Security and Risk Management

CISSP Domain 1 Review notes – Security and Risk Management

This is one of the longest and comparatively important domains in the CISSP certification. People who work in technical roles find this domain difficult because it focuses more on business and covers broad concepts in risk management and in building an information security and governance framework.

Domain 1 summary

Domain 1 starts with the three pillars of information security – confidentiality, integrity and availability – and explains the practical significance of each principle. It then explains the difference between information security management and the concept of information security governance.

Next, the domain explains how to develop information security goals at the strategic (long term), tactical (six months to one year) and operational (short term) levels. Security objectives must be derived from the business security goals, also called maintenance goals. The domain also explains the difference between “due care” and “due diligence”.

The domain provides guidance on the contents of information security policies and on how policies differ from procedures, standards, baselines and guidelines. This includes a detailed understanding of the information security roles and responsibilities of senior management, the chief information security officer, data owners, data custodians, system owners, system administrators and security administrators. This concept of roles and responsibilities was tested lightly in the actual CISSP exam.

Moving on, the domain explains the various types of controls (administrative, technical and physical) and concepts including separation of duties, job rotation, mandatory vacations, split knowledge and dual control. The domain also covers information security practices for hiring new employees and for terminating employees. Again, these concepts are tested in the actual CISSP exam.

As the domain name suggests – “Risk Management” – this domain explains the basics of risk management, including assets (both tangible and intangible), vulnerabilities, threats, performing a business impact analysis and creating a risk register. After that, we learn the approaches to risk treatment (risk mitigation, risk transfer, risk avoidance and risk acceptance).

After the concept of risk management, the domain introduces enterprise architecture frameworks such as Zachman, SABSA and TOGAF. The expectation here is to understand these enterprise architecture frameworks at the definition level and to understand how one framework differs from the others. Please refer to the attached review notes for further details.

The domain explains concepts about business continuity management (BCM). BCM is introduced here because the methodology for creating a business continuity plan comes from managing the risks to organizational assets.

The next topic in the domain is law: the categories of law, concepts about liability and causation, exigent circumstances, the prudent man rule, data protection laws, privacy law and safe harbor. The expectation is that one understands these laws at a high level.

The domain then defines intellectual property: patents, trademarks, copyright and trade secrets. Along with this, we study the concepts around computer forensics, chain of custody, types of evidence, computer surveillance and, finally, the ISC2 code of ethics.

Proof of your abilities

If you have worked in the field for a while, you will have collected many skills that are in high demand. But without a concrete qualification, it is hard to demonstrate this to an employer.

The best jobs out there either directly require a CISSP certificate or favour someone who has gone through the punishing process of achieving it. It is one of the most valuable information security certifications out there.

Many people work in security, but not all of them have the body of knowledge needed to protect against the worst kinds of security breaches. With the CISSP, you gain a range of skills that are very much needed and can clearly demonstrate this to future employers.

Employers looking for you

Another thing that makes the CISSP certification worthwhile: large companies are desperate for people who understand the complexity of large-scale security, and they know the value of this certification. There may be hundreds of thousands of security jobs in the U.S., but the best are reserved for those who can show the experience and knowledge needed to achieve the CISSP certificate.

Instead of having to go through a gruelling process to find a job, you will find companies knocking down your door to get you to join them. The CISSP certificate is a universally recognized standard, and holders are sought after by companies such as Google, IBM, Hewlett-Packard, and many others.

This domain is important because many questions are asked about IT policies, procedures, roles and responsibilities, types of controls, and risk management concepts including risk analysis, risk evaluation and risk treatment. There will also be one numerical (calculation-based) question on risk calculation. Overall, this domain is more business-focused than technical. As a result, people who work in technical roles consider it difficult.
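The risk-management basics summarized above (assets, threats, risk register, and the four treatment options) and the calculation-based question mentioned here both rest on the standard quantitative risk formulas: single loss expectancy (SLE = asset value × exposure factor), annualized loss expectancy (ALE = SLE × annualized rate of occurrence), and the cost/benefit of a safeguard (ALE before − ALE after − annual safeguard cost). The following Python is an added example, not part of the original notes; the asset values, exposure factors, occurrence rates, safeguard costs and the risk-appetite decision rule in `recommend_treatment` are all constructed for illustration.

```python
"""Quantitative risk analysis worked through with the CISSP Domain 1 formulas.

Added example with constructed figures; the decision rule in recommend_treatment
is an assumption made for this example, not a rule from the review notes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 .. 1.0)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float        # yearly cost of operating the control
    new_exposure_factor: float  # EF after the control is in place
    new_aro: float            # ARO after the control is in place


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost.

    A positive result means the control saves more per year than it costs.
    """
    residual = Risk(risk.asset, risk.asset_value,
                    safeguard.new_exposure_factor, safeguard.new_aro)
    return risk.ale() - residual.ale() - safeguard.annual_cost


def recommend_treatment(risk: Risk, safeguard: Safeguard, risk_appetite: float) -> str:
    """Map the numbers onto the treatment options from the domain.

    Assumed rule (constructed for this example): accept a risk whose ALE is
    within the organization's appetite; mitigate when the proposed safeguard
    pays for itself; otherwise transfer it (for example through insurance).
    Avoidance (dropping the activity) is a business decision not modelled here.
    """
    if risk.ale() <= risk_appetite:
        return "accept"
    if safeguard_value(risk, safeguard) > 0:
        return "mitigate"
    return "transfer"


def build_risk_register(risks: list[Risk]) -> list[dict]:
    """Produce a risk register ordered by annualized loss, highest first."""
    rows = [{"asset": r.asset, "SLE": r.sle(), "ALE": r.ale()} for r in risks]
    return sorted(rows, key=lambda row: row["ALE"], reverse=True)


# Constructed sample data (not from the original notes).
EXAMPLE_RISKS = [
    Risk("customer database", asset_value=1_000_000, exposure_factor=0.25, aro=0.1),
    Risk("office printer", asset_value=2_000, exposure_factor=1.0, aro=0.5),
]
EXAMPLE_SAFEGUARD = Safeguard("encrypted offsite backups", annual_cost=10_000,
                              new_exposure_factor=0.05, new_aro=0.1)


if __name__ == "__main__":
    for row in build_risk_register(EXAMPLE_RISKS):
        print(f"{row['asset']:<18} SLE={row['SLE']:>10,.0f} ALE={row['ALE']:>10,.0f}")
    db = EXAMPLE_RISKS[0]
    print("safeguard value:", safeguard_value(db, EXAMPLE_SAFEGUARD))
    print("treatment:", recommend_treatment(db, EXAMPLE_SAFEGUARD, risk_appetite=20_000))
```

With the constructed figures the database risk has an SLE of 250,000 and an ALE of 25,000; the backup control brings the ALE down to 5,000 at a cost of 10,000 per year, so its value is 10,000 and the recommendation is to mitigate, while the printer's ALE of 1,000 falls within the assumed appetite and is accepted.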
