2. General Security Concepts (12%)

This domain covers exam objectives 1.1 through 1.4 and accounts for roughly 11 of the 90 questions you'll face. While it's the lightest-weighted domain, it establishes the vocabulary and frameworks that every other domain builds on. Think of it as the grammar of cybersecurity — you need it to understand everything else, even if the exam doesn't test it as heavily in isolation. The questions here tend toward recall and identification, but the control categories versus control types distinction alone trips up a surprising number of candidates.