Learn about the objectives of the Security and Risk Management domain of the CISSP exam.
- ISC Squared provides a detailed curriculum for the CISSP exam. It organizes the content into eight major domains of information security: security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. If you'd like, take the time to look through the official exam objectives and get a sense for the things you'll learn as you prepare for the CISSP exam.
Chances are that you are already familiar with some topics, while others are brand new to you. That's fine. This course is designed to give you all of the knowledge you'll need to pass the CISSP exam, no matter where you are in your security career. In this video, and the seven that follow, I'll walk you through each of the eight CISSP domains and give you just a quick flavor of what the exam covers. And once you're done with these brief introductions, I have an entire course ready and waiting for you on each one of these domains.
The first domain of the CISSP exam, security and risk management, makes up 15% of the questions on the test. It has 12 objectives. The first objective is to understand and apply the concepts of confidentiality, integrity, and availability. These three elements make up the famous CIA triad of information security and are the cornerstone of our profession. The second objective is to apply security governance principles by aligning the security function to the strategy, goals, mission, and objectives of the business.
You'll learn about organizational processes, security roles and responsibilities, security control frameworks, and the concepts of due care and due diligence. In the third objective, you'll learn about the compliance issues associated with cyber security, including legislative, regulatory, and privacy compliance. From there, you'll move on to learn about other legal and regulatory issues that pertain to information security in a global context.
These include computer crimes, licensing and intellectual property, import/export controls, trans-border data flow, privacy, and data breaches. The fifth objective covers professional ethics, including the ISC Squared code of ethics that applies to all CISSP-certified individuals, and the code of ethics of your organization. The sixth objective ensures that you are able to develop and implement documented security policies, standards, procedures, and guidelines.
In the seventh objective, you'll learn about business continuity planning, and how to conduct a business impact analysis. When you get to the eighth objective, you'll learn about personnel security policies, and the importance of screening job candidates, carefully writing employment policies, having a consistent process for terminations, and putting controls in place around vendors, contractors, and consultants. The ninth objective covers the risk management process.
Material in this objective ranges from identifying potential threats and vulnerabilities through performing risk assessments, selecting controls, and managing risks in other ways. In the tenth objective, you'll learn how to conduct threat modeling to determine potential attacks and remediate those threats. The eleventh objective provides you with the information you'll need to integrate security risk considerations into your organization's acquisition strategy and practices.
And finally, you'll learn how to establish and manage an information security education, training, and awareness program that's appropriate for your organization. That's a lot of material to learn, but once you've completed the security and risk management course, you'll be ready to face these questions on the CISSP exam.