Uploaded on Sep 10, 2021
CompTIA Security+ SY0-601 Domain 5 Governance, Risk, and Compliance
www.infosectrain.com | [email protected]
Security+ SY0-601 Domains
There are 5 domains in the new version of Security+ (SY0-601):
• Domain 1.0: Attacks, Threats, and Vulnerabilities (24%)
• Domain 2.0: Architecture and Design (21%)
• Domain 3.0: Implementation (25%)
• Domain 4.0: Operations and Incident Response (16%)
• Domain 5.0: Governance, Risk, and Compliance (14%)
In this blog, we discuss Domain 5.0: Governance, Risk, and Compliance.
Governance, Risk, and Compliance
In the earlier version of Security+ (SY0-501), domain 5 covered only risk management. In the latest version (SY0-601), domain 5 introduces an important concept: Governance, Risk, and Compliance.
GRC (Governance, Risk, and Compliance) is the process of aligning and integrating IT and business objectives so that risks are managed effectively while the business keeps running efficiently and complies with all applicable industry laws. This domain carries 14% of the exam weight.
The topics covered in this domain are listed below:
1. Compare and contrast various types of controls
2. Explain the importance of applicable regulations, standards, or frameworks that impact the organizational security posture
3. Explain the importance of policies to organizational security
4. Summarize risk management processes and concepts
5. Explain privacy and sensitive data concepts in relation to security
1. Compare and contrast various types of controls
This part tests candidates' ability to analyze and compare various security controls. In this subdomain, we cover the categories of controls (Managerial, Operational, Technical) and become familiar with the types of controls: Preventive, Detective, Corrective, Deterrent, Compensating, Physical.
2. Explain the importance of applicable regulations, standards, or frameworks that impact the organizational security posture
In this subdomain, we learn about various regulations, standards, and legislation. This part covers the General Data Protection Regulation (GDPR); national, territory, and state laws; and the Payment Card Industry Data Security Standard (PCI DSS).
This part also explains the key security frameworks. Inside this part we cover the following topics:
• Center for Internet Security (CIS)
• National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF)
• International Organization for Standardization (ISO) 27001/27002/27701/31000
• SSAE SOC 2 Type I/II
• Cloud Security Alliance
• Explanation of the Cloud Control Matrix
In this part, we also learn about benchmarks/secure configuration guides and platform/vendor-specific guides for web servers, operating systems, application servers, and network infrastructure devices.
3. Explain the importance of policies to organizational security
In this subdomain, you will understand personnel management controls, third-party risk management, data policies, credential policies, organizational policies, and the diversity of training techniques. Under personnel management controls we cover topics such as Acceptable use policy, Job rotation, Mandatory vacation, Separation of duties, Least privilege, Clean desk space, Background checks, Non-disclosure agreement (NDA), Social media analysis, Onboarding, Offboarding, User training, Gamification, Capture the flag, Phishing campaigns, Phishing simulations, and Computer-based training (CBT).
Third-party risk management focuses on the various types of agreements, such as the Service level agreement (SLA) and the Business partnership agreement (BPA). This part also covers topics like Supply chain, Memorandum of understanding (MOU), and End of service life (EOSL).
4. Summarize risk management processes and concepts
Many companies have proper risk management policies and processes in place to fulfill regulatory obligations and keep their operations safe. In this subdomain, we summarize the concepts of risk management. We cover the types of risk, such as External risk, Internal risk, Legacy systems, Multiparty, IP theft, and Software compliance/licensing, and the risk management strategies: Acceptance, Avoidance, Transference, and Cybersecurity insurance. We also learn to define Risk analysis, Risk register, Risk control assessment, Single-Loss Expectancy (SLE), Annualized Loss Expectancy (ALE), and Annualized Rate of Occurrence (ARO). Finally, we understand the concepts of Business impact analysis (BIA): Recovery Time Objective (RTO), Recovery Point Objective (RPO), Mean Time To Repair (MTTR), Mean Time Between Failures (MTBF), Disaster Recovery Plan (DRP), Mission essential functions, and Identification of critical systems.
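The SLE, ALE and ARO terms listed above are the quantitative part of risk analysis, and the exam expects you to be able to apply them. The following Python script is an added worked example (not from the InfosecTrain slides or the CompTIA objectives) that builds a small risk register with the standard definitions SLE = asset value × exposure factor and ALE = SLE × ARO, ranks the register by ALE, and performs a simple risk control assessment by comparing the ALE a control removes against its annual cost. All asset values, factors, control costs and risk names are constructed sample data.

```python
"""Quantitative risk analysis helpers for a small risk register.

Added illustration, not code from the InfosecTrain slides. It uses the
standard Security+ definitions:
    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
and scores a proposed control by the ALE it removes minus its annual cost.
Every figure below is constructed sample data, not a real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost per incident (0..1)
    aro: float              # ARO: expected incidents per year

    def __post_init__(self):
        # An exposure factor outside 0..1 is a data-entry error, not a risk.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in 0..1")

    def sle(self) -> float:
        """Single-Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def rank_register(register):
    """Return the register ordered by ALE, highest first, which is the order
    a risk register presents entries for treatment decisions."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def control_value(risk, residual_aro, annual_control_cost):
    """Risk control assessment: ALE reduction minus the control's annual cost.

    A positive result means the control pays for itself (mitigation);
    a negative result suggests acceptance or transference (e.g. insurance)
    instead. residual_aro is the ARO expected after the control is in place.
    """
    residual = Risk(risk.name, risk.asset_value, risk.exposure_factor, residual_aro)
    return risk.ale() - residual.ale() - annual_control_cost


# Constructed sample register (hypothetical assets and estimates).
SAMPLE_REGISTER = [
    Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2),
    Risk("laptop theft", asset_value=2_500, exposure_factor=1.0, aro=4.0),
    Risk("legacy ERP outage", asset_value=500_000, exposure_factor=0.1, aro=0.5),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.name:28s} SLE={r.sle():>10,.0f}  ALE={r.ale():>10,.0f}")
    # Assess an offline-backup control that is assumed to cut ransomware ARO
    # from 0.2 to 0.05 and costs 8,000 per year to operate.
    print("backup control net value:", control_value(SAMPLE_REGISTER[0], 0.05, 8_000))
```

Note that the ranking is by ALE rather than SLE: the laptop-theft entry has by far the smallest single loss but is not the smallest annual exposure, which is exactly why the exam distinguishes the two figures.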
5. Explain privacy and sensitive data concepts in relation to security
In this subdomain, we understand the organizational consequences of privacy and data breaches: Reputation damage, Identity theft, Fines, and IP theft. We also get an in-depth understanding of data types and the classifications of data: Public, Private, Sensitive, Confidential, Critical, Proprietary. We learn about privacy-enhancing technologies such as Data minimization, Data masking, Tokenization, Anonymization, and Pseudo-anonymization. We get familiar with roles and responsibilities: Data owners, Data controller, Data custodian/steward, and Data Protection Officer (DPO). We also cover the Information life cycle, Impact assessment, Terms of agreement, and Privacy notice.
Learn Security+ With Us
InfosecTrain is a leading IT security training and consulting organization, focusing on a wide range of IT security training. The training sessions are delivered by highly qualified, professional trainers with years of industry experience, whom you can easily interact with to clear your doubts anytime. If you are interested in live online training, InfosecTrain provides the best online Security+ certification training. You can check and enroll in our CompTIA Security+ Online Certification Training to prepare for the certification exam.
About InfosecTrain
• Established in 2016, we are one of the finest Security and Technology Training and Consulting companies
• Wide range of professional training programs, certifications & consulting services in the IT and Cyber Security domain
• High-quality technical services, certifications or customized training programs curated with professionals of over 15 years of combined experience in the domain
Our Endorsements
Why InfosecTrain Global Learning Partners
• Certified and Experienced Instructors
• Flexible modes of Training
• Access to the recorded sessions
• Post training completion
• Tailor Made Training
Our Trusted Clients
Contact us
Get your workforce reskilled by our certified and experienced instructors!
IND: 1800-843-7890 (Toll Free) / US: +1 657-221-1127 / UK: +44 7451 208413
[email protected]
www.infosectrain.com