Domain 1.0: Security and Risk Management

Foundational Concepts of the CIA Triad

Confidentiality - Prevent unauthorized disclosure of sensitive information; only authorized subjects can read it.

Integrity - Prevent unauthorized or undetected modification of systems and information; data stays accurate and complete, and any change is detectable.

Availability - Prevent disruption of service and productivity; authorized users get timely, reliable access to systems and information when they need it.
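The following is an added illustration, not part of the original page, of how integrity differs from a mere checksum, and why a shared-key MAC gives integrity and authenticity but not nonrepudiation (the three properties named under 1.2.1). The key and messages are constructed sample values; it uses only the Python standard library.

```python
import hashlib
import hmac

# Constructed sample key shared by sender and receiver (hypothetical value,
# not from the original page). In practice it is random and kept secret.
SHARED_KEY = b"alice-and-bob-shared-secret"

# Constructed sample messages: an instruction whose unauthorized modification
# is exactly what the integrity property must prevent.
ORIGINAL_MESSAGE = b"transfer 100 to account 42"
FORGED_MESSAGE = b"transfer 900 to account 42"


def unkeyed_digest(message: bytes) -> str:
    """Plain SHA-256. Detects accidental corruption only: an attacker who can
    alter the message can recompute this digest, so it is not an integrity
    control against deliberate modification."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256. Only a holder of `key` can produce a valid tag, so a
    modification by anyone else is detected (integrity plus origin
    authenticity among the key holders)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak how many
    bytes of the tag matched."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def outsider_forgery_detected() -> dict:
    """An attacker without the key replaces the message in transit and also
    replaces the unkeyed digest that travelled with it. The receiver then
    checks what arrived against each mechanism."""
    genuine_tag = mac_tag(SHARED_KEY, ORIGINAL_MESSAGE)
    received_message = FORGED_MESSAGE
    received_digest = unkeyed_digest(FORGED_MESSAGE)  # attacker recomputed it
    return {
        # Unkeyed digest: the receiver's recomputation matches, forgery unnoticed.
        "unkeyed_check_passes": unkeyed_digest(received_message) == received_digest,
        # MAC: the attacker cannot recompute the tag, so the forged text fails.
        "mac_rejects_forgery": not verify_mac(SHARED_KEY, received_message, genuine_tag),
        "mac_accepts_original": verify_mac(SHARED_KEY, ORIGINAL_MESSAGE, genuine_tag),
    }


def receiver_can_forge() -> bool:
    """Nonrepudiation is NOT provided by a MAC: the receiver holds the same key,
    can mint a valid tag on any message, and could claim the sender produced
    it. Proving origin to a third party needs a digital signature made with a
    private key that only the sender holds."""
    return verify_mac(SHARED_KEY, FORGED_MESSAGE, mac_tag(SHARED_KEY, FORGED_MESSAGE))


if __name__ == "__main__":
    print(outsider_forgery_detected())
    print("receiver can forge a valid tag:", receiver_can_forge())
```

Note that the message is still sent in cleartext: the MAC says nothing about confidentiality, which needs a separate control (encryption), and nothing about availability, which is about the service staying reachable rather than about the data.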

  • 1.2 Understand and apply security concepts

    • 1.2.1 Confidentiality, integrity, and availability, authenticity and nonrepudiation

  • 1.3 Evaluate and apply security governance principles

    • 1.3.1 Alignment of security function to business strategy, goals, mission, and objectives

    • 1.3.2 Organizational processes (e.g., acquisitions, divestitures, governance committees)

    • 1.3.3 Organizational roles and responsibilities

    • 1.3.4 Security control frameworks

    • 1.3.5 Due care/due diligence

  • 1.7 Develop, document, and implement security policy, standards, procedures, and guidelines

  • 1.11 Understand and apply threat modeling concepts and methodologies

  • 1.12 Apply Supply Chain Risk Management (SCRM) concepts

    • 1.12.1 Risks associated with hardware, software, and services

    • 1.12.2 Third-party assessment and monitoring

    • 1.12.3 Minimum security requirements

    • 1.12.4 Service level requirements