CarlsCloud™ Demystifying CISSP Domain 1: Security and Risk Management

In this article, we will demystify Domain 1 and provide recommendations for the most effective and efficient study methods to master Domain 1: Security and Risk Management and pass the CISSP exam.

10 months ago   •   5 min read

By Carl Ballenger, CISSP

The Certified Information Systems Security Professional (CISSP) certification is one of the most prestigious and sought-after certifications in the field of information security. It validates an individual's knowledge and expertise in various domains of security.

Among these domains, Domain 1: Security and Risk Management is especially important: it lays the foundation for the rest of the CISSP exam and is also the most heavily weighted domain, at 15% of the exam.

In this article, we will demystify Domain 1 and provide recommendations for the most effective and efficient study methods to pass the CISSP exam.

Domain 1: Security and Risk Management encompasses the principles and concepts that form the basis of information security and risk management. It covers a wide range of topics, including security governance, compliance, policies, procedures, and risk management practices.

This domain also covers legal and regulatory issues, ethical considerations, and security awareness and training programs, and, as noted above, it carries the heaviest weighting of any domain at 15% per ISC2.

CISSP Security and Risk Management Study Methods

To effectively prepare for Domain 1 of the CISSP exam, it is crucial to employ proven study methods that enhance understanding and retention of the material.

To start, I highly recommend the following FREE CISSP Domain 1 YouTube video by Pete Zerger from his Inside Cloud and Security CISSP series and channel. I used this all-in-one YouTube video extensively while running, working out, and so on, and listened to it repeatedly at 1.5x, 2x, or higher playback speed to hash out the specific focus areas of Domain 1: Security and Risk Management.

00:22:55 : Domain 1 Security and Risk Management


CISSP exam study material resources such as the following will help strengthen your knowledge:

  • (ISC)2 CISSP (Sybex) Study Guide 9th Edition
  • Luke Ahmed's: How To Think Like A Manager
  • Destination CISSP - A Concise Guide - Rob Witcher

The Official (ISC)2 CISSP CBK Reference 6th Edition
  1. Understand the CISSP CBK: The Common Body of Knowledge (CBK) is the foundation for the CISSP exam. Familiarize yourself with the domains, subdomains, and topics outlined in the CBK, paying special attention to Domain 1. This will give you a clear understanding of the scope and depth of the material you need to cover. Although a bit dry, it will assuredly cover the knowledge you need to clear the CISSP exam.
  2. Use official study resources: ISC², the organization that administers the CISSP certification, provides official study guides and practice exams. These resources are invaluable for gaining knowledge and understanding the exam format. Make sure to leverage these materials to get a comprehensive overview of the topics covered in Domain 1.
  3. Read supplementary materials: While the official study resources are essential, it is also beneficial to explore additional reference materials. There are numerous books, online articles, and whitepapers available that delve deeper into security and risk management concepts. Engage with reputable sources and gather a broader perspective on the subject matter.
  4. Take advantage of online communities: Joining online forums and communities dedicated to CISSP exam preparation like Reddit r/CISSP can be immensely helpful. Engage with fellow candidates, share insights, and participate in discussions related to Domain 1. These communities provide an excellent platform for learning from others' experiences, clarifying doubts, and staying motivated throughout your preparation journey.
  5. Practice with sample questions: Answering practice questions is a vital part of exam preparation. Seek out sample questions specifically tailored for Domain 1 to test your understanding and identify areas that require further study. Practice exams also simulate the actual exam environment, allowing you to develop time management skills and get accustomed to the format.
  6. Create and write down an actual study plan: Developing a structured study plan is crucial for organizing your preparation efforts effectively. Divide your study time into manageable chunks, allocating specific periods for each topic within Domain 1. A well-planned study schedule will help you stay focused, cover all the necessary material, and track your progress.
  7. Engage in hands-on learning: Practical experience is invaluable when it comes to information security. Look for opportunities to apply the concepts you've learned in real-world scenarios. Engaging in security-related projects, participating in security assessments, or seeking mentorship from experienced professionals can enhance your understanding of security and risk management principles.
  8. Review and revise: Regularly review the material you have covered to reinforce your knowledge. As the CISSP exam covers a broad range of topics, revisiting previously studied areas is essential to retain the information. Create concise summaries or flashcards to aid your revision process.

Domain 1: Security and Risk Management


Understand, adhere to, and promote professional ethics

  • (ISC)² Code of Professional Ethics
  • Organizational code of ethics


Understand and apply security concepts

  • Confidentiality, integrity, availability, authenticity, and nonrepudiation


Evaluate and apply security governance principles

  • Alignment of the security function to business strategy, goals, mission, and objectives
  • Organizational processes (e.g., acquisitions, divestitures, governance committees)
  • Organizational roles and responsibilities
  • Security control frameworks
  • Due care/due diligence


Determine compliance and other requirements

  • Contractual, legal, industry standards, and regulatory requirements
  • Privacy requirements


Understand legal and regulatory issues that pertain to information security in a holistic context

  • Cybercrimes and data breaches
  • Licensing and Intellectual Property (IP) requirements
  • Import/export controls
  • Transborder data flow
  • Privacy


Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)


Develop, document, and implement security policy, standards, procedures, and guidelines


Identify, analyze, and prioritize Business Continuity (BC) requirements

  • Business Impact Analysis (BIA)
  • Develop and document the scope and the plan


Contribute to and enforce personnel security policies and procedures

  • Candidate screening and hiring
  • Employment agreements and policies
  • Onboarding, transfers, and termination processes
  • Vendor, consultant, and contractor agreements and controls
  • Compliance policy requirements
  • Privacy policy requirements


Understand and apply risk management concepts

  • Identify threats and vulnerabilities
  • Risk assessment/analysis
  • Risk response
  • Countermeasure selection and implementation
  • Applicable types of controls (e.g., preventive, detective, corrective)
  • Control assessments (security and privacy)
  • Monitoring and measurement
  • Reporting
  • Continuous improvement (e.g., Risk maturity modeling)
  • Risk frameworks


Understand and apply threat modeling concepts and methodologies


Apply Supply Chain Risk Management (SCRM) concepts

  • Risks associated with hardware, software, and services
  • Third-party assessment and monitoring
  • Minimum security requirements
  • Service level requirements


Establish and maintain a security awareness, education, and training program

  • Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)
  • Periodic content reviews
  • Program effectiveness evaluation
