
Domain 1 of 8
ISC2 · CISSP · Study Guide · Free Preview

Domain 1: Security and Risk Management

The foundation everything else sits on. Master the managerial mindset that separates a CISSP from a technician.

Exam weight: 16% (the heaviest of the 8 domains) · 12 subtopics · ~25 min read time
01 Key Concepts at a Glance

Eight Ideas That Drive Every Question

These concepts appear across almost every Domain 1 question. Know them cold.

CIA + AN

The 5 security objectives every control maps back to.

"Your CEO asks: what are we actually protecting? This is the answer. Every firewall rule, every policy, every access control exists to serve one of these five."

Deep dive in 1.2 Security Concepts

Risk Analysis

Threats x Vulnerabilities x Impact. The central decision mechanism.

"The CFO won't approve your budget because you said 'we need better security.' Run the numbers: what's the asset worth, how likely is the threat, what's the annual loss? Now you're speaking their language."

Deep dive in 1.9 Risk Management

Due Care vs. Diligence

Care = doing what's reasonable. Diligence = verifying it works.

"You installed a firewall (due care). You tested it quarterly and reviewed the logs (due diligence). If you skip the second part and get breached, that's negligence — even though you bought the tool."

Deep dive in 1.3 Security Governance

Policy Hierarchy

Business objectives drive policies, policies drive standards, standards drive procedures.

"Teams are using 3 different encryption methods because nobody wrote a standard. The fix isn't mandating AES-256 — it's writing the policy first, then deriving the standard from it. Top down, never bottom up."

Deep dive in 1.6 Security Policy

BIA

Identifies critical functions, acceptable downtime, recovery priorities.

"The data center is down. What gets restored first — email or payment processing? The BIA already answered this. Business decides what's critical, IT decides how to recover it."

Deep dive in 1.7 Business Continuity

Threat Modeling

STRIDE (software), OCTAVE (org), VAST (agile).

"Your dev team uses STRIDE to find app-level threats. Your CISO uses OCTAVE to assess enterprise risk. Different scopes, different frameworks — the exam tests whether you know which fits where."

Deep dive in 1.10 Threat Modeling

SCRM

Supply chain: SBOMs, silicon root of trust, vendor assessment.

"Your SaaS vendor can't tell you what open-source libraries are in their product. No SBOM means you can't assess component-level vulnerabilities. Your security is only as strong as your weakest supplier."

Deep dive in 1.11 Supply Chain Risk

Quantitative Risk

SLE = AV x EF | ALE = SLE x ARO

"A $200K server with 25% exposure to fire, fires once every 4 years. SLE = $50K, ALE = $12,500. If a suppression system costs $10K/year and cuts risk 80%, the math says buy it. This is how CISOs justify budgets."

Deep dive in 08 Risk Formula Calculator
02 Visual Diagrams

See It, Don't Just Read It

Interactive diagrams for the concepts that show up in every practice exam.

The 5 Pillars of Information Security

• Confidentiality: accessible only to authorized parties. Encryption, access controls, classification labels. "Need to know" is the principle.
• Integrity: accurate, complete, unaltered. Hashing, digital signatures, version control. Detect unauthorized modification.
• Nonrepudiation: cannot deny an action occurred. Digital signatures, audit trails, timestamps. Proves who did what and when.
• Authenticity: verified identity of origin. Certificates, MFA, digital signatures. Not the same as nonrepudiation on exam day.
• Availability: accessible when needed. Redundancy, failover, load balancing, backups. DDoS is an availability attack.

Not just CIA: the CISSP tests all 5 pillars.

Documentation Hierarchy: What Drives What

• Business Objectives (drives all): Everything below exists to serve business goals. Security is a business function. Exam tip: the right answer always connects back to business objectives.
• Policies (mandatory): High-level statements of intent. Technology-agnostic. Approved by senior management. Exam tip: policies never specify which product or tool to use.
• Standards (mandatory): Specific, measurable requirements. "All passwords must be 12+ characters." Exam tip: standards are testable and auditable. Policies are not.
• Procedures (mandatory): Step-by-step instructions. "To reset a password, open the admin console and..." Exam tip: procedures are the "how." Standards are the "what."
• Guidelines (optional): Recommendations and best practices. Not enforced, but encouraged. Exam tip: if the answer says "must follow guidelines" it's probably wrong.
• Baselines (configuration): Minimum acceptable configuration. CIS Benchmarks, hardening guides. Exam tip: baselines are system-level. Standards are org-level.
03 Diagnostic Quiz

Find Out Where to Start

Now that you've seen the landscape, let's find out where you stand. 5 questions across Domain 1 — see which subtopics need the most work.


04 Subtopic Navigator

      12 Subtopics — Pick Your Path

      Each lesson teaches through real scenarios — concept, textbook, hard choice, exam signal. Start anywhere or go in order. Completed lessons show a checkmark.

      1.1
      Professional Ethics

      Four canons in priority order. When your employer and society conflict, society wins.

      1.2
      Security Concepts — The 5 Pillars

      CIA plus Authenticity and Nonrepudiation. The exam tests all five, not three.

      1.3
      Security Governance Principles

      Align security with business objectives. Due care is action, due diligence is verification.

      1.4
      Legal, Regulatory, and Compliance

      GDPR, CCPA, Schrems II, transborder data flow. The strongest scenario content in Domain 1.

      1.5
      Investigation Types

      Administrative, criminal, civil, and regulatory investigations. Chain of custody and evidence handling.

      1.6
      Security Policy Framework

      Policy hierarchy: objectives drive policies drive standards drive procedures. Never backwards.

      1.7
      Business Continuity Requirements

      BIA, RPO, RTO, MTD. Know which metric answers which business question.

      1.8
      Personnel Security Policies

      Hiring, termination, separation of duties, mandatory vacation. People are the biggest risk vector.

      1.9
Risk Management Concepts (High Priority)

      SLE, ALE, MATA. Where finite resources get allocated. You will calculate these on exam day.

      1.10
      Threat Modeling

      STRIDE for software, OCTAVE for organizations, VAST for agile. Know which model fits which context.

      1.11
Supply Chain Risk Management (New in 2024)

      SBOMs, silicon root of trust, vendor assessment. Expanded in the 2024 exam update.

      1.12
      Security Awareness, Education, and Training

      Awareness changes behavior, training builds skills, education provides understanding. Different goals, different methods.

05 Memory Aids

      Learn It, Test It, Lock It In

Each card has 3 layers. Click to advance: mnemonic → scenario challenge → answer + exam tip.

5 Pillars
“CIA Agents Never rest”
Can you name all 5 security objectives?
      Scenario

      A developer digitally signs a code release. Which pillar proves they can’t deny signing it?

      Answer

      Nonrepudiation — the N in “CIA Agents Never rest.” Digital signatures provide integrity + authenticity + nonrepudiation. MFA only gives authenticity.

      Exam tip: “proves identity” = authenticity. “Can’t deny doing it” = nonrepudiation. Same mechanism, different properties.
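What the card calls "same mechanism, different properties", worked through in Go against the release-signing scenario. This is an added example, not code from the original page or from Tech Jacks Solutions. It checks the same release three ways: a SHA-256 digest (integrity only: it detects modification, but anyone can recompute it), an HMAC under a key shared with the verifier (authenticity, but the verifier holds the same key and can produce an identical tag, so the developer could still deny making it), and an Ed25519 signature (the verifier holds only the public key, so a valid signature could only have come from the developer's private key, which is what nonrepudiation means). CheckRelease, the ReleaseCheck struct and its field names are this example's own, and the release bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Digest returns the SHA-256 of msg. Integrity: a changed byte changes the digest,
// but the digest says nothing about who produced the data.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// IntegrityIntact reports whether msg still matches a previously recorded digest.
func IntegrityIntact(msg, recorded []byte) bool {
	return bytes.Equal(Digest(msg), recorded)
}

// Tag computes HMAC-SHA256 under a shared key. Authenticity: only a key holder can
// make a valid tag, but every key holder is indistinguishable from every other.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// TagValid verifies an HMAC tag in constant time.
func TagValid(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// ReleaseCheck records which property each mechanism delivered for one release.
type ReleaseCheck struct {
	HashDetectsTamper      bool // integrity
	MACVerifies            bool // authenticity under a shared key
	MACForgeableByVerifier bool // the verifier can mint the same tag, so no nonrepudiation
	SignatureVerifies      bool // authenticity + integrity
	SignatureDetectsTamper bool
	VerifierCannotForgeSig bool // nonrepudiation: only the private-key holder can sign
}

// CheckRelease runs the card's scenario: a developer publishes release, a modified
// copy (tampered) shows up later, and a verifier checks each mechanism. Keys are
// generated fresh on every call.
func CheckRelease(release, tampered []byte) (ReleaseCheck, error) {
	sharedKey := make([]byte, 32) // HMAC key known to both developer and verifier
	if _, err := rand.Read(sharedKey); err != nil {
		return ReleaseCheck{}, err
	}
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ReleaseCheck{}, err
	}
	_, verifierPriv, err := ed25519.GenerateKey(rand.Reader) // the verifier's own key, not the developer's
	if err != nil {
		return ReleaseCheck{}, err
	}

	// The developer publishes these alongside the release.
	digest := Digest(release)
	tag := Tag(sharedKey, release)
	sig := ed25519.Sign(devPriv, release)

	// The verifier holds sharedKey and devPub, but never devPriv, so the best it can
	// do when trying to produce a "developer" signature is sign with its own key.
	forgedSig := ed25519.Sign(verifierPriv, release)

	return ReleaseCheck{
		HashDetectsTamper:      !IntegrityIntact(tampered, digest),
		MACVerifies:            TagValid(sharedKey, release, tag),
		MACForgeableByVerifier: bytes.Equal(Tag(sharedKey, release), tag),
		SignatureVerifies:      ed25519.Verify(devPub, release, sig),
		SignatureDetectsTamper: !ed25519.Verify(devPub, tampered, sig),
		VerifierCannotForgeSig: !ed25519.Verify(devPub, release, forgedSig),
	}, nil
}

func main() {
	// Constructed sample release and a modified copy (not real artifacts).
	rc, err := CheckRelease(
		[]byte("app-1.4.2.tar.gz manifest v1"),
		[]byte("app-1.4.2.tar.gz manifest v1 (modified)"),
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", rc)
}
```

Every field comes back true: the hash and the MAC both catch the modified copy, but MACForgeableByVerifier shows why a shared-key MAC stops at authenticity, while VerifierCannotForgeSig is the property the exam labels nonrepudiation.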
      Policy Hierarchy
“Business People Should Proceed with Guidelines”
      What order does security documentation follow?
      Scenario

      Teams are using 3 different encryption methods. The CTO says “mandate AES-256 everywhere.” What should you create FIRST?

      Answer

      An encryption policy — the P in the hierarchy. Business objectives → Policies → Standards → Procedures → Guidelines. Always top-down, never technology first.

      Exam tip: “What should you do FIRST?” = always administrative/governance. Never a technical implementation.
      Ethics Canons
“Some Honorable Servants Profess”
      What’s the priority order of the ISC2 canons?
      Scenario

      Your employer is secretly collecting user data beyond the privacy policy. Canon III says serve your employer. Canon I says protect society. Which wins?

      Answer

      Canon I always wins. Society → Honor → Service → Profession. When canons conflict, higher beats lower. No exceptions. Escalate through proper channels.

      Exam tip: the answer will NEVER have Canon III overriding Canon I. If it sounds like “follow your employer,” it’s wrong.
      Risk Responses
      M A T A
      What are the 4 ways to handle identified risk?
      Scenario

      A vulnerability has an ALE of $75K. The only fix costs $100K/year. What should you do?

      Answer

      Accept the risk (the A in MATA) or find a cheaper compensating control. Mitigate, Accept, Transfer, Avoid. A control should never cost more than the loss it prevents. $100K to save $75K = bad business.

      Exam tip: “Eliminate risk” is ALWAYS wrong. The goal is reduce to an acceptable level, then management formally accepts residual risk.
      Threat Models
      STRIDE · OCTAVE · VAST
      Which framework fits which context?
      Scenario

      Your org is shifting to Agile with 2-week sprints. You need threat modeling that integrates into sprint planning. Which framework?

      Answer

      VAST — Visual, Agile, Simple Threat modeling. STRIDE is for software (developers). OCTAVE is for enterprise risk (management). VAST is designed for Agile/DevOps with outputs for both devs and executives.

      Exam tip: match framework to audience. STRIDE = developers. OCTAVE = management. VAST = Agile teams. The exam tests context, not memorization.
      Decision Priority
      People > Process > Technology
      What comes first in every security decision?
      Scenario

      An earthquake hits your data center. What is your absolute FIRST priority: activate the DR site, assess server damage, or ensure employee safety?

      Answer

      Ensure employee safety. People first, always. No server, no contract, no SLA is worth a human life. Activate DR after everyone is safe. Assess damage after that.

      Exam tip: if “ensure safety” or “protect human life” is an option, it’s almost certainly correct. Human safety supersedes ALL other concerns.

      Risk Formulas (Memorize)

      SLE = Asset Value × Exposure Factor
      ALE = SLE × ARO
Control justified when: Cost < (ALE before − ALE after)

      The 50/50 Rule — Exam Strategy

      Eliminate 2 obviously wrong answers. Between the remaining 2, choose the one that is more managerial, more governance-focused, or more encompassing.

06 Think Like a Manager

      The CISSP Tests How You Decide

Scenario 01: Corporate Merger

Your organization is merging with another company. Leadership asks: "What should we do first?"
• × Run a vulnerability scan (technical before business context)
• × Conduct a penetration test (premature, possibly illegal)
• × Merge Active Directory domains (implementation detail)
• Correct: Perform a comprehensive risk analysis. Understand what you're inheriting before spending resources.
Principle: Risk analysis before action.

Scenario 02: Inconsistent Encryption

Audit reveals teams using different unapproved encryption methods.
• × Mandate AES-256 everywhere (right tech, wrong approach)
• × Shut down custom encryption (reactive, no root cause)
• × Hire a crypto consultant (doesn't fix the governance gap)
• Correct: Develop an enterprise-wide encryption policy. The problem is absent policy, not the wrong algorithm.
Principle: Policy before technology.

Scenario 03: Data Center Earthquake

Severe earthquake damages your primary data center. Disaster declared. FIRST priority?
• × Activate DR site (not first)
• × Assess server damage (property after safety)
• × Contact insurance (financial comes later)
• Correct: Ensure employee safety. Human life supersedes everything.
Principle: People > Process > Technology.
07 Common Traps

      The Tempting Wrong Answer

1. Thinking like a technician: the exam wants the managerially appropriate solution.
2. Fixing problems, not processes: address the process failure, not the symptom.
3. Technology before policy: no policy → adding tech = adding unmanaged tech.
4. Trying to eliminate risk: "Eliminate the risk" is always wrong. The goal is an acceptable level.
5. Overlooking human safety: human life supersedes financial, operational, and technical concerns.
6. Missing the umbrella answer: when all seem right, pick the one that encompasses the others.

08 Interactive Tool

Risk Formula Calculator

Plug in your own values. See ALE and cost-benefit computed live.

Calculate ALE & Control Cost-Benefit

Values shown with the calculator's defaults:
• SLE: $50,000
• ALE: $25,000

Control Cost-Benefit Analysis (defaults):
• ALE Reduction: $20,000
• Net Benefit: $5,000
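The calculator above, the formulas in the Memory Aids section (SLE = AV × EF, ALE = SLE × ARO, control justified when Cost < ALE before − ALE after) and the fire-suppression card in section 01, as one runnable Go program. This is an added example, not code from the original page or from Tech Jacks Solutions. It models a control as a fractional cut to EF and/or ARO, which is how Q1 below ("reduces EF by 80%") and the suppression card ("cuts risk 80%") describe controls. The asset value and exposure factor used in main to produce the calculator's $50,000 SLE (AV $100,000, EF 0.5) are constructed, since the calculator shows only the SLE; RiskScenario, EvaluateControl and CostBenefit are this example's own names.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// RiskScenario holds the inputs of the page's quantitative model:
// AV (asset value in dollars), EF (fraction of AV lost per incident)
// and ARO (expected incidents per year).
type RiskScenario struct {
	AssetValue     float64
	ExposureFactor float64
	ARO            float64
}

// NewRiskScenario rejects inputs that make the formulas meaningless
// (negative values, or an EF outside 0..1).
func NewRiskScenario(av, ef, aro float64) (RiskScenario, error) {
	switch {
	case av < 0:
		return RiskScenario{}, errors.New("asset value must be >= 0")
	case ef < 0 || ef > 1:
		return RiskScenario{}, errors.New("exposure factor must be between 0 and 1")
	case aro < 0:
		return RiskScenario{}, errors.New("ARO must be >= 0")
	}
	return RiskScenario{AssetValue: av, ExposureFactor: ef, ARO: aro}, nil
}

// cents rounds to whole cents so float noise does not leak into comparisons.
func cents(x float64) float64 { return math.Round(x*100) / 100 }

// SLE = AV x EF: the dollar loss from a single incident.
func (r RiskScenario) SLE() float64 { return cents(r.AssetValue * r.ExposureFactor) }

// ALE = SLE x ARO: the expected loss per year.
func (r RiskScenario) ALE() float64 { return cents(r.SLE() * r.ARO) }

// CostBenefit is the page's control test: justified when Cost < (ALE before - ALE after).
type CostBenefit struct {
	ALEBefore    float64
	ALEAfter     float64
	ALEReduction float64
	AnnualCost   float64
	NetBenefit   float64
	Justified    bool
}

// EvaluateControl models a control that removes the given fractions of EF
// and/or ARO (each 0..1) in exchange for annualCost dollars per year.
func EvaluateControl(r RiskScenario, efReduction, aroReduction, annualCost float64) (CostBenefit, error) {
	if efReduction < 0 || efReduction > 1 || aroReduction < 0 || aroReduction > 1 {
		return CostBenefit{}, errors.New("reductions must be fractions between 0 and 1")
	}
	if annualCost < 0 {
		return CostBenefit{}, errors.New("control cost must be >= 0")
	}
	after := RiskScenario{
		AssetValue:     r.AssetValue,
		ExposureFactor: r.ExposureFactor * (1 - efReduction),
		ARO:            r.ARO * (1 - aroReduction),
	}
	cb := CostBenefit{ALEBefore: r.ALE(), ALEAfter: after.ALE(), AnnualCost: annualCost}
	cb.ALEReduction = cents(cb.ALEBefore - cb.ALEAfter)
	cb.NetBenefit = cents(cb.ALEReduction - annualCost)
	cb.Justified = annualCost < cb.ALEReduction // strict, as the page's formula states
	return cb, nil
}

func main() {
	// Calculator defaults: SLE $50,000 and ARO 0.5. AV and EF are constructed
	// (the page shows only the SLE); any pair with AV x EF = 50,000 gives the same result.
	r, err := NewRiskScenario(100_000, 0.5, 0.5)
	if err != nil {
		panic(err)
	}
	cb, err := EvaluateControl(r, 0.8, 0, 15_000) // control cuts EF by 80% for $15,000/yr
	if err != nil {
		panic(err)
	}
	fmt.Printf("SLE $%.0f  ALE $%.0f -> $%.0f  reduction $%.0f  cost $%.0f  net $%.0f  justified=%v\n",
		r.SLE(), cb.ALEBefore, cb.ALEAfter, cb.ALEReduction, cb.AnnualCost, cb.NetBenefit, cb.Justified)
}
```

Run as written it reproduces the calculator's default case: ALE $25,000 before and $5,000 after, a $20,000 reduction against a $15,000 control, net benefit $5,000, Justified true. Feed it the MATA card's numbers (ALE $75K, fix $100K per year) and Justified comes back false with a net benefit of -$25,000, which is the "accept or find a cheaper compensating control" answer.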
09 Self-Check Quiz

      5 Practice Scenarios

      Select an answer, then click Check. Full adaptive quiz engine with 200+ questions coming soon on TJS Platform.

Apply · Intermediate · 1.9
      Q1. SLE = $50,000, ARO = 0.5. Control reduces EF by 80% at $15,000/yr. Implement?
      • A Yes — $15k < SLE of $50k
      • B Yes — $15k cost < $20k ALE reduction
      • C No — doesn't eliminate risk
      • D No — residual risk exceeds cost
      Correct: B

      ALE = $25k. Control reduces to $5k. Saves $20k at $15k cost.

      Subtopic 1.9 — Risk Management Concepts
Understand · Beginner · 1.6
      Q2. Devs deploying to prod without change management. Address FIRST?
      • A Automated pipeline with gates
      • B Discipline the developers
      • C Check if change management policy exists and is communicated
      • D Risk-assess deployed apps
      Correct: C

      Verify governance foundation before enforcement. No policy = nothing to enforce.

      Subtopic 1.6 — Security Policy
Analyze · Advanced · 1.4
      Q3. US company stores EU data on US servers. No adequacy decision post-Schrems II. Action?
      • A Move all data to EU servers
      • B Implement SCCs with supplementary measures
      • C Obtain consent from each EU customer
      • D Encrypt at rest — risk mitigated
      Correct: B

      SCCs are the established post-Schrems II mechanism for lawful EU–US transfers.

      Subtopic 1.4 — Transborder Data Flow
Remember · Beginner · 1.1
      Q4. ISC2 member's employer violates data protection regs. Internal escalation failed. Code requires?
      • A Resign to avoid liability
      • B Prioritize protecting society, escalate through channels
      • C Follow employer per Canon III
      • D Report anonymously
      Correct: B

      Canon I (society) trumps Canon III (service). Higher canon wins.

      Subtopic 1.1 — ISC2 Code of Ethics
Apply · Intermediate · 1.11
      Q5. SaaS vendor can't provide an SBOM. Most significant concern?
      • A Outdated UI frameworks
      • B Can't assess component-level vulnerability exposure
      • C Pricing not transparent
      • D No DR plan
      Correct: B

      No SBOM = blind spot in supply chain vulnerability assessment.

      Subtopic 1.11 — Supply Chain Risk Management

      Continue Your Prep

      Choose how you want to study. All paths lead to the same goal — passing the CISSP on exam day.

      Pocket Reference PDF

      Printable desk reference with key concepts, mnemonics, and quick-reference tables for all 8 domains.

      $12 / one-time
      Get the PDF
      Free Cheat Sheet

      Domain 1 key concepts on one page. Mnemonics, traps, and the formulas you need to memorize.

      Free / email signup
      Download Free
      Disclaimer
      This content is provided for educational and exam preparation purposes only. It is designed to supplement your study efforts with additional context, scenarios, and practice material. This is not official ISC2 content, is not endorsed by ISC2, and does not guarantee exam success. All practice questions are original and based on published exam objectives — they are not actual exam questions. Exam content, format, and policies are determined solely by ISC2. Always refer to the official ISC2 CISSP Exam Outline and authorized study materials as your primary reference. Tech Jacks Solutions is not responsible for exam outcomes.

Based on the ISC2 CISSP Exam Outline (April 2024).