Overview
Domain 5 addresses the management, governance, and oversight aspects of a security program. At 20% of the exam, it covers risk management, compliance, policies, awareness training, privacy, and business continuity. This domain focuses on the organizational side of security — how programs are designed, measured, and maintained.
Exam Weight
20% — approximately 18 questions out of 90.
Topics
| Topic | Note | Key Focus |
|---|---|---|
| Governance | governance | Security frameworks, oversight, roles |
| Risk Management | risk-management | Risk identification, mitigation, transfer, acceptance |
| Business Impact Analysis | business-impact-analysis | MTD, RTO, RPO, critical function identification |
| Risk Assessment | risk-assessment | Qualitative, quantitative, likelihood, impact |
| Third-Party Risk | third-party-risk | Vendor assessment, SLA, supply chain, SOC reports |
| Compliance | compliance | Regulatory requirements, audit readiness |
| Regulations & Frameworks | regulations-and-frameworks | GDPR, HIPAA, PCI-DSS, NIST, ISO 27001 |
| Security Policies | security-policies | AUP, password policy, data handling, standards |
| Security Awareness Training | security-awareness-training | Phishing simulations, role-based training |
| Data Classification | data-classification | Public, internal, confidential, restricted, labeling |
| Privacy | privacy | PII, PHI, data minimization, consent, GDPR rights |
| Audits & Assessments | audits-and-assessments | Internal/external audits, SOC 2, attestation |
| Business Continuity | business-continuity | BCP, continuity of operations, succession planning |
| Disaster Recovery | disaster-recovery | DRP, hot/warm/cold sites, backup strategies |
Cross-Domain Connections
- risk-management integrates with Domain 4’s vulnerability-management to prioritize remediation based on risk
- security-awareness-training directly addresses Domain 1’s social-engineering and human-based attack-vectors
- compliance and regulations-and-frameworks mandate the technical controls implemented in Domain 3 (encryption, dlp, data-protection)
- business-continuity and disaster-recovery depend on Domain 3’s resilience-and-redundancy architecture
- third-party-risk connects to Domain 3’s cloud-security and shared responsibility models
- governance sets the policies that Domain 4’s incident-response and hardening procedures follow
- data-classification drives Domain 3’s dlp and data-protection controls
- threat-actors from Domain 1 are a key input to risk-assessment and risk-management decisions