Introduction to Domain One — General Security Concepts

If you’ve been listening from the beginning, you now know what the Security Plus certification is, how the exam is organized, and how to build a study plan that works. So now it’s time to dive into the content—starting with Domain One: General Security Concepts. This domain sets the foundation for everything else you’re going to learn, and it’s where we begin because every other domain builds on top of these principles. If you understand the language and logic of cybersecurity early, the rest of the journey becomes much easier.
So what exactly does Domain One cover? This domain introduces the core vocabulary and mindset of cybersecurity. It explains what security actually means—not just in theory, but in how it’s applied in real organizations. You’ll learn about the goals of security, the types of controls used to enforce it, and the frameworks that help guide secure behavior. You’ll explore concepts like confidentiality, integrity, and availability—often referred to as the CIA triad. You’ll dig into control types like preventive, detective, and corrective. You’ll also begin to understand how authentication, authorization, and accounting work together to manage access and track activity.
You’ll learn about the categories of security controls—technical, operational, managerial, and physical—and how different controls fit into each. You’ll be introduced to Zero Trust, change management, and cryptographic fundamentals. And you’ll begin to develop the mental model of risk-based thinking that drives everything in the world of cybersecurity.
Let’s start with the CIA triad. These three principles—confidentiality, integrity, and availability—define the core goals of cybersecurity. Confidentiality means keeping data private and secure from unauthorized access. Integrity means ensuring that data hasn’t been altered or tampered with. Availability means making sure systems and data are accessible when needed. Every security control, every policy, every defensive tool in cybersecurity ultimately supports one or more of these three goals.
For example, encryption supports confidentiality by preventing unauthorized users from reading sensitive data. Hashing supports integrity by allowing systems to detect changes to files or messages. Redundancy and failover systems support availability by keeping services running during disruptions. Once you understand the CIA triad, it becomes a lens you can use to evaluate every control you encounter.
Next, this domain introduces the types and categories of security controls. You’ll learn to identify whether a control is preventive, detective, corrective, deterrent, directive, or compensating. You’ll also learn to place it into the right category—like technical, which includes things like firewalls and access controls; operational, which includes processes and procedures; managerial, which focuses on oversight; and physical, which deals with things like locks, guards, and surveillance.
Let’s say you have a security camera in your office building. That’s a physical control. And depending on how it’s used, it might be classified as a detective control—if it helps identify intrusions after the fact—or a deterrent, if it discourages unauthorized access in the first place. This kind of thinking is what Domain One trains you to do: to see each control as part of a bigger system of protection.
This domain also introduces the AAA framework: authentication, authorization, and accounting. Authentication verifies identity—proving someone is who they say they are. Authorization determines what that person is allowed to do—what systems they can access and what actions they can take. And accounting logs what they actually did—creating an audit trail that can be reviewed later. These concepts are essential for managing secure access, and you’ll see them repeated throughout the other domains.
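To make the AAA flow concrete, here is a short Python sketch added as an illustration; it is not part of the original episode. The user names, passwords, roles, and function names are all hypothetical, and PBKDF2 with a per-user salt stands in for whatever password storage a real system uses.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample data: roles and their permitted actions (hypothetical).
PERMISSIONS = {"analyst": {"read_report"},
               "admin": {"read_report", "delete_report"}}

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: the same password stored with a
    # different salt produces a different digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)  # unique random salt per user
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}

USERS = {"alice": make_user("correct horse", "analyst"),
         "bob": make_user("battery staple", "admin")}

AUDIT_LOG = []  # accounting: every request is recorded, allowed or not

def authenticate(user: str, password: str) -> bool:
    """Authentication: prove the caller is who they claim to be."""
    entry = USERS.get(user)
    if entry is None:
        return False
    candidate = hash_password(password, entry["salt"])
    return hmac.compare_digest(candidate, entry["hash"])  # constant-time compare

def authorize(user: str, action: str) -> bool:
    """Authorization: check what the authenticated user may do."""
    return action in PERMISSIONS.get(USERS[user]["role"], set())

def request(user: str, password: str, action: str) -> str:
    """Run one request through all three steps and return the outcome."""
    if not authenticate(user, password):
        outcome = "denied:authentication"
    elif not authorize(user, action):
        outcome = "denied:authorization"
    else:
        outcome = "allowed"
    # Accounting: log the attempt with a timestamp for later review.
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": action, "outcome": outcome})
    return outcome
```

Note that the audit trail captures denied attempts as well as successful ones, which is what makes it useful for review after the fact.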
Another important topic is Zero Trust. The idea here is simple: never trust, always verify. In a Zero Trust model, access is granted based on continuous verification of identity, context, and behavior. Users are only given the minimum access they need, and that access is continuously evaluated. It’s a shift away from traditional perimeter defenses toward more granular, adaptive security—especially in hybrid and cloud environments.
You’ll also learn about change management in this domain. This means having formal processes for requesting, reviewing, approving, and documenting changes to systems or configurations. Change management helps ensure that updates don’t accidentally introduce new vulnerabilities—and that when something breaks, there’s a record of what changed and when. This is one of those behind-the-scenes processes that doesn’t get much attention until something goes wrong—but it’s essential for maintaining secure and stable environments.
Finally, you’ll get a basic introduction to cryptographic concepts. This won’t go into deep math or algorithm theory—but you will learn what encryption does, the difference between symmetric and asymmetric methods, and why hashing and salting matter. These topics become much more important later in the exam, especially in Domain Three, but Domain One gives you the initial foundation you’ll need to understand what’s going on when those terms show up.
So why does all of this matter? Because every security control, every risk assessment, every response plan is built on these foundational ideas. If you don’t understand the difference between confidentiality and integrity, you won’t understand why some attacks are so dangerous. If you don’t know how to classify controls, you won’t be able to answer scenario questions that ask which control is best. And if you don’t understand the logic of risk, you’ll miss the big picture behind policies and processes.
In terms of exam weight, Domain One is the lightest—it covers 12 percent of the total questions. But don’t let that fool you. This domain matters. The concepts here show up everywhere else. If you master Domain One early, it makes the other domains easier to understand. It’s like learning the grammar of a language before trying to write a novel.
And here's a tip. When studying this domain, don’t just memorize terms. Work with them. Create examples. Look at your own environment—your home network, your school lab, your workplace—and ask yourself: where do I see preventive controls? What’s managing authentication? How is availability maintained? Making these concepts real is one of the fastest ways to lock in your understanding.
As we move through upcoming episodes, we’ll begin exploring the specific topics within each domain in more depth. Domain One is our starting point because it gives us the language, the mindset, and the models that make sense of everything else that follows.
