
CompTIA Security+ Domain 5: Security Program Management & Oversight

20% of the SY0-701 exam

About this domain

Where the other four domains are hands-on, Security Program Management & Oversight zooms out to the governance level, and it carries 20% of the SY0-701 exam. Instead of configuring a firewall or analyzing malware, here you are asked who signs off on policy, how risk gets measured and treated, and what a contract must say before data ever reaches a vendor. The exam tests whether you can tell a policy from a standard, procedure, or guideline, and whether you understand the governance roles and data roles (controller, processor, custodian, and steward) that decide who is accountable for what.

Risk management is heavily quantitative. Expect to calculate SLE, ARO, and ALE, weigh risk responses such as accept, avoid, transfer, and mitigate, and recognize when buying cyber insurance is a transfer decision rather than a fix. Business impact terms like RTO, RPO, MTTR, and MTBF show up alongside third-party agreements, where you must match the right document (MOU, MSA, SOW, BPA, or an SLA with uptime penalties) to the right situation.
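As an added example (not part of this study page), the SLE and ALE arithmetic and the accept/mitigate/transfer comparison described above, in Python. Every monetary figure, the exposure factor, the control cost and the insurance terms are constructed sample values, and the comparison deliberately leaves out "avoid", which is a business decision rather than a cost calculation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Quantitative risk inputs as used on the exam (sample values are constructed)."""
    asset_value: float      # AV: what the asset is worth
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


def mitigate_cost(after: Risk, annual_control_cost: float) -> float:
    """Expected yearly cost if the control is bought: residual ALE plus the control."""
    return after.ale() + annual_control_cost


def transfer_cost(risk: Risk, premium: float, covered_fraction: float) -> float:
    """Expected yearly cost with cyber insurance. Insurance changes who pays,
    not SLE or ARO: the uncovered share of every loss still lands on the organization."""
    return risk.ale() * (1.0 - covered_fraction) + premium


def cheapest_response(before: Risk, after: Risk, control_cost: float,
                      premium: float, covered_fraction: float) -> tuple[str, float]:
    """Return the risk response with the lowest expected annual cost."""
    options = {
        "accept": before.ale(),
        "mitigate": mitigate_cost(after, control_cost),
        "transfer": transfer_cost(before, premium, covered_fraction),
    }
    name = min(options, key=options.get)
    return name, options[name]


# Constructed scenario: ransomware against a 500k file share, roughly one incident every two years.
BEFORE = Risk(asset_value=500_000, exposure_factor=0.4, aro=0.5)
# Tested backups plus endpoint detection cut both the damage per incident and its frequency.
AFTER = Risk(asset_value=500_000, exposure_factor=0.1, aro=0.25)

if __name__ == "__main__":
    print(f"SLE before: {BEFORE.sle():,.0f}  ALE before: {BEFORE.ale():,.0f}")
    print(cheapest_response(BEFORE, AFTER, control_cost=20_000, premium=30_000, covered_fraction=0.75))
```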

The domain closes with compliance topics like privacy, due care versus due diligence, and attestation, plus audits and assessments including penetration testing team types, and security awareness practices such as phishing campaigns and insider-threat recognition.


Domain 5 quick glossary

The terms that show up most on Domain 5 questions — one line each.

Policy: A high-level, mandatory statement of management intent that does not specify exact technical settings.
Standard: A required, specific rule (such as a minimum key length) that enforces a broader policy.
ALE: Annualized Loss Expectancy: SLE multiplied by ARO, the expected yearly cost of a risk.
Risk transfer: Shifting financial impact to a third party, commonly by purchasing cyber insurance.
Data controller: The party that decides why and how personal data is processed and is accountable for it.
Data processor: A party that handles personal data on behalf of, and under the instructions of, the controller.
SLA: Service Level Agreement: a contract clause defining uptime or performance targets with penalties.
Due diligence: The investigation and ongoing research done before and during a decision; due care is acting on it.
