Skip to content
CompTIA Security+ · SY0-701

Security+ Domain 5: Security Program Management & Oversight

Domain 5.0 — Security Program Management & Oversight · 20% of the exam

The governance domain — all 6 objectives (5.1–5.6) across security governance, risk management, third-party risk, compliance, audits and assessments, and security awareness. 84 pages with 90 exam-style practice questions.

6 modules · 35 topics 84-page PDF 90 practice questions
Read a free sample By the author of 60+ Pluralsight courses · 4.6/5 from 2,000+ ratings
Best value
$19.95/ month

All study guides — current and every new one.

or own the whole exam
$29.95one-time · all 5 domains$49.75
or just this guide
$9.95one-time · lifetime access
  • Interactive online guide
  • Downloadable PDF
  • Lifetime updates
  • 30-day money-back guarantee

Secure checkout via Stripe · no account needed · instant access

20% of your exam score

Domain 5.0 is worth 20% of the SY0-701 exam. Walk in having mastered it — not hoping it doesn't come up.

Every objective, nothing extra

Built line by line from CompTIA's official objectives 5.1–5.6 — 35 in-depth topics with worked scenarios and exam tips, in a 84-page guide you'll actually finish.

90 exam-style questions

Every question comes with instant feedback and a full explanation, so a wrong answer teaches you as much as a right one.

The industry's baseline cert

Security+ is the most widely held cybersecurity certification in the world — the default HR filter for security roles and the baseline for DoD 8140 work.

Read a real excerpt — free

This is the actual opening of Module 5.1, Security governance — not marketing copy. If you like how it teaches, the rest of the guide reads the same way.

Objective 5.1

Summarize elements of effective security governance

Governance is how an organization decides what "secure" means, writes it down, assigns responsibility for it, and keeps the documents current. This module covers the document hierarchy (guidelines, policies, standards, procedures), the external forces that shape it, the structures that oversee it, and the roles accountable for systems and data.

Security governance answers a deceptively simple question: who decides, and how do we know everyone follows the decision? Without governance, security is a collection of individual heroics — one admin hardens servers her way, another his way, and nobody can prove anything to an auditor. Governance replaces heroics with documents that have different levels of authority and different levels of detail. The exam expects you to place any described document into exactly one of four buckets: policy (mandatory, high-level "what and why"), standard (mandatory, specific "how much / which one"), procedure (mandatory, step-by-step "how"), or guideline (advisory best practice).

The governance document hierarchy

Think of the hierarchy as increasing specificity as you move down. A policy says "all sensitive data must be encrypted at rest" (what/why). A standard says "use AES-256 for data at rest and TLS 1.2 or higher in transit" (the measurable requirement). A procedure says "step 1: open the key management console…" (the how). A guideline says "where practical, prefer hardware-backed key storage" (recommended, not required).

Policies MandatoryHigh-level WHAT and WHY — management's intent. Approved by senior leadership.
Standards MandatorySpecific, measurable requirements that make policies enforceable (e.g., password length, approved ciphers).
Procedures MandatoryStep-by-step HOW — the exact sequence of actions (e.g., an offboarding checklist, a playbook).
Guidelines AdvisoryRecommended best practices for situations the mandatory documents don't cover. Flexible.
Figure 5.1 — The governance hierarchy: policies set intent, standards set requirements, procedures set steps, guidelines advise. Only guidelines are optional.
Exam tip · policy vs. standard vs. procedure vs. guideline

Classification questions hinge on two properties: is it mandatory? and how specific is it? Mandatory + broad = policy. Mandatory + specific requirement (a number, an algorithm, a configuration) = standard. Mandatory + sequenced steps = procedure. Optional recommendation = guideline. If a question says "recommended" or "suggested," the answer is guideline — no matter how technical it sounds.

The guide continues for 84 pagesKeep reading — unlock the full guide

Not ready to buy? Read it later.

We'll email you a free sample of this guide as a PDF — no purchase needed.

Try 3 sample questions

Pulled straight from the guide's 90-question bank — tap an answer for instant feedback and the explanation.

From module 5.1 · Security governance

  1. 1. A document approved by executive leadership states: "All company data classified as Confidential or above must be protected against unauthorized access, and all employees are responsible for safeguarding it." The document does not specify technologies or configurations. Which type of governance document is this?

From module 5.2 · Risk management

  1. 1. A file server is valued at $250,000. A risk assessment determines that a successful ransomware attack would destroy 40% of the asset's value. What is the SLE?

From module 5.3 · Third-party risk

  1. 1. A company wants a contractual guarantee that it can inspect a cloud provider's security controls and records during the life of the contract. Which provision should it negotiate into the agreement?

87 more questions like these are waiting inside.

What's inside

  • 35 in-depth topics across 6 modules, mapped to objectives 5.1–5.6
  • 90 exam-style practice questions with instant feedback
  • Full answer key with explanations for every question
  • Complete Security+ acronym & key-term reference
  • 84-page downloadable PDF for offline study and printing
  • Lifetime updates as the exam evolves

The modules, mapped to the objectives

  1. 5.1

    Security governance

    Summarize elements of effective security governance

    15 Qs
    Password standardAccess control standardPhysical security standardEncryption standardBoardsCommittees
  2. 5.2

    Risk management

    Explain elements of the risk management process

    15 Qs
    Ad hocRecurringOne-timeContinuousRTORecovery Time ObjectiveRPORecovery Point Objective
  3. 5.3

    Third-party risk

    Explain the processes associated with third-party risk assessment and management

    15 Qs
    Penetration testingRight-to-audit clauseEvidence of internal auditsIndependent assessmentsSupply chain analysis
  4. 5.4

    Security compliance

    Summarize elements of effective security compliance

    15 Qs
    Due diligenceDue careAttestation & acknowledgementInternal & external monitoringAutomationOwnership
  5. 5.5

    Audits & assessments

    Explain types and purposes of audits and assessments

    15 Qs
    PhysicalOffensiveDefensiveIntegrated
  6. 5.6

    Security awareness

    Given a scenario, implement security awareness practices

    15 Qs
    Phishing: campaigns, recognition, responseAnomalous behavior recognitionUser guidance and training topicsReporting and monitoring: initial and recurringDevelopment and execution
Chris Rees

About the author

Chris Rees

Professional information technologist with 25+ years in IT and the author of 60+ certification training courses — 50+ live on Pluralsight, rated 4.6/5 across more than 2,000 reviews. This guide is that same exam-focused teaching, in a format you can finish.

More about Chris
Save 40%

Sitting the whole exam? Get the Complete Security+ Collection.

All 5 SY0-701 domains — including this guide — for $29.95 instead of $49.75.

See everything inside

Questions, answered

Do I need an account to buy?

No. Checkout is a single Stripe form — email and card, about 30 seconds. We create your access from your checkout email automatically and sign you in the moment payment completes.

Is this up to date with the real SY0-701 exam?

Yes — the guide is mapped module-by-module to CompTIA's official Security+ objectives (5.1–5.6), and lifetime updates are included, so as the exam evolves your guide does too.

What exactly do I get?

Instant access to the interactive online guide with all 90 practice questions, plus a 84-page PDF you can download, print, and keep forever.

Do I need the other domains too?

This guide covers Domain 5.0 (20% of the exam). To prepare for the whole exam, the Complete Security+ Collection bundles all 5 domains for $29.95 — less than the price of three guides.

What if it isn't for me?

Every purchase comes with a 30-day money-back guarantee — email us and we'll refund you, no hoops.

Who wrote it?

Chris Rees — a professional information technologist with 25+ years in IT and the author of 60+ certification courses, rated 4.6/5 across 2,000+ reviews on Pluralsight.

Be ready for 20% of the exam — for $9.95

Instant access, lifetime updates, and a 30-day money-back guarantee. The only risk is walking into the exam without it.

Get the guide

Share this guide