CISSP domain - 16% of the exam

Security and Risk Management

Security and Risk Management is 16% of the Certified Information Systems Security Professional (CISSP) (CISSP) exam. These are the objectives it covers, each with practice questions and worked explanations.

Objectives in this domain

Understand, adhere to, and promote professional ethics including the ISC2 Code of Professional Ethics and organisational codes of ethics.
Section 1.1easy
Understand and apply core security concepts including confidentiality, integrity, availability, authenticity, and non-repudiation.
Section 1.2easy
Evaluate and apply security governance principles aligned with organisational goals, mission, and strategy.
Section 1.3medium
Understand legal, regulatory, and compliance issues pertaining to information security in a holistic context, including cybercrime, privacy, and contractual requirements.
Section 1.4hard
Understand requirements for different investigation types including administrative, criminal, civil, regulatory, and industry standards.
Section 1.5medium
Develop, document, and implement security policy, standards, procedures, and guidelines.
Section 1.6medium
Identify, analyse, assess, prioritise, and implement Business Continuity requirements including business impact analysis and external dependencies.
Section 1.7hard
Contribute to and enforce personnel security policies and procedures across the employment lifecycle and with vendors and contractors.
Section 1.8medium
Understand and apply risk management concepts including risk identification, assessment, response, control selection, and continuous monitoring.
Section 1.9hard
Understand and apply threat modeling concepts and methodologies.
Section 1.10hard
Apply Supply Chain Risk Management (SCRM) concepts including third-party assessment, minimum security requirements, and service-level requirements.
Section 1.11medium
Establish and maintain a security awareness, education, and training program including periodic reviews and effectiveness evaluation.
Section 1.12easy

Sample question from this domain

Free sampleSecurity and Risk Managementeasy

Which statement BEST describes the relationship between the ISC2 Code of Professional Ethics canons and an employer's internal code of conduct for a CISSP-certified employee?

AThe ISC2 canons apply to certified professionals at all times and complement, rather than replace, lawful employer codes of conduct. Correct
BThe employer's code of conduct overrides the ISC2 canons whenever the two appear to conflict in the workplace.
CThe ISC2 canons only apply when the CISSP is performing security work outside of normal employment duties.
DEither code can be ignored provided the professional acts in line with applicable national law and contractual obligations.

Recognise that the ISC2 Code of Ethics binds the certified professional continuously and operates alongside, not in place of, lawful organisational codes. Holding the CISSP is a personal undertaking to abide by the ISC2 canons in every professional act, while an employer's code defines workplace duties owed to a principal. Both apply concurrently, and where a lawful employer rule and a canon point the same way the professional follows both; the canons set the floor and an organisational code can add stricter expectations on top.

Why A is correct: The canons bind the certificant personally and continuously, while a lawful employer code governs workplace duties; the two are designed to coexist, with the canons providing the professional baseline.

Why B is wrong: Tempting because employees normally follow employer policy, but a CISSP holder agreed to uphold the ISC2 canons as a condition of certification, so the canons are not displaced by internal policy.

Why C is wrong: Plausible to a candidate who thinks ethics codes only cover voluntary or external activity, but the canons attach to the certificant in every professional context, not only off-hours engagements.

Why D is wrong: Compliance with law is necessary but not sufficient; the ISC2 canons impose duties beyond legal minimums, and ignoring an employer's lawful code breaches duty owed to principals.

Other domains in this exam

Asset Security10% of the exam
Security Architecture and Engineering13% of the exam
Communication and Network Security13% of the exam
Identity and Access Management (IAM)13% of the exam
Security Assessment and Testing12% of the exam
Security Operations13% of the exam
Software Development Security10% of the exam

See also the CISSP cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by (ISC)2. Original, blueprint-aligned practice material only.