Governance, compliance, and the risk concepts that underpin every other domain.
1.1 Core concepts
The foundational definitions the rest of the domain builds on.
Security fundamentals
- The CIA triad — confidentiality · integrity · availability — plus authenticity and non-repudiation.
- Governance versus management — the board sets direction and oversight; management executes.
Due care and due diligence
- Due diligence is the research; due care is acting on it — the “prudent person” standard.
- Map controls back to a recognised framework — ISO/IEC 27001 · NIST CSF · COBIT.
1.2 Risk management
Identifying, assessing, and treating information risk.
Risk concepts
- Inherent versus residual risk; risk appetite versus tolerance.
- Quantitative terms — SLE (single loss expectancy) · ARO (annual rate of occurrence) · ALE = SLE × ARO.
Risk treatment
- Treat each risk explicitly — accept · avoid · transfer · mitigate — then monitor the residual.
- A control has cost; spend in proportion to the asset value and the exposure.