Information Security and Risk Management


The Information Security and Risk Management domain encompasses the following topics:

  • Security management: The identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability.

  • Risk management: The identification, measurement, control, and minimization of loss associated with uncertain events or risks, including overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, safeguard implementation, and effectiveness review.

This domain is covered in Chapter 6. Major topics include:

  • Security management concepts and principles

  • Change control and change management

  • Information and data classification

  • Employment policies and practices

  • Policies, standards, guidelines, and procedures

  • Individual roles and responsibilities

  • Security awareness training

  • Security management planning




CISSP For Dummies
ISBN: 0470537914
EAN: 2147483647
Year: 2004
Pages: 242
