This guide covers the Security+ SY0-701 Domain 5 topics that connect technical controls to business oversight. Instead of only memorizing terms, focus on why an organization chooses a control, how it measures risk, how it proves compliance, and how policies shape daily security operations. Use this page with the complete Security+ objectives guide and the Security+ practice exam.
Risk Assessment
Risk management is the process of identifying, assessing, and prioritizing risks to minimize their impact.
- Qualitative vs. Quantitative: qualitative assessment uses subjective scales (High/Medium/Low), while quantitative assessment uses numerical data (SLE, ALE, ROI).
- Risk Register: A central repository for all identified risks, their severity, owners, and mitigation plans.
- Risk Treatment: The strategies for handling a risk are Avoid, Transfer (e.g., insurance), Mitigate (apply controls), or Accept.
Compliance Frameworks
Organizations must adhere to various standards and regulations depending on their industry and location.
- GDPR & CCPA: Regulations focused on data privacy and user rights for EU and California residents.
- HIPAA: US standard for protecting sensitive patient health information.
- PCI DSS: Security standards for organizations that handle branded credit cards.
- NIST & ISO: Frameworks (like NIST CSF or ISO 27001) providing best practices for information security management.
Security Policies
Policies are high-level statements of management intent. They guide the behavior of employees and the configuration of systems.
- AUP (Acceptable Use Policy): Defines proper use of company assets and networks.
- NDA (Non-Disclosure Agreement): A legal contract that identifies the confidential material the parties share and restricts its disclosure to others.
- Personnel Policies: Mandatory vacations, separation of duties, and background checks to reduce insider threats.
Security Governance
Governance defines who makes security decisions, how those decisions are documented, and how the program stays aligned with business goals. For Security+, be ready to distinguish high-level direction from implementation detail.
| Document | Purpose | Exam clue |
|---|---|---|
| Policy | Management's required direction. | Broad statement such as acceptable use or data classification. |
| Standard | Mandatory technical or procedural baseline. | Password length, encryption level, image baseline, or approved protocol. |
| Procedure | Step-by-step task instructions. | How to onboard a user, revoke access, or restore a backup. |
| Guideline | Recommended practice that allows judgment. | Preferred configuration or recommended hardening approach. |
| Exception | Approved deviation with justification and expiration. | Temporary business need that cannot meet the standard yet. |
Risk Metrics and Business Impact
Security+ scenarios often describe a business requirement and ask which risk or continuity metric best applies. Memorize the formulas, but also understand what each metric tells leadership.
SLE, ARO, and ALE
SLE is the expected loss from one event. ARO is how often the event is expected per year. ALE = SLE x ARO, which helps justify control spending.
RTO and RPO
RTO is how quickly service must be restored. RPO is the maximum acceptable data loss window. These guide backup and disaster recovery choices.
MTTR, MTBF, and MTTD
MTTR measures repair time, MTBF measures reliability between failures, and MTTD measures how quickly incidents are detected.
Risk appetite
Risk appetite is the level of risk leadership is willing to accept. Controls should reduce risk to a level that matches that appetite, not eliminate every risk at any cost.
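The following added example (not part of the original guide) applies the metrics above to a constructed ransomware scenario: ALE before and after a proposed control, whether the control pays for itself, and whether two backup schedules meet a stated RPO and RTO. All figures are assumptions, and the availability formula MTBF / (MTBF + MTTR) is a standard addition not stated on the page.

```python
# Added worked example, not from the original guide. The scenario figures
# (loss, frequency, control cost, backup timings) are constructed.

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from one risk."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float,
                        annual_control_cost: float) -> float:
    """Annual value of a control: ALE reduction minus the control's yearly cost.
    A positive result means the control is financially justified."""
    return (ale_before - ale_after) - annual_control_cost


def continuity_check(backup_interval_h: float, restore_time_h: float,
                     rpo_h: float, rto_h: float) -> dict:
    """RPO: worst-case data loss is the time since the last backup, so the
    backup interval must not exceed the RPO. RTO: restore time must fit."""
    return {
        "meets_rpo": backup_interval_h <= rpo_h,
        "meets_rto": restore_time_h <= rto_h,
    }


def availability(mtbf_h: float, mttr_h: float) -> float:
    """Steady-state availability from reliability (MTBF) and repair time (MTTR)."""
    return mtbf_h / (mtbf_h + mttr_h)


def ransomware_scenario() -> dict:
    """Constructed scenario: a file server, a ransomware risk, and a proposed control."""
    sle = 50_000.0          # expected loss from one incident (assumed)
    aro_before = 0.5        # once every two years (assumed)
    aro_after = 0.125       # once every eight years with the control (assumed)
    control_cost = 8_000.0  # annual cost of immutable backups + EDR (assumed)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": control_net_benefit(ale_before, ale_after, control_cost),
        "nightly_backups": continuity_check(24, 6, rpo_h=1, rto_h=4),
        "hourly_snapshots": continuity_check(1, 2, rpo_h=1, rto_h=4),
        "availability": round(availability(2000, 4), 4),
    }
```

A negative net benefit means the control costs more per year than the loss it prevents, which is the case where leadership may choose to accept or transfer the risk instead.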
Third-Party Risk Management
Vendors, managed service providers, cloud platforms, and business partners can introduce risk even when the organization's internal controls are strong. For exam questions, look for due diligence before a relationship starts and ongoing monitoring after the contract is signed.
- Due diligence: Review the vendor's security posture, financial stability, certifications, breach history, and data handling practices.
- Contract requirements: Define security responsibilities, breach notification timelines, audit rights, data ownership, and termination procedures.
- Service-level agreements: Set measurable uptime, response, recovery, support, and reporting expectations.
- Continuous monitoring: Reassess vendor risk with questionnaires, evidence reviews, vulnerability disclosures, and performance reports.
- Offboarding: Confirm account removal, data return or destruction, certificate revocation, and access termination.
Data Privacy
Protecting sensitive data is a core component of GRC. This involves classification, handling, and retention.
Data Types
- PII: Personally Identifiable Information (name, SSN).
- PHI: Protected Health Information (medical records).
- IP: Intellectual Property (trade secrets).
Controls
- Classification: Labeling data by sensitivity (Public, Confidential, Restricted).
- DLP: Data Loss Prevention tools that detect and block unauthorized exfiltration.
- Sovereignty: The principle that data is subject to the laws of the country in which it is stored or processed.
Audits, Compliance, and Evidence
Compliance is not the same as security, but compliance programs give organizations a way to prove that required controls are designed, implemented, and operating. Security+ questions usually test whether you know the right evidence or assessment activity for a situation.
- Internal audit: Performed by the organization to prepare for an external review or check control performance.
- External audit: Performed by an independent party for regulatory, contractual, or certification purposes.
- Evidence: Logs, access reviews, training records, change tickets, vulnerability reports, policy approvals, and incident records.
- Gap analysis: Compares current controls against a target standard or framework to identify missing requirements.
- Corrective action plan: Documents ownership, deadlines, and remediation steps for audit findings.
Security Awareness and Training
Awareness programs reduce human risk by making secure behavior expected, measurable, and repeatable. A strong program uses role-based training, phishing simulations, new-hire onboarding, annual refreshers, and targeted reminders after incidents.
General users
Phishing, password managers, MFA, acceptable use, reporting suspicious activity, and data handling.
Privileged users
Administrative access, change control, logging expectations, secure remote access, and separation of duties.
Executives
Business risk, regulatory exposure, incident communication, third-party risk, and approval of security priorities.
Exam Readiness Checklist
- Explain the difference between a policy, standard, procedure, guideline, and exception.
- Choose the correct risk treatment: accept, avoid, transfer, or mitigate.
- Use SLE, ARO, ALE, RTO, and RPO in short business scenarios.
- Identify evidence that supports audit, compliance, and control validation.
- Match data types such as PII, PHI, and intellectual property to appropriate handling controls.
- Recognize third-party risk controls such as due diligence, SLAs, right-to-audit clauses, and offboarding.
- Connect security awareness training to phishing, social engineering, and insider-risk reduction.