Domain 1: Information Security Risk Management Program
1.1
Understand the foundation of an organization's information security risk management program
- Principles of information security
- Risk management frameworks (e.g., National Institute of Standards and Technology (NIST) Cybersecurity Framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization (ISO) 27001, International Organization for Standardization (ISO) 31000)
- System Development Life Cycle (SDLC)
- Information system boundary requirements
- Security controls and practices
- Roles and responsibilities in the authorization/approval process
1.2
Understand the risk management program process
- Select program management controls
- Privacy requirements
- Determine third-party hosted information systems
1.3
Understand regulatory and legal requirements
- Be familiar with governmental, organizational and international regulatory security and privacy requirements (e.g., International Organization for Standardization (ISO) 27001, Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA))
- Be familiar with other applicable security-related mandates