| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 2.2 - Understand & Apply Risk Management Concepts (Part 4 of 5)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues risk management in Domain 1 by getting into the math and the taxonomy of controls. Part 4 of 5 makes safeguard selection concrete — how to prove a control is worth its cost, what else belongs in the decision, and how the exam expects you to categorize and classify every control you deploy.
What this episode covers
- Is the safeguard worth it — comparing pre-safeguard and post-safeguard annual loss expectancy against full ownership cost.
- The cost-benefit formula — pre-ALE minus post-ALE minus annual cost; favor the largest positive value.
- What else matters in selection — controls that are testable, tamperproof, secrecy-independent, and tied to business need.
- Control categories — administrative, technical or logical, and physical, layered as defense in depth.
- The seven functional types — prevent, detect, correct, recover, deter, direct, and compensate, with overlap between them.
- Preventive and detective controls — stopping unwanted activity before it happens versus discovering it after.
- Corrective and recovery controls — fixing the small stumble right away versus restoring after the hard fall.
- Compliance testing — auditing that confirms every required control is deployed and working as intended.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How do you calculate whether a safeguard is worth it?
Take the pre-safeguard annual loss expectancy, subtract the post-safeguard annual loss expectancy, then subtract the annual cost of the safeguard — the result is the value of that safeguard to the organization. The annual cost is more than the sticker price, covering purchase, implementation, maintenance, training, and lost productivity. A negative result means the safeguard costs more than it saves, a positive result is your annual savings, and the largest positive value marks the most cost-effective option.
What else matters when choosing a countermeasure?
Several practical qualities beyond the math. The cost should be less than both the asset value and the benefit it provides, and a good countermeasure solves a real, identified problem rather than a fashionable one. Its protection should not depend on secrecy, and it should be testable, consistent across users and systems, and tamperproof, with overrides limited to privileged operators. Above all, it must support a genuine business need.
How are controls grouped by category?
Into three families that work in layers. Administrative controls are the policies and procedures, like hiring practices, background checks, data classification, and security training. Technical controls, also called logical controls, are the hardware and software mechanisms, like encryption, firewalls, access control lists, and authentication. Physical controls protect the facility and real-world objects, like guards, fences, locked doors, and cameras — and the three layer together into defense in depth.
What are corrective and recovery controls?
The controls that restore normal operation. A corrective control modifies the environment to fix a problem right after an incident, like antimalware quarantining a virus or a system rebooting to clear an attack. A recovery control extends that idea to bigger damage, restoring resources and capabilities after a serious violation — backups and restores, server clustering, system imaging, and alternate processing sites for disaster recovery.
What are deterrent, directive, and compensating controls?
A deterrent control discourages violations by convincing people not to act, like warning banners, visible guards, or security cameras. A directive control channels behavior toward compliance, like posted policies, exit signs, and supervision. A compensating control is a backup option that supports or substitutes for another control — like a backup that restores a file when a preventive control failed to stop its deletion — filling the gaps the primary controls leave open.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 2.2 - Understand & Apply Risk Management Concepts (Part 4 of 5).