general news media, social media, information published on the dark web, public and private information sharing centres, file and code repositories, and security research organisations.
- AI is used by intelligence service providers as an offering/service to act in real time, updating databases.
- Information must be prompt, on time, accurate and reliable.
Intelligence sharing
- Focus on incident response teams, vulnerability management teams, risk management teams, security engineering teams, and detection and monitoring teams.
- Information Sharing and Analysis Centres (ISACs) are groups of organisations: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/information-sharing
Identifying threats
Threat modelling follows a structured approach that is asset-focused, threat-focused or service-focused.
Threat hunting
Move from a solid-defence mindset to an assumption of compromise. Use AI and an offensive mindset: form a hypothesis, look for indicators of compromise, then find out what happened and proceed to containment and recovery.
8. Threat Modelling: Identifying and Prioritizing Risks
What Is Threat Modelling?
Threat modelling is a proactive process used to identify, evaluate, and mitigate potential threats to systems, applications, or processes. It helps organizations understand what they’re protecting, who they’re protecting it from, and how to prioritize defences.
Core Elements
- Assets – What needs protection (e.g., data, systems, services)?
- Threats – What could go wrong (e.g., attackers, insiders, natural disasters)?
- Vulnerabilities – Weaknesses that could be exploited.
- Impact – The potential damage if a threat is realized.
Common Methodologies
- STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
- DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability)
- PASTA (Process for Attack Simulation and Threat Analysis)
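STRIDE is easiest to understand when applied per element of a data-flow diagram. The following added example (not part of the original notes) enumerates candidate threats for a constructed DFD using the STRIDE-per-element mapping from Microsoft's methodology (which threat classes usually apply to external entities, processes, data flows and data stores) and flags trust-boundary crossings so the output can be prioritised and fed into a risk register. The element kinds, names and DFD are constructed.

```python
# Added example (not from the original notes): a minimal STRIDE threat
# enumeration over a constructed data-flow diagram (DFD). It applies the
# STRIDE-per-element mapping from Microsoft's methodology, which lists the
# threat classes that usually apply to each kind of DFD element, and ranks
# the result so it can feed a risk register. Element names are constructed.
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
# STRIDE-per-element: which classes typically apply to each element kind.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",   # R applies where the store is an audit log
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # one of the APPLICABLE keys
    crosses_trust_boundary: bool = False


def enumerate_threats(elements: list[Element]) -> list[dict]:
    """Return one candidate threat per (element, applicable STRIDE class).
    Threats on elements that cross a trust boundary are flagged so they
    are reviewed first during the design-phase threat model."""
    threats = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {el.kind}")
        for letter in APPLICABLE[el.kind]:
            threats.append({
                "element": el.name,
                "threat": STRIDE[letter],
                "priority": "high" if el.crosses_trust_boundary else "normal",
            })
    # high-priority first; sort is stable, so element order is kept otherwise
    return sorted(threats, key=lambda t: t["priority"] != "high")


# Constructed DFD for a small web application.
WEB_APP = [
    Element("Browser user", "external_entity"),
    Element("Login request", "data_flow", crosses_trust_boundary=True),
    Element("Auth service", "process"),
    Element("Session store", "data_store"),
]
```

Each returned row maps directly onto the risk register fields described in the risk management section (description, category, rating, actions), with DREAD or a likelihood/impact matrix supplying the rating.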
When to Perform Threat Modelling
Ideally during the design phase of a system or application, but it can also be applied retroactively to existing environments.
Benefits
- Prioritizes security efforts based on real-world risk.
- Improves communication between developers, architects, and security teams.
- Reduces the likelihood of costly vulnerabilities post-deployment.
9. Supply Chain Risk Management
Managing vendor relationships
Protect CIA with vendors so that they do not become the weak link. The cycle is vendor selection with a request for proposal (RFP), onboarding, monitoring and offboarding.
See the ISO frameworks.
Vendor agreements
- A non-disclosure agreement (NDA) and service level requirements (SLR) lead to a service level agreement (SLA).
- A memorandum of understanding (MOU) can be used with other...
- Business partnership agreement (BPA)
- Interconnection security agreement (ISA)
- Master service agreement (MSA)
- Statement of work (SOW)
Security and compliance terms, with monitoring and auditing, are included.
Vendor information management
- Data ownership and provisioning.
- Third-party agreements and data protection.
Vendor audits and assessments
- A CIA audit of controls produces a report, review and recommendations.
- Audits are performed against standards (independent audit).
- The big four auditors are PricewaterhouseCoopers, Ernst & Young, Deloitte and KPMG.
- A clear scope must be defined.
- The audit leads to a gap analysis.
Cloud audits
There are different types of service organisation control (SOC) reports:
- SOC 1 is the most common for customers.
- SOC 2 is detailed on CIA controls.
- SOC 3 is high-level on CIA controls.
- Reports can be Type 1 (not verified) or Type 2 (results/testing of controls).
Security service providers
- Managed security service providers (MSSPs) can cover all security, or log monitoring, firewalls or IAM.
- A cloud access security broker (CASB) sits in between the user and the cloud service, or an API-based CASB connects through the provider's API.
9. Third-Party and Supply Chain Risk Management
Understanding Third-Party Risk
Organizations increasingly rely on vendors, partners, and service providers—each introducing potential security risks. Third-party risk management ensures these relationships don’t become weak links in your security posture.
Key Risk Areas
- Data Handling – How vendors store, process, and transmit your data.
- Access Control – Whether third parties have appropriate access restrictions.
- Compliance – Whether vendors meet regulatory and contractual obligations.
- Operational Resilience – Their ability to recover from incidents or outages.
Supply Chain Security
Supply chains can be exploited to introduce malware, counterfeit hardware, or unauthorized software. Risks may arise from:
- Compromised firmware or drivers
- Insecure software updates
- Tampered hardware components
Best Practices
- Conduct due diligence and risk assessments before onboarding.
- Include security clauses in contracts and SLAs.
- Monitor vendor performance and conduct regular audits.
- Use frameworks like NIST SP 800-161 and ISO/IEC 27036 for structured supply chain risk management.
10. Awareness and Training
Security awareness training
- Educate users about risk: training leads to awareness.
- Methods are on sans.org: simulations, with diverse approaches to effectiveness such as gamification and CTF.
- Customise training based on roles; set the frequency and updates.
- Review training: is it still relevant?
Compliance training
External programmes cover obligations under laws, regulations and standards. What are the details?
User habits
- Replace bad habits with good ones: passwords, data handling, clean desk policies, NDAs, physical security, BYOD and acceptable use.
- Know what measures the company takes to analyse social media (SM) use.
Measuring compliance and security posture
How effective are the efforts? Measure with scores and surveys, and review the metrics.
10. Security Awareness and Training
Why It Matters
Even the most advanced technical controls can be undermined by human error. Security awareness training empowers employees to recognize and respond to threats, reducing the risk of breaches caused by phishing, social engineering, and poor security hygiene.
Core Components
- Phishing Simulations – Train users to spot suspicious emails and links.
- Policy Education – Ensure staff understand acceptable use, data handling, and incident reporting procedures.
- Role-Based Training – Tailor content for developers, executives, and IT staff based on their responsibilities.
Delivery Methods
- Instructor-led sessions
- E-learning modules
- Microlearning and gamification
- Regular newsletters and security bulletins
Measuring Effectiveness
- Track completion rates and quiz scores
- Monitor incident reports and user behaviour
- Use metrics to refine and improve training programs
Compliance Considerations
Many regulations (e.g., GDPR, HIPAA, PCI DSS) require documented security awareness programs. Regular training helps meet these obligations and fosters a culture of security.