CISSP Domain 1: Security and Risk Management Guide — Master the 16% Heavyweight

Welcome to the cornerstone of the CISSP. Domain 1: Security and Risk Management carries 16% of the exam, the heaviest of the eight domains, and ISC2 writes it from a manager's chair, not an engineer's keyboard. This deep-dive walks four pillars: the CIA triad with governance and the ISC2 Code of Ethics; risk management with quantitative and qualitative analysis; compliance and privacy law including India's DPDP Act 2023 and GDPR; and continuity, threats, and security awareness. We close with the AI angle: how generative AI reshapes risk treatment, data-governance, and supply-chain risk. Master this and the other seven domains become applications of principles you already own, the way real security leaders are paid to think on the job.

Domain 1 at a glance

Flip each card for the one-line essence of each area before you dive in.

CIA, governance & ethics

Think of a bank vault: the cash inside, the locked door, and the manager who decides who gets a key. Security starts with the same three ideas, now expanded to five pillars in the 2024 ISC2 outline. Confidentiality keeps secrets from the wrong eyes, integrity stops silent tampering, and availability keeps the door open for authorised users. The 2024 refresh adds two more: authenticity (the message and sender are genuinely who they claim) and non-repudiation (the actor cannot later deny the action). Digital signatures deliver both authenticity and non-repudiation at once.

Security governance is the steering wheel, not the engine. It flows down from the organisation's mission, goals and objectives, so security decisions serve the business rather than fight it. Governance also enforces the ISC2 Code of Ethics four canons, listed in strict precedence so conflicts resolve top-down: (1) protect society and infrastructure, (2) act honourably and legally, (3) serve principals diligently, (4) advance and protect the profession.

Governance is then written down as a hierarchy. The policy is the high-level mandatory intent signed by management. Standards make it specific and mandatory (use AES-256). Procedures give the step-by-step how-to. Baselines set the minimum acceptable configuration. Guidelines are the only optional, recommended layer.

Roles separate accountability from labour. The mission/senior owner holds ultimate accountability and accepts residual risk. The data owner classifies the data and sets handling rules. The data custodian (often IT) just implements those controls daily — backups, patching, access lists.

Risk management

Think of risk management like a Mumbai monsoon plan — you cannot stop the rain, so you decide which drains to clear, which roads to avoid, and which losses to simply budget for. CISSP treats risk management as a continuous lifecycle, not a one-time audit. The loop runs: identify assets and threats, assess risk, treat it, then monitor and repeat.

Frameworks give that loop structure. NIST SP 800-37 RMF drives federal system authorization and added a "Prepare" step in Revision 2. ISO 27005 is the assessment companion you pick when chasing ISO 27001 certification. FAIR is the model you choose when the board wants risk stated in rupees, not "High/Medium/Low".

That distinction is the qualitative-versus-quantitative split. Qualitative analysis ranks risks subjectively using scales and techniques like the Delphi method (anonymous expert consensus). Quantitative analysis attaches real money. The core math chains three values: SLE = Asset Value × Exposure Factor, then ALE = SLE × ARO. So a Rs 100,00,000 database with a 30% exposure factor gives an SLE of Rs 30,00,000; if the breach hits twice a year (ARO = 2), the ALE is Rs 60,00,000 — your annual loss budget.

ALE then drives the four treatments. Avoid drops the risky activity entirely. Transfer shifts financial impact to a third party (insurance, outsourcing). Mitigate applies controls to lower likelihood or impact. Accept formally signs off on a risk the business can tolerate. Whatever leftover remains after controls is residual risk — and the data owner, not the security team, accepts it.

Compliance & privacy law

Think of compliance law as the traffic rules for personal data: break them and you pay a fine, but follow them and everyone moves safely. CISSP Domain 1 expects you to separate three obligation types. Regulatory requirements come from governments and carry legal force — GDPR, India's DPDP Act, HIPAA. Contractual requirements come from agreements you signed — PCI-DSS is industry-contractual, not a law. Due care means doing what a reasonable person would do to protect data; due diligence means the ongoing investigation that proves you keep checking. Due diligence is the homework; due care is acting on it.

Know each framework's scope. GDPR protects EU residents' personal data globally, granting rights like access, erasure, and portability, with fines up to 4% of global turnover. HIPAA guards US PHI and forces business-associate contracts down the supply chain. India's DPDP Act 2023, operationalised by the DPDP Rules 2025, calls you a Data Fiduciary, the user a Data Principal, and demands free, specific, informed consent. Substantive provisions phase in by May 2027; Significant Data Fiduciaries face annual DPIAs and a mandatory DPO.

Privacy by Design means data minimisation and default protection are engineered in, not patched on. Always limit collection to PII you genuinely need.

Continuity, threats & awareness

Think of business continuity like a hospital's backup generator: when the mains fail, surgery cannot pause for hours. Business Continuity Planning (BCP) is the high-level strategy that keeps critical functions alive during disruption, while Disaster Recovery Planning (DRP) is the technical subset that restores IT systems. The heart of both is the Business Impact Analysis (BIA). The BIA ranks each process by impact and sets four exam-critical metrics. MTD (Maximum Tolerable Downtime) is the longest a function can stay dead before the business is severely harmed. RTO (Recovery Time Objective) is your target to get the system technically back up. WRT (Work Recovery Time) is the extra time to clear backlogs and validate data before going live. The golden rule: RTO + WRT must be less than or equal to MTD. Separately, RPO (Recovery Point Objective) measures acceptable data loss in time — a 15-minute RPO means backups every 15 minutes.

Threats must be found before they are mitigated. Threat modeling does this proactively. STRIDE (Microsoft, 1999) enumerates six categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Attack trees map an attacker's goal at the root and branch downward into the steps and conditions needed to reach it. Remember STRIDE finds threats; DREAD only ranks already-found threats. The 2024 outline also stresses supply-chain and third-party risk (SCRM): your security is only as strong as your weakest vendor. Use SLAs, right-to-audit clauses, fourth-party (sub-supplier) review, and minimum security requirements in contracts. Finally, security awareness, training and education must be ongoing, role-based, and measurable — phishing simulations, security champions, and gamification beat one-time annual videos.

Domain 1 in the AI era (2026)

CISSP Domain 1 is about managing risk to acceptable levels — and in 2025/2026 the fastest-growing risk on most enterprise registers is AI itself. As a security and risk leader you no longer just buy AI; you must govern it across its lifecycle. Three frameworks now anchor that work, and a Domain-1 professional should know how they stack.

• NIST AI RMF — voluntary US framework with four functions: Govern, Map, Measure, Manage. Its Generative AI Profile (NIST AI 600-1) adds 12 GenAI-specific risks (hallucination, data leakage, systemic bias). NIST published a crosswalk mapping RMF subcategories to ISO clauses.
• ISO/IEC 42001:2023 — the certifiable AI Management System (AIMS) standard, the AI cousin of ISO 27001. ISO/IEC 42006:2025 (the audit/certification-body qualification standard) makes third-party certification real.
• EU AI Act — risk-tiered law with hard dates: prohibited practices and AI-literacy duties since 2 Feb 2025; general-purpose AI (GPAI) obligations since 2 Aug 2025; most high-risk and GPAI enforcement (with fines) from 2 Aug 2026. It has extraterritorial reach, so Indian firms selling into the EU are in scope.

The India angle matters most here. India's DPDP Rules 2025 were notified on 13 Nov 2025, with full applicability by 13 May 2027 — directly shaping how AI systems may process personal data (consent, purpose limitation, breach reporting). Days earlier, on 5 Nov 2025, MeitY released the India AI Governance Guidelines — a light-touch, principles-based framework (not yet binding law), overseen by an AI Governance Group chaired by the Principal Scientific Adviser.

For the risk register, treat each AI system as an asset with its own owner, classification, and AI-specific third-party/supply-chain risk: poisoned training data, opaque model provenance, and vendor model swaps you can't see.

Strengths tip: If you're strong at GRC and asset classification, AI governance is a natural extension — reuse your existing register, RACI, and third-party-risk muscle rather than building a parallel program.

The AI-era angle, in four cards

What 2026 adds to this domain — flip to see why each matters.