
Security governance principles: What you need to know for the CISSP exam

By Jeff Peters, February 14, 2025

The Certified Information Systems Security Professional (CISSP) exam covers six security governance principles that help organizations establish a security management framework: Responsibility, Strategy, Acquisition, Performance, Conformance and Human Behavior. These guiding principles help create secure infrastructure, ensure legal compliance and establish accountability for security breaches.

Within the CISSP exam, the Security and Risk Management domain is the largest, making up 16% of the exam, so it’s crucial for exam takers to feel confident about the theories and concepts. 

For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

What are the CISSP security governance principles you need to know for the exam? 

For the CISSP exam, security professionals must understand basic principles like the CIA Triad, modern and historical regulatory acts, professional ethics concepts and more. 

The CIA Triad 

Confidentiality, integrity and availability make up the CIA Triad, a common model underlying the design of security systems. It guides controls that prevent unauthorized access, preserve data (for example, through backups) and limit exposure through the principle of least privilege. Confidentiality focuses on protecting the privacy of information; integrity ensures that data is not modified or destroyed without authorization; availability means that data and systems are accessible and usable by authorized users when they are needed.

Professional Ethics 

The CISSP code of ethics recognizes this certification is a privilege that must be earned and maintained. ISC2 members who violate this professional code of ethics are subject to action by a peer review panel, which could result in the removal of their certification. The code of ethics from ISC2 is below: 

  • Protect society, the common good, necessary public trust and confidence and the infrastructure 
  • Act honorably, honestly, justly, responsibly and legally 
  • Provide diligent and competent service to principals 
  • Advance and protect the profession 

Legal and Regulatory Acts 

For the CISSP, legal and regulatory acts have played key roles in developing modern security systems, especially as sophistication increases and cyberattacks are more frequent. 

  • The Computer Fraud and Abuse Act of 1984 – Amended in 1994, this law protects federal government computers from malicious attacks 
  • The Computer Security Act of 1987 – Developed in response to the growing reliance of the federal government on computer systems, this act established security standards and security training. 
  • National Information Infrastructure Protection Act of 1996 – Expanded protections to computer systems used for international trade or commerce, making it a crime to damage critical infrastructure. 
  • Health Insurance Portability and Accountability Act (HIPAA) – Aimed to protect individual health information and required entities like health insurers, health providers, and claims and processing agencies to disclose data breaches. 
  • Gramm-Leach-Bliley Financial Modernization Act (GLBA) – A frequently updated act, GLBA expands the protection of consumers’ personally identifiable information (PII) within the financial industry. 
  • Electronic Communications Privacy Act (ECPA) – This blanket act covers wire, oral and electronic communications in transit, at rest and while being stored. 
  • Sarbanes-Oxley Act (SOX) – Created in response to rising corporate fraud, this law regulates reporting, internal audits and business practices at publicly traded companies. 
  • Patriot Act of 2011 – This re-authorized act allows for widespread surveillance of citizens with the goal of identifying, dismantling and disrupting terrorist organizations. It calls for information sharing, access to electronic communications and “sneak and peek” searches. 

Business Continuity Planning (BCP) 

BCP is the process of maintaining and sustaining business operations with reduced infrastructure and resource capabilities in the event of a data breach, natural disaster or system malfunction. A business continuity plan is typically a formal document signed off by all major stakeholders that details the actions and processes individuals take in case of an emergency. 

The four pillars of BCP are assessment, preparedness, response and recovery. 

  • Assessment – This includes hazard identification and risk evaluation, typically through a business impact analysis (BIA). 
  • Preparedness – This includes ongoing security awareness training and simulation activities. 
  • Response – This includes both the individuals involved in crisis response and the action steps they take. 
  • Recovery – This detailed plan assigns resources and responsibilities to get systems back up and running as quickly as possible. 

How does security governance interact with risk management? 

In the CISSP exam, security and risk management are closely intertwined as they protect an organization’s information assets and detail the documentation, development and implementation of standards, procedures and guidelines. While security governance is the “who” and “how” for managing risks, risk management focuses more on the “what.” 

Risk management 

The two work hand in hand, with the security governance principles defining the standardized approach toward security and risk management processes. However, there are some crucial differences: 

  • Risk management is a more tactical process that involves the identification, measurement, control and minimization of loss. 
  • It is made up of tools such as risk analysis, overall security reviews, technical safeguards like intrusion-prevention systems, and cost-benefit analysis. 
  • It is action-oriented, meant to implement corrective measures quickly and effectively. 

Security governance 

Overall, security governance sets the foundation for effective risk management and provides high-level strategic direction. It establishes who is authorized to make decisions and specifies different accountability frameworks to ensure protocols are followed. 

  • Involves standardized practices, such as common protocols, applied consistently across the organization 
  • Has the key goal of establishing clear policies and procedures with defined roles and responsibilities 
  • Establishes strategic alignment between leadership, security standards and overall business strategy 
  • Helps organizations stay compliant with legal regulations 

What’s changed in CISSP security and risk management? 

With the 2024 update to the CISSP exam, the Security and Risk Management domain increased its weight from 15% to 16%, highlighting its increase in importance and maintaining its position as the largest domain on the exam. This domain covers professional ethics, security governance principles, different investigation types, business continuity requirements and threat modeling concepts and methodologies.

Understanding this domain is the foundation for all advanced cybersecurity knowledge and practices. 

To learn more about the latest updates to the exam, check out ISC2’s updated exam outline. 


Prep for the CISSP exam 

The CISSP is the most requested cybersecurity certification in U.S. job listings, according to CyberSeek, and it’s best for mid-career professionals with at least five years of cumulative full-time experience in two or more of the eight domains. The CISSP is a highly valuable certification with an average information security manager salary of $175,583, with variability around the role, location, experience and other factors. If you’re looking to take the next step in your career, the CISSP is an excellent addition to your resume. 

Professionals should expect several months of preparation for the CISSP exam. Learn more about Infosec’s CISSP Boot Camp for in-depth learning on security governance principles and risk management best practices. Depending on your learning style, Infosec offers in-person, live online or self-paced training taught by expert instructors. 

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.