Information Security Governance and Risk Management

Duration 03:00 4201 Views



Hello and Welcome to Lesson 1 of CISSP Certification Course by SimpliLearn! This lesson is about Information Security Governance and Risk Management.

This lesson is about the understanding of Information Security Governance and Risk Management which is one of the ten domains of the Common Body of Knowledge (CBK) for the CISSP exam.

As security professionals our job is to evaluate risks against our critical assets and deploy safeguards to mitigate them. CISSP online Training offered by Simplilearn equips professionals with all the necessary skill sets. We work in various roles as firewall engineers, penetration testers, auditors, management and the like. The common thread is risk: It is part of our job description.

Information Security Governance and Risk Management involves the identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability.

Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security controls can be implemented.

Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation and effectiveness review.

In short, this domain focuses on risk analysis and mitigation. It also details security governance or the organizational structure required for a successful information security program.

The difference between organizations that are successful and those that fail is usually not tied to dollars or staff size.  It is tied to the right people in the right roles. Knowledgeable and experienced information security staff and supportive and vested leadership are the keys to success.


The objective of (ISC) 2 for this domain is that aspirants of CISSP training are expected to understand the areas of security management concerned with identifying and securing company information which basically includes planning, organization, and roles of individuals in identifying and securing an organization’s information assets

He is also expected to understand how to create and structure guidelines, standards and procedures in support of information security policy. The development and use of policies stating management’s views and position on particular topics and the use of guidelines, standards, and procedures to support the policies