
Domains of CISSP: Information Security and Risk Management

The Information Security and Risk Management domain involves the identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented.

Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes an overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, safeguard implementation, and effectiveness review.
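The measurement, cost-benefit analysis and safeguard selection steps above are usually worked quantitatively. The following is an added example, not part of the original page or of any (ISC)² material: it applies the standard CISSP quantitative formulas (SLE = AV × EF, ALE = SLE × ARO, safeguard value = ALE before − ALE after − annual safeguard cost) to a constructed scenario whose asset value, exposure factors, rates and costs are all made-up sample figures.

```python
# Quantitative risk analysis and safeguard cost-benefit (CISSP risk
# management domain). Formulas are the standard ones taught for this domain;
# every asset value, exposure factor, rate and cost below is a constructed sample.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0-1)
    annual_rate: float      # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (SLE x ARO)."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # ACS: annualized cost of the safeguard
    residual: Risk      # the risk that remains once the safeguard is in place


def safeguard_value(before: Risk, sg: Safeguard) -> float:
    """Net value of a safeguard: ALE(before) - ALE(after) - ACS.
    Positive means it removes more expected loss than it costs."""
    return before.ale() - sg.residual.ale() - sg.annual_cost


def select_safeguard(before: Risk, options: list[Safeguard]) -> Safeguard | None:
    """Return the option with the highest positive net value, or None when no
    candidate pays for itself (the risk is then accepted rather than mitigated)."""
    best = max(options, key=lambda sg: safeguard_value(before, sg), default=None)
    return best if best is not None and safeguard_value(before, best) > 0 else None


# Constructed scenario: a customer database valued at 500,000; a breach wipes
# out 40% of that value and is expected about once every four years.
BASELINE = Risk(asset_value=500_000, exposure_factor=0.4, annual_rate=0.25)
OPTIONS = [
    # Encryption plus monitoring cuts EF to 10% at the same occurrence rate.
    Safeguard("encrypt_and_monitor", 12_000, Risk(500_000, 0.1, 0.25)),
    # A segmentation project halves ARO but costs more per year than it saves.
    Safeguard("segmentation", 40_000, Risk(500_000, 0.4, 0.125)),
]

if __name__ == "__main__":
    chosen = select_safeguard(BASELINE, OPTIONS)
    print("baseline ALE", BASELINE.ale(), "selected:", chosen.name if chosen else "accept risk")
```

With these figures the baseline ALE is 50,000 per year; encryption plus monitoring nets 25,500 per year and is selected, while segmentation nets −15,000 and would be rejected on cost-benefit grounds.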

The candidate will be expected to understand the planning, organization, and roles of individuals in identifying and securing an organization’s information assets; the development and use of policies stating management’s views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality; proprietary and private information; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.

Key Areas of Knowledge

  • Understand and align security function to goals, mission, and objectives of the organization
  • Understand and apply security governance
    • Organizational processes
    • Define security roles and responsibilities
    • Legislative and regulatory compliance
    • Privacy requirements compliance
    • Control frameworks
    • Due care
    • Due diligence
  • Understand and apply concepts of confidentiality, integrity, and availability
  • Develop and implement security policy
    • Security policies
    • Standards/baselines
    • Procedures
    • Guidelines
    • Documentation
  • Define and implement information classification and ownership
  • Ensure security in contractual agreements and procurement processes
  • Understand and apply risk management concepts
    • Identify threats and vulnerabilities
    • Risk assessment/analysis
    • Risk assignment/acceptance
    • Countermeasure selection
  • Evaluate personnel security
    • Background checks and employment candidate screening
    • Employment agreements and policies
    • Employee termination processes
    • Vendor, consultant and contractor controls
  • Develop and manage security education, training, and awareness
  • Develop and implement information security strategies
  • Support certification and accreditation efforts
  • Assess the completeness and effectiveness of the security program
  • Understand professional ethics
    • (ISC)2 code of professional ethics
    • Support organization’s code of ethics
  • Manage the security function
    • Budget
    • Metrics
    • Resources

About this author:

Mary is a leading trainer in Microsoft® and Business Applications.
