SY0-701 domain - 20% of the exam

Security Program Management and Oversight

Security Program Management and Oversight is 20% of the CompTIA Security+ (SY0-701) exam. These are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample | Security Program Management and Oversight | Difficulty: medium

A regional building society's incident review finds that engineers across three teams handled a recent ransomware outbreak inconsistently: one team wiped a compromised laptop before evidence was preserved, another paused containment to seek written approval that never arrived, and a third made firewall changes without recording them. The chief information security officer wants the governance artefact that most directly fixes this inconsistency by prescribing the exact step-by-step actions every responder must take, in order, for a ransomware event. Which artefact should she commission first?

  • A. A board-approved information security policy that states the firm will respond to ransomware in a timely and proportionate manner.
  • B. A written ransomware response procedure that lists the ordered steps for triage, isolation, evidence preservation, approval gates, and communications, mapped to named roles. (Correct)
  • C. An industry standard such as ISO/IEC 27035 referenced in the security manual as the firm's accepted approach to incident management.
  • D. A governance committee charter that assigns the chief information security officer accountability for ransomware preparedness across the group.

Distinguish procedures from policies and standards by recognising that procedures prescribe the ordered operational steps responders must execute. In a governance hierarchy, policies state intent, standards state the measurable criteria a programme must meet, and procedures state the ordered actions people must take. Inconsistent operational behaviour during an incident is a procedure gap: no policy or standard reaches the level of telling a responder exactly what to do, in what order, and with which approval, so a runbook is the artefact that closes it.

Why A is wrong: A policy expresses managerial intent and accountability at a high level; it does not prescribe the ordered operational steps responders need, which is exactly the gap the incident review surfaced.

Why B is correct: Procedures translate policy and standards into the ordered, role-tagged actions responders execute; this directly removes the inconsistency by giving every team the same numbered runbook for a ransomware event.

Why C is wrong: A standard sets the criteria a programme should meet and is tempting because it carries authority, but it stops short of the ordered, ransomware-specific actions a responder follows at 02:00.

Why D is wrong: A charter clarifies who is accountable at the governance layer, which is useful, but it does not tell the engineer on shift which command to run before pulling a network cable on an infected host.

See also the SY0-701 cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by CompTIA. Original, blueprint-aligned practice material only.