CISSP Study Guide · Domain 1
CISSP Domain 1 Explained: Security and Risk Management
Domain 1 is the heaviest on the exam (~16%) and sets the manager's mindset the whole CISSP rewards: security exists to serve the business, and every decision is risk-based.
A practical guide with free practice questions · by Domain8
The CISSP — Certified Information Systems Security Professional — is ISC2’s globally recognized cybersecurity certification, organized into eight domains.
Security and Risk Management is the foundation of the CISSP. It covers governance, risk, compliance, privacy, and ethics — and it establishes the "think like a manager" judgment the rest of the exam leans on. If you internalize this domain, the BEST-answer questions everywhere else get easier.
Want to drill Domain 1? Domain8 has adaptive quizzes, a 700-question bank, and a diagnostic that finds your weak spots. Domain 8 is free to try, no card.
Study free at Domain8 →1. Security and business alignment
Security strategy flows down from the business mission and goals, never the reverse. Know the boundary the exam loves to blur:
- Governance is direction and oversight (the what and why), owned by senior leadership and the board.
- Management is execution (the how), run by the CISO and the security team.
- Accountability stops at the top — senior management is ultimately accountable and formally accepts risk. Work can be delegated; accountability never transfers.
2. Due care, due diligence, and risk appetite
Precise vocabulary the exam rewards:
- Due diligence is the research and verification (the thinking and checking).
- Due care is taking the prudent action a reasonable organization would (the doing).
- Risk appetite is how much risk leadership will accept in pursuit of objectives — the boundary every decision works within.
3. The governance document hierarchy
Know which documents are mandatory and which are advisory:
- Policy — high-level mandatory statement of management intent.
- Standard — mandatory specifics (required tools, configurations).
- Procedure — mandatory step-by-step instructions.
- Guideline — recommended best practice, optional.
4. Risk management
Everything comes back to risk: identify, assess, treat, and monitor.
- Risk = likelihood × impact; it needs an asset, a threat, AND a vulnerability.
- Assess it qualitatively (high/med/low) or quantitatively (SLE = AV × EF; ALE = SLE × ARO).
- Treat it four ways: avoid, transfer, mitigate, or accept.
- Controls reduce risk but never eliminate it — residual risk always remains and senior management must accept it.
5. Privacy, law, and intellectual property
Know the major privacy regimes and the four IP protections:
- GDPR (EU), CCPA/CPRA (California), HIPAA (US health), GLBA (US financial); apply the data subject's jurisdiction, strictest governs.
- The data controller is accountable; the processor only follows instructions.
- IP: patent (disclose + expire), trademark (brand), copyright (expression), trade secret (secrecy, no expiry).
Free practice questions
Try these in the exam's "best answer" style, then expand for the explanation.
1. Senior management asks who is ultimately accountable for the organization's information security. What is the BEST answer?
- The CISO who runs the security program
- The security analyst operating the controls
- Senior management and the board
- The third-party managed security provider
Show answer
C. Accountability concentrates at the top. Senior management is ultimately accountable and formally accepts risk; the work can be delegated to the CISO and team, but accountability never transfers away.
2. A control to mitigate a rare risk would cost far more than the expected annual loss it prevents. What is the MOST appropriate risk treatment?
- Mitigate with the control anyway
- Accept the risk
- Avoid the activity entirely
- Transfer the risk with insurance
Show answer
B. When the cost of a control exceeds the expected loss, accepting the risk is a legitimate, documented decision. Risk treatment should match the math, and senior management formally accepts the residual risk.
3. An organization investigates a vendor's security posture before signing, then adds contractual controls based on what it found. The investigation and the action are, respectively:
- Due care and due diligence
- Due diligence and due care
- Both due care
- Both due diligence
Show answer
B. Due diligence is the research and verification (the investigation); due care is taking the prudent action (adding the controls). The exam frequently swaps these two.
Like these? Get a full adaptive quiz engine and a diagnostic that scores you by difficulty and question style. All of Domain 8 is free to try.
Study free at Domain8 →Frequently asked questions
How much of the CISSP is Domain 1?
About 16% — the largest single domain. It is also the most conceptual, so mastering its mindset pays off across the whole exam.
What is the fastest way to study Domain 1?
Learn the vocabulary precisely (governance vs management, due care vs due diligence, the document hierarchy), then drill risk-based BEST-answer questions until the judgment is automatic.
More CISSP domain guides
D2 · D3 · D4 · D5 · D6 · D7 · D8 · All guides