1.1 | Understand, adhere to, and promote professional ethics (2-4 items) |
1.2 | Understand and apply security concepts |
1.3 | Evaluate, apply, and sustain security governance principles |
1.4 | Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context |
1.4.1 | Cybercrimes and data breaches |
1.4.2 | Licensing and Intellectual Property requirements |
1.4.3 | Import/export controls |
1.4.4 | Transborder data flow |
1.4.5 | Issues related to privacy (e.g., GDPR, California Consumer Privacy Act, Personal Information Protection Law, Protection of Personal Information Act) |
1.4.6 | Contractual, legal, industry standards, and regulatory requirements |
1.5 | Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards) |
1.6 | Develop, document, and implement security policy, standards, procedures, and guidelines |
1.7 | Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements |
1.7.1 | Business impact analysis (BIA) |
1.7.2 | External dependencies |
1.8 | Contribute to and enforce personnel security policies and procedures |
1.8.1 | Candidate screening and hiring |
1.8.2 | Employment agreements and policy-driven requirements |
1.8.3 | Onboarding, transfers, and termination processes |
1.8.4 | Vendor, consultant, and contractor agreements and controls |
1.9 | Understand and apply risk management concepts |
1.9.1 | Threat and vulnerability identification |
1.9.2 | Risk analysis, assessment, and scope |
1.9.3 | Risk response and treatment (e.g., cybersecurity insurance) |
1.9.4 | Applicable types of controls (e.g., preventive, detection, corrective) |
1.9.5 | Control assessments (e.g., security and privacy) |
1.9.6 | Continuous monitoring and measurement |
1.9.7 | Reporting (e.g., internal, external) |
1.9.8 | Continuous improvement (e.g., risk maturity modeling) |
1.9.9 | Risk frameworks (e.g., ISO, NIST, COBIT, SABSA, PCI) |
1.10 | Understand and apply threat modeling concepts and methodologies |
1.11 | Apply supply chain risk management (SCRM) concepts |
1.11.1 | Risks associated with the acquisition of products and services from suppliers and providers (e.g., product tampering, counterfeits, implants) |
1.11.2 | Risk mitigations (e.g., third-party assessment and monitoring, minimum security requirements, service level requirements, isolation of root of trust, physically unclonable function, software bill of materials) |
1.12 | Establish and maintain a security awareness, education, and training program |
1.12.1 | Methods and techniques to increase awareness and training (e.g., social engineering, phishing, security champions, gamification) |
1.12.2 | Periodic content reviews to include emerging technologies and trends (e.g., cryptocurrency, AI, blockchain) |