# Domain 1 - Index

Domain 1 covers governance, risk, compliance (GRC), ethics, and foundational security principles that guide policies, roles, frameworks, and business continuity across the enterprise.

## Concepts

1. [[CIA Triad]]
2. [[Security Governance]]
3. [[Security Policy Hierarchy]]
4. [[Due Care vs Due Diligence]]
5. [[Security Roles and Responsibilities]]
6. [[Risk Management Lifecycle]]
7. [[Threat vs Vulnerability vs Risk]]
8. [[Risk Appetite, Tolerance, Capacity]]
9. [[Risk Assessment: Qualitative vs Quantitative]]
10. [[Risk Analysis Metrics: SLE, ARO, ALE]]
11. [[Risk Response Strategies]]
12. [[Control Types and Categories]]
13. [[Security Control Assessment and Assurance]]
14. [[Governance vs Management]]
15. [[Security Culture and Awareness]]
16. [[Acceptable Use Policy (AUP)]]
17. [[Data Classification (Governance Overview)]]
18. [[Legal Systems: Common, Civil, Religious, Customary]]
19. [[Intellectual Property (IP) Basics]]
20. [[Licensing Models and Agreements]]
21. [[Privacy Principles and Data Protection]]
22. [[Ethics: (ISC)² Code of Ethics]]
23. [[Ethics: IAB RFC 1087 and ACM Code]]
24. [[Computer Crime Categories and Laws]]
25. [[Compliance and Regulatory Concepts]]
26. [[Threat Modeling Basics (STRIDE)]]
27. [[Attack Surface, Exposure, and Attack Vectors]]
28. [[Business Impact Analysis (BIA)]]
29. [[RTO, RPO, WRT]]
30. [[NIST Risk Management Framework (RMF)]]
31. [[NIST SP 800-53 Security Controls]]
32. [[NIST SP 800-30 Risk Assessment]]
33. [[ISO IEC 27001 ISMS]]
34. [[ISO IEC 27002 Security Controls]]
35. [[ISO IEC 27005 Risk Management]]
36. [[ISO 31000 Risk Management Principles]]
37. [[COBIT Governance]]
38. [[COSO ERM]]
39. [[Business Continuity Management (BCP)]]
40. [[Disaster Recovery Planning (DRP)]]
41. [[Backup Strategies (Full, Incremental, Differential)]]
42. [[Redundancy and Resilience (HA, Clustering, FT)]]
43. [[Disaster Recovery Sites (Hot, Warm, Cold)]]
44. [[BCP DR Testing Methods]]
45. [[Incident Response Overview (NIST 800-61)]]
46. [[Evidence and Chain of Custody]]
47. [[eDiscovery and Data Retention]]
48. [[Security Audits and Assessment Types]]
49. [[Third-Party Risk Management (TPRM)]]
50. [[Supply Chain Risk Management (SCRM)]]
51. [[Contracts, SLAs, OLAs, MOUs]]
52. [[Cyber Insurance and Risk Financing]]
53. [[Security Metrics, KPIs, KRIs]]
54. [[Risk Register and Reporting]]
55. [[Inherent, Residual, Total Risk]]
56. [[Security Control Baselines and Tailoring]]
57. [[Professional Ethics Scenarios]]
58. [[Security Strategy and Roadmap]]
59. [[Information Security Program Charter]]
60. [[Policy Exception Management]]

> Also see: [[MOC - CISSP]]