CISSP Outline

Domain 1: Security and Risk Management

| Domain | Topic | Chapter | Status |
|---|---|---|---|
| 1.1 | Understand, adhere to, and promote professional ethics | 19 | |
| 1.1.1 | (ISC)² Code of Professional Ethics | 19 | |
| 1.1.2 | Organizational code of ethics | 19 | |
| 1.2 | Understand and apply security concepts | 1 | |
| 1.2.1 | Confidentiality, integrity, and availability, authenticity and nonrepudiation | 1 | |
| 1.3 | Evaluate and apply security governance principles | 1 | |
| 1.3.1 | Alignment of security function to business strategy, goals, mission, and objectives | 1 | |
| 1.3.2 | Organizational processes (e.g., acquisitions, divestitures, governance committees) | 1 | |
| 1.3.3 | Organizational roles and responsibilities | 1 | |
| 1.3.4 | Security control frameworks | 1 | |
| 1.3.5 | Due care/due diligence | 1 | |
| 1.4 | Determine compliance and other requirements | 4 | |
| 1.4.1 | Contractual, legal, industry standards, and regulatory requirements | 4 | |
| 1.4.2 | Privacy requirements | 4 | |
| 1.5 | Understand legal and regulatory issues that pertain to information security in a holistic context | 4 | |
| 1.5.1 | Cybercrimes and data breaches | 4 | |
| 1.5.2 | Licensing and intellectual property (IP) requirements | 4 | |
| 1.5.3 | Import/export controls | 4 | |
| 1.5.4 | Transborder data flow | 4 | |
| 1.5.5 | Privacy | 4 | |
| 1.6 | Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) | 19 | |
| 1.7 | Develop, document, and implement security policy, standards, procedures, and guidelines | 1 | |
| 1.8 | Identify, analyze, and prioritize Business Continuity (BC) requirements | 3 | |
| 1.8.1 | Business Impact Analysis (BIA) | 3 | |
| 1.8.2 | Develop and document the scope and the plan | 3 | |
| 1.9 | Contribute to and enforce personnel security policies and procedures | 2 | |
| 1.9.1 | Candidate screening and hiring | 2 | |
| 1.9.2 | Employment agreements and policies | 2 | |
| 1.9.3 | Onboarding, transfers, and termination processes | 2 | |
| 1.9.4 | Vendor, consultant, and contractor agreements and controls | 2 | |
| 1.9.5 | Compliance policy requirements | 2 | |
| 1.9.6 | Privacy policy requirements | 2 | |
| 1.10 | Understand and apply risk management concepts | 2 | |
| 1.10.1 | Identify threats and vulnerabilities | 2 | |
| 1.10.2 | Risk assessment/analysis | 2 | |
| 1.10.3 | Risk response | 2 | |
| 1.10.4 | Countermeasure selection and implementation | 2 | |
| 1.10.5 | Applicable types of controls (e.g., preventive, detective, corrective) | 2 | |
| 1.10.6 | Control assessments (security and privacy) | 2 | |
| 1.10.7 | Monitoring and measurement | 2 | |
| 1.10.8 | Reporting | 2 | |
| 1.10.9 | Continuous improvement (e.g., risk maturity modeling) | 2 | |
| 1.10.10 | Risk frameworks | 2 | |
| 1.11 | Understand and apply threat modeling concepts and methodologies | 1 | |
| 1.12 | Apply Supply Chain Risk Management (SCRM) concepts | 1 | |
| 1.12.1 | Risks associated with hardware, software, and services | 1 | |
| 1.12.2 | Third-party assessment and monitoring | 1 | |
| 1.12.3 | Minimum security requirements | 1 | |
| 1.12.4 | Service level requirements | 1 | |
| 1.13 | Establish and maintain a security awareness, education, and training program | 2 | |
| 1.13.1 | Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification) | 2 | |
| 1.13.2 | Periodic content reviews | 2 | |
| 1.13.3 | Program effectiveness evaluation | 2 | |