Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
6. Security Program Management and Oversight (20%)
This domain covers exam objectives 5.1 through 5.6 and accounts for roughly 18 of the 90 questions. While the previous domains focused on technical controls and daily operations, this domain covers the management layer that directs it all: governance sets the rules, risk management prioritizes spending, compliance proves adherence, and security awareness trains the humans. Many candidates underestimate this domain because it feels "less technical," but questions here are surprisingly nuanced — especially the risk calculations and third-party risk scenarios.

Written by Alvin Varughese
Founder • 15 professional certifications