Security+ Domain 5 covers governance, risk management, compliance, and security awareness. It is less technical than the other domains, but it requires an understanding of organizational security: frameworks, policies, third-party risk, and audit processes.
Questions: ~18 questions
Concepts: 36 total
Difficulty: Foundation
Study Time: 1-2 weeks
Objectives: 6 objectives
Understanding how security is governed within organizations.
Key Concepts
Governance Structures
Organizational frameworks including boards, committees, and government entities that oversee security.
Roles and Responsibilities
Defining security roles: owners, controllers, processors, custodians, and data stewards.
Security Policies
Acceptable use policies, information security policies, business continuity plans, disaster recovery, and incident response policies.
Standards and Procedures
Implementing security standards including password standards, access control standards, physical security, and encryption standards.
External Considerations
Regulatory requirements, legal obligations, industry-specific guidance, and geographic considerations.
Monitoring and Revision
Ongoing governance activities including policy review, exception management, and continuous improvement.
Exam Tip
Know the hierarchy: policies → standards → procedures → guidelines. Policies are broad, standards are specific requirements, procedures are how-to steps, guidelines are suggestions.
Identifying, assessing, and treating organizational risks.
Key Concepts
Risk Identification
Finding potential threats and vulnerabilities through ad hoc methods, recurring assessments, and continuous monitoring.
Risk Assessment
Evaluating likelihood and impact using risk registers, risk matrices, and heat maps.
Risk Analysis Methods
Quantitative analysis (SLE, ARO, ALE calculations) vs qualitative analysis (high/medium/low ratings).
Risk Response Strategies
Risk treatment options: transfer, accept, avoid (exemption), and mitigate risks.
Risk Thresholds
Defining risk appetite, risk tolerance, and key risk indicators (KRIs) for organizational decision-making.
Risk Reporting
Communicating risk status to stakeholders through reports, dashboards, and risk summaries.
Business Impact Analysis
Assessing the impact of disruptions including RTO, RPO, MTTR, and MTBF calculations.
Exam Tip
Know the risk calculations: SLE × ARO = ALE. Understand when to use quantitative (when data exists) vs qualitative (when data is limited) analysis.
Managing security risks from vendors, suppliers, and partners.
Key Concepts
Vendor Assessment
Evaluating vendor security through penetration testing, right-to-audit clauses, evidence of internal audits, and supply chain analysis.
Vendor Selection
Due diligence and due care in selecting vendors. Evaluating vendor security posture and capabilities.
Agreement Types
Service level agreements (SLA), memorandum of understanding (MOU), memorandum of agreement (MOA), and master service agreements (MSA).
Vendor Monitoring
Ongoing assessment through performance reviews, security assessments, and compliance verification.
Vendor Questionnaires
Using security questionnaires to assess vendor controls and compliance status.
Compliance Considerations
Rules of engagement, risk ownership, data ownership, and exit strategies for vendor relationships.
Exam Tip
Third-party risk is heavily emphasized in SY0-701. Know the difference between SOC 1 (financial controls), SOC 2 (security controls), and SOC 3 (public summary).
Meeting regulatory and standards requirements.
Key Concepts
Compliance Reporting
Internal and external reporting requirements. Compliance documentation and evidence collection.
Privacy Requirements
Data subject rights, privacy notices, consent management, and breach notification requirements.
Regulatory Frameworks
Understanding GDPR, HIPAA, PCI DSS and their specific requirements.
Compliance Consequences
Understanding fines, penalties, sanctions, reputational damage, and loss of license for non-compliance.
Compliance Monitoring
Attestation and acknowledgment processes. Continuous compliance verification.
Privacy Technologies
Implementing privacy-enhancing technologies and data protection measures.
Exam Tip
Know which regulation applies to which industry: HIPAA = healthcare, PCI DSS = payment cards, FISMA = federal government, SOX = public companies. Understand GDPR's broad scope.
Different methods for evaluating security controls and compliance.
Key Concepts
Audit Types
Internal audits vs external audits, and attestation processes.
Assessment Methods
Self-assessments, third-party assessments, and independent assessments.
Penetration Testing
Physical, offensive (red team), defensive (blue team), and integrated (purple team) testing approaches.
Exam Tip
Know the differences: vulnerability scan (automated, finds weaknesses), penetration test (manual, exploits weaknesses), red team (full adversary simulation, includes social engineering).
Training users to recognize and respond to security threats.
Key Concepts
Phishing Awareness
Training and simulations including phishing campaigns, recognizing phishing attempts, and reporting suspicious communications.
Anomalous Behavior Recognition
Training users to recognize and report risky behavior, unexpected behavior, and unintentional violations.
User Guidance
Policy and handbooks, situational awareness, insider threat awareness, and operational security (OPSEC) training.
Social Engineering Awareness
Training on social engineering techniques including pretexting, vishing, and impersonation attacks.
Training Methods
Different training delivery approaches including computer-based training, gamification, and role-based training.
Training Metrics
Measuring training effectiveness through development and execution metrics, phishing click rates, and reporting rates.
Exam Tip
Security awareness goes beyond training—it's about building culture. Know metrics for measuring effectiveness: phishing click rates, reporting rates, policy compliance.
Performance-based questions (PBQs) for this domain typically cover:
It's different, not necessarily easier. While questions tend to be more straightforward, the breadth of content is significant. You need to memorize many frameworks, regulations, and their purposes. Technical people sometimes find this domain harder because it's less intuitive.
Know the major ones: GDPR (EU privacy), HIPAA (healthcare), PCI DSS (payment cards), SOX (public companies), FISMA (government). Understand what each regulates and its key requirements, but you don't need to memorize every detail.
Know these formulas: Asset Value × Exposure Factor = SLE (Single Loss Expectancy). SLE × ARO (Annualized Rate of Occurrence) = ALE (Annualized Loss Expectancy). Practice applying these in scenarios.
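A worked version of the two formulas from the Risk Management exam tip and the answer above, as an added example that is not part of the original study guide: a small quantitative risk register that computes SLE and ALE for each entry, sorts by ALE, and compares each ALE against an assumed organizational risk tolerance to suggest a treatment. The asset values, exposure factors, ARO figures and the tolerance threshold are constructed sample data, and the accept-or-mitigate rule is an assumption for illustration, not an exam-defined rule.

```python
# Added example (not from the original page): quantitative risk register.
#   SLE = Asset Value x Exposure Factor
#   ALE = SLE x ARO
# All figures below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float       # value of the asset in dollars
    exposure_factor: float   # fraction of the asset lost per incident (0.0-1.0)
    aro: float               # Annualized Rate of Occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: expected loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle * self.aro


def suggest_treatment(risk: Risk, tolerance: float) -> str:
    """Assumed rule: an ALE at or below the tolerance is accepted; anything
    above it is flagged for mitigation or transfer (e.g. insurance)."""
    return "accept" if risk.ale <= tolerance else "mitigate or transfer"


def build_register(risks, tolerance):
    """Return register rows ordered from highest to lowest ALE."""
    return [
        {"risk": r.name, "sle": r.sle, "ale": r.ale,
         "treatment": suggest_treatment(r, tolerance)}
        for r in sorted(risks, key=lambda r: r.ale, reverse=True)
    ]


# Constructed sample risks (hypothetical figures)
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 500_000, 0.40, 0.5),
    Risk("Laptop theft", 2_000, 1.00, 3.0),
    Risk("Data center flood", 10_000_000, 0.25, 0.01),
]
RISK_TOLERANCE = 20_000  # assumed annual loss the organization accepts per risk

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, RISK_TOLERANCE):
        print(f"{row['risk']:<28} SLE=${row['sle']:>12,.0f} "
              f"ALE=${row['ale']:>10,.0f} -> {row['treatment']}")
```

Note how the flood scenario has by far the largest SLE but a small ALE because it is rare; ALE, not SLE, is what the register ranks on.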
Security awareness is emphasized because it's one of the most cost-effective security controls. Expect questions about phishing simulations, training effectiveness metrics, and building security culture.
Memorize key frameworks (NIST, ISO 27001) and their purposes. Create flashcards for regulations and their applicability. This domain rewards recognition over analysis.