CompTIA Security+

Security+ domain #5: Governance, risk and compliance

Daniel Brecht
July 7, 2021 by
Daniel Brecht

CompTIA revised the Security+ exam objectives and streamlined its domains, reducing them from six to five. The aim was to better align to the latest practical knowledge required of today’s cybersecurity professionals.

This credential validates the baseline skills that current IT practitioners need to perform core security functions and tasks. 

By mastering the topics contained in the five Security+ CBK Domains, professionals prepare themselves to move forward in their careers and fill intermediate-level positions. 

Become a SOC Analyst: get Security+ certified!

Become a SOC Analyst: get Security+ certified!

More than 47,000 new SOC analysts will be needed by 2030. Get your CompTIA Security+ to leap into this rapidly growing field — backed with an Exam Pass Guarantee.

The new SY0-601 Domain 5

While the old Security+ exam (SY0-501, set to retire on July 31, 2021) listed only risk management topics under domain 5, the new version (SY0-601) of the test dedicates its last objective to an essential concept in today’s cybersecurity: governance, risk and compliance (GRC). GRC refers to how IT and business objectives are aligned and integrated to ensure that risks are effectively managed while still providing efficient business operations and compliance with all appropriate industry regulations. As we will see, the domain covers technical topics like security controls but also regulations, security policies and concepts related to privacy and the processing of sensitive data. A good place to start is with the CompTIA Security+ certification exam objectives to understand the types of questions you’ll see on the exam. Another place to start is the Infosec  Security+ certification hub.

Outline of Security+ governance, risk and compliance topics

For the exam, Security+ professionals need to be familiar with the following fundamental components of governance, risk management and compliance and demonstrate understanding of the connection and relationship they share. Next is the GRC topics breakdown, which reflects the importance of the new cybersecurity trifecta (infrastructure, operations and management) that is now at the basis of today’s digital cybersecurity world. 

Domain 5: Governance, risk and compliance

  • Compare and contrast various types of controls
  • Explain the importance of applicable regulations, standards or frameworks that impact the organizational security posture
  • Explain the importance of policies to organizational security
  • Summarize risk management processes and concepts
  • Explain privacy and sensitive data concepts concerning security

Compare and contrast various types of controls

This section tests candidates on their ability to compare and contrast various security controls (i.e., deterrent, preventive, detective, corrective, technical, administrative and physical) that professionals need to implement to prevent, identify and correct issues as they occur. 

Explain the importance of applicable regulations, standards, or frameworks that impact the organizational security posture

This section deals with one of the hot topics in today’s cybersecurity world: compliance. Testers will need to have a solid understanding of the many regulations that apply specifically to the industry their organization fits in, like PCI-DSS, SOX, HIPAA, GDPR, FISMA, NIST and CCPA as general ones like the general data protection regulation (GDPR). 

Explain the importance of policies to organizational security

In this section, candidates test on personnel, training, data handling, permissions and company policies. It spans personnel management controls such as job rotation, mandatory vacations, segregation of duties, background checks and awareness training based on the users’ roles. 

This is particularly important, as protecting digital assets entails effective technical measures in place and working on what is considered a weak link in the cybersecurity chain: the human element. Professionals, then, are tested on the importance of proper training for all users, especially employee onboarding and educating new staff; the preparation and dissemination of clear policies in outlining how to protect the organization from cyber-related threats are also covered.

The part on third-party risk management focuses on plans and procedures related to organizational security, including standard operating procedures, different types of agreements, such as service level agreements or SLA, as well as business partnership agreements (BPA). 

Summarize risk management processes and concepts

This section is the legacy of the previous test version (SY0-501) and covers risk management topics. Candidates must identify risk types and their different sources (internal vs. external, derived from legacy systems, etc.) and ways to manage them. They also need to explain the different types of threat assessments and apply risk assessment techniques such as combining the single-loss expectancy (SLE) with the annual rate of occurrence (ARO) and defining the annualized loss expectancy (ALE). 

In addition, they’ll come across critical components of the IT risk analysis process. 

Testers must summarize business impacts analysis concepts such as recovery time objective (RTO) and recovery point objective (RPO), or the mean time between failures (MTBF) and mean time to repair (MTTR). 

Identifying mission-essential functions and critical systems or explaining how a single point of failure can impact the organization is also tested in this section. 

Explain privacy and sensitive data concepts concerning security

This section deals with another important topic in today’s cybersecurity world: data classification, management and protection, and the concept of privacy. Candidates test on data types (categories such as sensitive, proprietary and public), their understanding of the information life cycle, and roles and responsibilities (such as owner, controller, steward/custodian and privacy officer). 

It covers breaches in-depth, including who to notify and their many consequences (fines, loss of reputation and clients), and privacy practices such as data destruction and media sanitization, sensitivity labeling and other privacy-enhancing technologies.

Security+'s Domain 5

Domain 5 of the new CompTIA Security+ (SY0-601) exam launched in November 2020 weighs 14% and covers a pivotal part of the knowledge required by all cybersecurity professionals. Revised to include more than merely risk management topics, it revolves around GRC and its importance for any organization. Effective implementation of GRC helps reduce risk and ensure compliance and improve control effectiveness and avoid any waste of resources supporting better business decisions.

To take the Security+ exam, register and schedule to take the test; choose the preferred testing option, either online or in-person and pay the $370 fee. 

For more on the Security+ certification, view our  Security+ certification hub.


Security+, CompTIA, Inc.

Exam Objectives, CompTIA, Inc.

Security+ Certification Training, CompTIA, Inc.

Security+ 501 vs. 601: What’s the Difference?, CompTIA, Inc.

SY0-601 vs SY0-501 Exam Objectives Comparison, CompTIA, Inc.

The NEW CompTIA Security+: Your Questions Answered, CompTIA, Inc.

The Cybersecurity Hat Trick: Infrastructure, Operations and Management, CompTIA, Inc.

Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.