ISC2 CISSP: Security and Risk Management

Security and Risk Management is 16% of the ISC2 CISSP exam, the single largest domain. This module covers the managerial foundation of the whole certification: ethics, core security concepts, governance, compliance, and risk. The CISSP thinks like a manager, not a technician. When two answers seem right, pick the one that protects the organization and follows policy.
Professional Ethics
You promote professional ethics above all else. The ISC2 Code of Professional Ethics has four canons you must apply in order:
- Protect society, the common good, public trust, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
When canons conflict, the earlier canon wins. You also follow your organizational ethics and code of conduct.
Core Security Concepts
You apply the 5 Pillars of Information Security. The classic CIA triad is the core, extended with authenticity and non-repudiation.
| Concept | Meaning |
|---|---|
| Confidentiality | Only authorized people see the data |
| Integrity | Data stays accurate and unaltered |
| Availability | Authorized users reach the data when needed |
| Authenticity | The source of data or a message is genuine |
| Non-repudiation | A party cannot deny an action they took |
Security Governance
Security governance aligns the security function to business strategy, goals, and objectives. Security exists to support the mission, not to block it. You translate business needs into a hierarchy of documents:
| Document | Role | Mandatory? |
|---|---|---|
| Policy | High-level management intent | Yes |
| Standard | Specific mandatory requirements | Yes |
| Procedure | Step-by-step instructions | Yes |
| Guideline | Recommended best practice | No |
Legal, Regulatory, and Compliance
You understand the investigation types because each has a different burden of proof and goal:
- Administrative - internal, policy violations
- Criminal - law enforcement, “beyond a reasonable doubt”
- Civil - disputes between parties, “preponderance of evidence”
- Regulatory - a government regulator enforcing rules
- Industry standards - frameworks like PCI DSS
Business Continuity
You identify Business Continuity (BC) requirements through a Business Impact Analysis (BIA). The BIA finds critical processes and sets the key recovery metrics:
| Metric | Meaning |
|---|---|
| RTO | Recovery Time Objective, how fast you must restore a process |
| RPO | Recovery Point Objective, how much data loss you can accept |
| MTD | Maximum Tolerable Downtime before the business fails |
Risk Management
Risk management is the heart of this domain. You identify threats and vulnerabilities, analyze risk, then choose a response.
Quantitative analysis uses formulas you must know:
- SLE (Single Loss Expectancy) = Asset Value x Exposure Factor
- ALE (Annualized Loss Expectancy) = SLE x ARO (Annualized Rate of Occurrence)
You then pick a risk response:
| Response | Action |
|---|---|
| Mitigate | Apply controls to reduce risk |
| Transfer | Shift risk to a third party, like insurance |
| Avoid | Stop the risky activity |
| Accept | Acknowledge and live with the risk |
You ground this in risk frameworks such as ISO 27005, NIST RMF (SP 800-37), COBIT, SABSA, and PCI DSS.
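The SLE and ALE formulas above worked through in code, as an added example that is not part of the original study page. It applies the page's two formulas and then carries them one step further into the standard cost/benefit comparison (ALE before a control, minus ALE after it, minus the control's annual cost), which is how the "Mitigate" and "Accept" responses from the table are chosen on numbers. The asset values, exposure factors, rates and control costs are constructed sample figures.

```python
"""Quantitative risk analysis: SLE, ALE and a safeguard cost/benefit check.

Added example for study purposes; the numbers below are constructed,
not taken from the page.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor.

    EF is the fraction of the asset's value lost in one incident (0.0-1.0).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Safeguard:
    """A proposed control and the residual risk expected once it is in place."""
    name: str
    annual_cost: float          # yearly cost of buying, running and maintaining it
    new_exposure_factor: float  # EF after the control is applied
    new_aro: float              # ARO after the control is applied


def safeguard_value(asset_value: float, exposure_factor: float, aro: float,
                    safeguard: Safeguard) -> float:
    """Annual value of a safeguard = ALE(before) - ALE(after) - annual cost.

    This cost/benefit step is the usual follow-on to ALE; the page itself
    lists only the SLE and ALE formulas.
    """
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.new_exposure_factor),
        safeguard.new_aro)
    return ale_before - ale_after - safeguard.annual_cost


def recommend_response(asset_value: float, exposure_factor: float, aro: float,
                       safeguard: Safeguard) -> str:
    """Choose between two of the page's responses on the numbers alone.

    Mitigate when the control pays for itself, otherwise Accept. Transfer and
    Avoid need business context (insurance terms, whether the activity can
    stop) that a single ALE comparison does not capture.
    """
    return "Mitigate" if safeguard_value(asset_value, exposure_factor, aro, safeguard) > 0 else "Accept"


if __name__ == "__main__":
    # Constructed scenario: a $200,000 asset, 25% lost per incident, one incident every two years.
    av, ef, aro = 200_000.0, 0.25, 0.5
    sle = single_loss_expectancy(av, ef)                  # 50,000
    ale = annualized_loss_expectancy(sle, aro)            # 25,000
    cheap = Safeguard("backup and restore drills", 8_000.0, 0.25, 0.1)
    costly = Safeguard("full site redundancy", 30_000.0, 0.25, 0.1)
    print(f"SLE={sle:,.0f} ALE={ale:,.0f}")
    for sg in (cheap, costly):
        print(f"{sg.name}: value={safeguard_value(av, ef, aro, sg):,.0f} "
              f"-> {recommend_response(av, ef, aro, sg)}")
```

The negative-value branch matters as much as the positive one: a control whose annual cost exceeds the ALE reduction is a cost, not a mitigation, and the exam expects "Accept" (or a cheaper control) rather than spending more than the risk is worth.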
Supply Chain Risk Management
SCRM addresses risk from vendors and suppliers. You watch for product tampering, counterfeits, and weak vendor security. Modern controls include a silicon root of trust for hardware integrity and a software bill of materials (SBOM) that lists every component in your software, so you can react fast when a dependency is found vulnerable.
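What "react fast when a dependency is found vulnerable" looks like in practice, as an added example that is not code from the page: a small CycloneDX-style SBOM (JSON, constructed inline with made-up package names and versions) is searched for every component whose version falls inside an announced vulnerable range, including components nested inside other components. The CycloneDX field names `bomFormat`, `components`, `name` and `version` are real; everything else here is sample data.

```python
"""Search an SBOM for components affected by a vulnerability notice.

Added example; the SBOM content and package names are constructed.
"""
import json

# Constructed CycloneDX-style SBOM. Real SBOMs carry many more fields
# (purl, hashes, licenses); only the ones this check needs are shown.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-json-parser", "version": "2.3.1"},
        {"type": "library", "name": "example-http-client", "version": "4.0.7",
         # Nested components: a transitive dependency pulled in by the client.
         "components": [
             {"type": "library", "name": "example-json-parser", "version": "2.1.0"},
         ]},
        {"type": "library", "name": "example-logger", "version": "1.9.0"},
    ],
})


def parse_version(version: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as text."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        # Pre-release tags and vendor suffixes need a real semver library;
        # refusing is safer than silently comparing them as strings.
        raise ValueError(f"unsupported version format: {version!r}")


def walk_components(components):
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def affected_components(sbom_json: str, package: str, fixed_in: str,
                        introduced: str = "0") -> list:
    """Return (name, version) pairs with introduced <= version < fixed_in.

    A transitive copy counts as much as a direct one: it still ships.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    low, high = parse_version(introduced), parse_version(fixed_in)
    hits = []
    for comp in walk_components(sbom.get("components", [])):
        if comp.get("name") != package or "version" not in comp:
            continue
        if low <= parse_version(comp["version"]) < high:
            hits.append((comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    # Constructed notice: example-json-parser versions before 2.4.0 are affected.
    for name, version in affected_components(SAMPLE_SBOM, "example-json-parser", "2.4.0"):
        print(f"affected: {name} {version}")
```

Because the walk descends into nested `components`, the transitive copy at version 2.1.0 is reported alongside the direct 2.3.1 dependency; that is the case an SBOM exists to catch, since a manifest of direct dependencies alone would miss it.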
Security Awareness and Training
People are the most common attack vector, so you build a security awareness, education, and training program. Awareness changes behavior, training builds skill, and education builds understanding. You measure it with simulated phishing and track improvement over time.
Next Steps
With the management foundation set, move to Asset Security to classify and protect data, then Security Architecture and Engineering. Compare frameworks further in the cybersecurity certifications comparison guide, and return to the ISC2 CISSP Course for the full path.