CISSP Domain 1: Security and Risk Management - The Complete Guide

CISSP Domain 1, Security and Risk Management, is the largest and most heavily weighted domain on the exam (15%) and the one that catches the most candidates off guard. The trap is technical thinking. Domain 1 is not about firewalls, encryption, or controls. It is about how a security leader thinks: governance, risk, compliance, ethics, and the manager mindset that ties the other seven domains together. Pass Domain 1 by mastering business context, not by memorising frameworks.

This guide pulls together the 12 in-depth Domain 1 articles on Threat on the Wire into one reference. Start at the top and work down, or jump straight to the section you need. Every article is written for security professionals who already understand the basics and want clarity on how the (ISC)² CBK expects you to reason on exam day.

What Domain 1 is really testing

CISSP lens: when in doubt, pick the answer that aligns business objectives, governance intent, and risk-based decision making. Technical answers are almost always wrong in Domain 1.

The exam wants to see whether you think like a security manager, not a technician. The "obviously correct" technical answer is usually a distractor. The right answer ties the question back to business risk, executive accountability, due care, or the formal governance hierarchy.

You will be tested on:

  • Confidentiality, integrity, and availability (the CIA triad) and how to balance them in trade-off scenarios.
  • The hierarchy of policies, standards, procedures, and guidelines, and which document type fits which situation.
  • Risk management as a lifecycle: identify, assess, treat, monitor.
  • Quantitative and qualitative risk methods, and when each is appropriate.
  • Legal and regulatory awareness: GDPR, HIPAA, transborder data flow, due care, due diligence.
  • Personnel security, third-party risk, and supply-chain governance.
  • Threat modeling as a structured input to risk decisions.
  • Professional ethics and the (ISC)² Code of Ethics canons in priority order.

How Domain 1 fits into the rest of the CBK

Domain 1 is the lens through which every other domain is interpreted. The risk-management lifecycle you learn here drives the testing strategies in Domain 6 (Security Assessment and Testing). The personnel-security and insider-threat material connects directly to Domain 7's monitoring practices. Supply-chain risk maps into Domain 8's third-party software risk.

If a Domain 4 question asks about a network design choice and the answer options are technical, look for the one that reflects the risk-management mindset learned here. That is almost always the right pick.

Core concepts at a glance

Concept | What it is | Why it matters on the exam
------- | ---------- | --------------------------
CIA triad | Confidentiality, integrity, availability | Every Domain 1 question can be reframed as a CIA trade-off
Governance hierarchy | Policy > standard > procedure > guideline | Document-type questions are common; know which is mandatory vs advisory
Due care | Doing what a reasonable organisation would do | Tested with due diligence as a paired concept
Due diligence | Investigating and verifying before acting | "Care vs diligence" wording is the classic distractor pair
Risk lifecycle | Identify, assess, treat, monitor | The order matters: assess before you treat
Inherent risk | Risk before any controls | Compared with residual risk in scenario questions
Residual risk | Risk that remains after controls | Senior management formally accepts residual risk
ALE / SLE / ARO | Annual loss expectancy = single loss expectancy × annualized rate of occurrence | The quantitative-risk math you must be able to do on the exam
STRIDE / PASTA | Threat-modeling frameworks | Domain 1 framing; reused in Domain 8
(ISC)² Canons | Society, principals, profession, individuals | Tested in priority order; "society" beats employer in tie-break

Security governance

Governance is the structure of authority, accountability, and documentation that lets a security program make defensible decisions. The exam tests three things in this area: what each document type is for, what the hierarchy looks like, and how senior management's role differs from a security manager's.

Start with the CIA triad and why it underpins every governance decision. Then move to the governance hierarchy of policies, standards, procedures, and guidelines - the single most testable governance topic in the domain. Finish with the due care vs due diligence distinction, because every CISSP candidate gets at least one item that hinges on telling them apart.

Governance quick rules

  • Policies are mandatory and approved by senior management. They state intent, not implementation.
  • Standards are mandatory and reflect specific technical or operational requirements. Think "all servers must use TLS 1.2 or higher."
  • Procedures are mandatory step-by-step instructions. They tell someone exactly how to perform a task.
  • Guidelines are recommendations, not requirements. They inform; they do not compel.
  • Senior management owns risk. Security managers operate the program; senior management accepts residual risk.

Risk management

Risk management is the analytic backbone of Domain 1 and the most interconnected topic in the whole CBK. The exam expects you to move fluently between the high-level framework (identify, assess, treat, monitor) and the calculation-level details (ALE, SLE, ARO, exposure factor).

Build the foundation first with how to assess threats and vulnerabilities and the difference between inherent and residual risk. Then learn when to use which method via quantitative vs qualitative risk analysis - quantitative for calculable monetary loss, qualitative for everything else. Round out the topic with how a security leader uses STRIDE and PASTA threat modeling to inform risk decisions.

Risk treatment options

Option | What it means | When the exam expects this answer
------ | ------------- | ---------------------------------
Avoid | Do not do the activity | The risk is unacceptable and there is a viable alternative
Mitigate | Reduce the likelihood or impact with controls | The default treatment for most identified risks
Transfer | Shift the risk to a third party (insurance, contract) | The risk is high-impact, low-likelihood, and someone will assume it
Accept | Acknowledge the risk and do nothing further | Cost of treatment exceeds the loss; senior management signs off

The exam will sometimes offer "ignore" as a fifth option. Ignoring is never correct. Acceptance is a documented decision; ignorance is negligence.
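As an added worked example (not code from the article or from Threat on the Wire), here is the quantitative-risk math the concept table lists (SLE = AV × EF, ALE = SLE × ARO) carried through to the treatment decision above, in Python. The cost/benefit formula for a safeguard (inherent ALE minus residual ALE minus the control's annual cost), the assumption that insurance covers the full loss, and every figure are assumptions of this example, not statements from the page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One identified risk in quantitative terms (all figures constructed)."""
    asset_value: float       # AV: value of the asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float               # ARO: annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        # Single loss expectancy: the cost of one incident (AV x EF).
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annual loss expectancy, as the concept table defines it: SLE x ARO.
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control (the 'mitigate' option) and what it changes."""
    name: str
    annual_cost: float          # ACS: purchase, maintenance and staff, per year
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def residual_ale(risk: Risk, control: Safeguard) -> float:
    """Residual risk (after controls); risk.ale is the inherent risk (before)."""
    return Risk(risk.asset_value, control.new_exposure_factor, control.new_aro).ale


def safeguard_value(risk: Risk, control: Safeguard) -> float:
    """Net annual value of a control: (inherent ALE - residual ALE) - annual cost.
    Assumed: the usual CISSP cost/benefit formula, which the article does not state."""
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def recommend_treatment(risk: Risk, control: Safeguard,
                        transfer_premium: Optional[float] = None) -> str:
    """Choose mitigate / transfer / accept on the numbers alone. Avoid needs a
    viable business alternative that numbers cannot supply, so it is never picked
    here; accept remains a decision senior management must sign off.
    Assumed: insurance (transfer) covers the full loss, so its value is ALE - premium."""
    best_option, best_value = "accept", 0.0   # accept: spend nothing, carry the ALE
    mitigate_value = safeguard_value(risk, control)
    if mitigate_value > best_value:
        best_option, best_value = "mitigate", mitigate_value
    if transfer_premium is not None and risk.ale - transfer_premium > best_value:
        best_option, best_value = "transfer", risk.ale - transfer_premium
    return best_option
```

With a constructed asset value of 500,000, EF 0.4 and ARO 0.5 the inherent ALE is 100,000; a 25,000-per-year control that cuts ARO to 0.1 leaves a residual ALE of 20,000 and a net value of 55,000, so mitigate beats both a 60,000 premium and acceptance, while a 120,000-per-year control has negative value and the same risk falls back to transfer or accept.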

Business continuity and disaster recovery

BCP and DR are tested as Domain 1 governance topics, with operational depth in Domain 7. In Domain 1 the exam wants you to know what each plan is for, who owns it, and how the lifecycle works.

Business Continuity vs Disaster Recovery: what Domain 1 actually expects you to know covers the distinction the exam keeps testing. BCP is about keeping the business running, even degraded. DR is about restoring IT systems and data. BCP scope is broader; DR scope is narrower and IT-specific.

For deeper operational coverage, see Domain 7's treatment of BCP and DR in security operations.

Legal and regulatory compliance

You do not need to be a lawyer, but you do need to recognise the major legal frameworks and how they shape security decisions. The most testable topic is transborder data handling - moving personal data from one jurisdiction to another - because it is a recurring exam scenario for any security manager working with global or cloud systems.

Navigating GDPR, HIPAA, and transborder data transfers walks through the practical decision points: what GDPR's lawful-basis requirements mean, how HIPAA's covered-entity model differs, and where transborder agreements like Standard Contractual Clauses fit in.

Personnel and third-party risk

People are the most variable component of any security program. Domain 1 tests two angles: managing the insider and managing the third party.

Start with the insider threat lifecycle and the hostile-termination checklist. The exam loves termination scenarios: who escorts whom, when access is disabled, and what the audit trail looks like after.

For third parties, read supply chain risk management as enterprise risk governance. SCRM is no longer optional reading - it appears on the exam, and it appears in every security program that touches a software supply chain.

Security awareness ties these together. Security awareness training: culture vs compliance explains why phishing tests alone do not change behaviour, and what a real awareness program looks like.

Professional ethics

Every CISSP candidate gets at least one ethics question, and most get more than one. The (ISC)² Code of Ethics is short, but the way the canons interact under pressure is what the exam tests.

The (ISC)² Code of Ethics, with the canons in their official priority order, is the reference you need. The order matters in scenario questions:

  1. Protect society, the common good, necessary public trust, and the infrastructure.
  2. Act honourably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.

When two canons appear to conflict in a question, the canon higher in the list wins. "Society" beats "employer" every time.

Real-world manager scenarios

A risk lead at a healthcare provider learns that a vendor's recent security incident may have exposed patient data flowing through the vendor's analytics platform. The technical instinct is to disconnect the vendor and run forensics. The manager instinct is different. First, confirm whether the contract requires breach notification within a defined window. Second, brief the chief privacy officer; HIPAA is in play. Third, check whether the data sharing involved a Business Associate Agreement (BAA) and whether transborder transfer added a GDPR concern. Only then do you talk about technical containment. Domain 1 questions reward this manager-first sequence.

A second example: a CISO is asked by the CEO to "make sure we are SOC 2 compliant by Q4." A technical leader hears "implement controls." A Domain 1-trained leader hears "scope the audit, define the trust services criteria, identify which systems are in scope, build the evidence-collection plan, run a readiness assessment, then engage the auditor." The action items are the same in spirit; the framing is what makes the answer right.

Common exam traps in Domain 1

  • Picking the most technical answer. Domain 1 questions almost always have a technical-sounding option that is wrong. The right answer is governance, risk, or stakeholder-focused.
  • Confusing due care with due diligence. Due care is doing the right thing; due diligence is investigating before doing it. Memorise this and you will pass any item that uses both terms.
  • Mistaking inherent for residual risk. Inherent is before controls; residual is after. The exam tests this with subtle wording differences.
  • Rejecting risk acceptance. Acceptance is a valid treatment when senior management signs off. The wrong answer is "ignore."
  • Calling a guideline mandatory. Guidelines recommend; they do not compel. If a question hinges on whether something is required, the answer is policy, standard, or procedure - never guideline.
  • Forgetting senior management owns risk. The security manager runs the program, but residual-risk acceptance belongs to senior management or the risk owner. Pick the answer that reflects that authority structure.

The full Domain 1 reading order

Read these in order if you are working through Domain 1 as a study sequence. Skip directly to a topic if you are reviewing.

Governance and the CIA triad

  1. Security Governance: The CIA Triad and Beyond
  2. Governance Hierarchy in CISSP: Policies, Standards, and Procedures
  3. Due Care vs Due Diligence: The Compliance Distinction Every CISSP Candidate Must Master

Risk management

  1. CISSP Risk Management: Assessing Threats and Vulnerabilities
  2. Quantitative vs Qualitative Risk Analysis
  3. Threat Modeling for Security Leaders: STRIDE and PASTA

Business continuity and disaster recovery

  1. Business Continuity vs Disaster Recovery

Legal and regulatory compliance

  1. Navigating GDPR, HIPAA, and Transborder Data Transfers

Personnel and third-party risk

  1. Personnel Security and the Insider Threat Lifecycle
  2. Supply Chain Risk Management for CISSP
  3. Security Awareness Training: Culture vs Compliance

Professional ethics

  1. Professional Ethics: The (ISC)² Code of Ethics

How Domain 1 connects to the other domains

Threat on the Wire publishes a long-form pillar for every CISSP domain. The eight domains are interlocked - mastering any one of them is easier when you can see how it connects to the others. Here's how this domain relates to the other seven, with a one-line summary of the relationship and a link to the pillar.

Pillar | How it relates to this domain
------ | -----------------------------
Domain 2: Asset Security | Domain 1 governance frames classification; Domain 2 applies it to data assets.
Domain 3: Security Architecture and Engineering | Domain 1 decides which controls are needed; Domain 3 designs them.
Domain 4: Communication and Network Security | Network choices flow from the risk decisions made in Domain 1.
Domain 5: Identity and Access Management | Personnel security and ethics in Domain 1 frame the IAM lifecycle.
Domain 6: Security Assessment and Testing | Risk lifecycle is validated by Domain 6 testing; assurance needs both.
Domain 7: Security Operations | Domain 1 sets the governance and BCP plans; Domain 7 executes them.
Domain 8: Software Development Security | Supply-chain risk extends from Domain 1 into Domain 8 third-party software risk.

For the full CISSP overview, exam structure, and 12-week study plan, see the CISSP Study Hub.

Frequently asked questions

How much of the CISSP exam covers Domain 1?

Domain 1 is weighted at 15% of the exam, the largest single domain. Out of roughly 100-150 items on a CAT exam, expect 15-22 of them to come from Domain 1. The proportion of governance-and-risk thinking baked into other domains' questions is even higher than that, because Domain 1 is the lens for the whole CBK.

Why do candidates find Domain 1 the hardest, even though it is non-technical?

Most CISSP candidates come from technical backgrounds. They are used to questions with one defensible right answer. Domain 1 questions often have two or three answers that are reasonable, with one being the most-correct from a governance perspective. The shift from "what works technically" to "what reflects business intent" is the single biggest mindset change in CISSP preparation.

What is the fastest way to prepare for Domain 1?

Read the articles in the reading order above, then drill scenario questions with a focus on the manager mindset. The (ISC)² Official Study Guide and Sybex All-in-One both cover Domain 1 well, but practice questions are where the manager-frame trap becomes obvious. Use practice items to spot which technical answers you would pick by reflex, and force yourself to see the governance answer instead.

Who accepts residual risk?

Senior management or the formal risk owner accepts residual risk. The security manager identifies, assesses, and recommends; they do not unilaterally accept. If a question gives "the security analyst accepts the risk" or "the system administrator accepts the risk" as options, those are wrong. Look for "the system owner," "the data owner," "senior management," or "the executive committee."

When the (ISC)² Canons conflict, which wins?

The canons are listed in priority order. Canon 1 (society and infrastructure) outranks Canon 2 (acting honourably), which outranks Canon 3 (service to principals), which outranks Canon 4 (advancing the profession). When a scenario forces a choice between protecting your employer (Canon 3) and protecting public safety (Canon 1), the answer is always Canon 1.

Is due care the same as a security control?

No. Due care is the standard of behaviour - doing what a reasonable, prudent organisation would do given the threat environment. A security control is one possible way to demonstrate due care, but due care itself is a behavioural standard, not a technical implementation. The exam will test this with questions that offer "implementing encryption" as an option when the right answer is "performing the risk assessment that determined encryption was necessary."

Key takeaways

  • Domain 1 is the largest single domain (15%) and the lens through which every other domain is interpreted.
  • The right answer is almost never the most technical answer. Default to governance, risk, or stakeholder-focused options.
  • Memorise the policy / standard / procedure / guideline hierarchy and which are mandatory.
  • Risk has a lifecycle: identify, assess, treat, monitor. Treatment options are avoid, mitigate, transfer, accept - never ignore.
  • Senior management owns and accepts residual risk; the security manager runs the program.
  • Due care is the behavioural standard; due diligence is the verification before acting. The (ISC)² Code of Ethics canons are tested in priority order, with society beating employer.

If you take one thing away from Domain 1, take this: every security decision is a business decision in disguise. Pick the answer that reflects business risk and governance authority, and you will be right more often than not - on the exam, and in your job.

© 2025 Threat On The Wire. All rights reserved.