The 12 Domains

Security is not solely an engineering problem; it is a business risk. This domain ensures that executive leadership takes formal, documented responsibility for the organisation’s security posture. It requires the establishment of a formal security programme, clear reporting lines, and regular management reviews of security metrics.

In a cloud-native world, identity is the new perimeter. This domain mandates strict controls over who can access systems, data, and infrastructure. It enforces the Principle of Least Privilege (PoLP) and requires modern authentication mechanisms across all environments.

Protecting customer data from unauthorised access or disclosure is the core objective of any security standard. This domain covers the encryption, handling, and lifecycle management of sensitive information, ensuring compliance with global privacy regulations like GDPR and the Australian Privacy Act.

Securing the underlying networks and servers that host your application. This domain requires defence-in-depth strategies, including network segmentation, firewall configuration, and intrusion detection systems, tailored for modern cloud environments.

Ensuring that the software you build is secure by design. This domain integrates security into the Software Development Life Cycle (SDLC), requiring automated testing, secure coding practices, and regular vulnerability assessments.

Legacy frameworks struggle with ephemeral infrastructure. This domain introduces specific controls for containerised workloads (Docker, Kubernetes) and serverless architectures (AWS Lambda, Vercel), ensuring these modern environments are hardened against attack.

The defining feature of the DSS-1200 framework. As software increasingly relies on Large Language Models (LLMs) and AI APIs, this domain mandates controls to prevent data leakage, prompt injection, and unauthorised model training on customer data.

You are only as secure as your weakest vendor. This domain requires rigorous assessment of all third-party sub-processors, open-source dependencies, and infrastructure providers to prevent supply chain attacks.

When a breach occurs, speed and visibility are critical. This domain ensures you have the telemetry required to detect an attack and the formal procedures required to contain and eradicate it.

While modern companies operate in the cloud, physical security still matters. This domain covers the physical security of corporate offices, employee devices, and the verification of data centre physical controls.

Security must align with the law. This domain ensures the organisation identifies and complies with all relevant statutory, regulatory, and contractual security requirements in the jurisdictions where it operates.

Moving away from point-in-time compliance. This domain requires the implementation of automated systems that continuously monitor the environment for configuration drift, vulnerabilities, and active threats.