The Certified Authorization Professional credential is a tried-and-true method to further your career and demonstrate your knowledge of risk management (RMF). It certifies your advanced technical knowledge and abilities for authorizing and maintaining information systems inside the RMF utilizing best practices, policies, and procedures specified by (ISC)2’s cyber security experts. Obtaining this certification can help you advance your career and improve your resume.
However, studying for the exam necessitates a significant amount of practice. The secret to passing an exam is to prepare well. As a result, we’ve created a CAP Exam Preparation Guide to help you get started. Before we get into your preparation adventure, let’s go over the exam details.
Who is a Certified Authorization Professional?
The Certified Authorization Professional (CAP) is a security risk manager that argues for information system authorization to support an organization’s mission and operations while adhering to legal and regulatory constraints.
The CAP Certification Exam is ideal for IT, information security, and information assurance practitioners and contractors who use the RMF in:
- The U.S. federal government, such as the U.S. Department of State or Department of Defense
- The military
- Civilian roles, such as federal contractors
- Local governments
- Private sector organizations
CAP Exam Details
- The ISC2 Certified Authorization Professional (CAP) exam covers 125 questions.
- These CAP Exam Questions are in Multiple Choice and Multi-Response format.
- You will get 180 minutes to complete the exam. Also, CAP Exam Cost is 599 USD and is available in English language only.
- Additionally, the CAP Exam Pass Rate is 700 (on a scale of 1-1000).
|ISC2 Certified Authorization Professional (CAP)
|Multiple Choice and Multi-Response Questions
|Number of Questions
|700 (on a scale of 1-1000)
CAP Exam Requirements
- Candidates must have a minimum of 2 years cumulative work experience in 1 or more of the 7 domains of the CAP CBK.
- However, a candidate that doesn’t have the required experience to become a CAP may become an Associate of (ISC)² by successfully passing the CAP examination.
- The Associate of (ISC)² will then have 3 years to earn the 2 year required experience.
Scheduling the Exam
For the CAP Exam Registration follow the steps:
- Firstly, Create an account with Pearson VUE, the exclusive global administrator of all (ISC)² exams.
- Then, Select the (ISC)² certification exam you are pursuing.
- Finally, Schedule your exam and testing location with Pearson VUE
Exam Retake Policy
(ISC)² grants a chance to retake your failed exam. Moreover, you can sit for the exam up to three times a year. The following are the rules in order to retake the exam:
- To begin with, if you don’t pass the exam the first time, you can retest after 90 days of the actual exam
- Similarly, if you don’t pass a second time, you can retest after an additional 90 days
- Further, if you don’t pass a third time, you can retest after 180 days
Certified Authorization Professional FAQ
Familiarising with the exam policies is an important step before commencing on with your preparations. To have clarity about the exam details visit Certified Authorization Professional FAQ
Exam Course: Certified Authorization Professional
The exam domains are described in depth in the Official Exam Guide. These domains are divided into subtopics. This will aid applicants in their exam preparation by identifying specific topics within each area that may be evaluated. The CAP Exam Syllabus exam includes the seven domains listed below. Furthermore, the percentage next to each domain denotes its importance in the exam.
Domain 1. Information Security Risk Management Program 15%
1.1 Understand the Foundation of an Organization-Wide Information Security Risk Management Program
- Principles of information security
- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
- RMF and System Development Life Cycle (SDLC) integration
- Information System (IS) boundary requirements
- Approaches to security control allocation
- Roles and responsibilities in the authorization process
1.2 Understand Risk Management Program Processes
- Enterprise program management controls
- Privacy requirements
- Third-party hosted Information Systems (IS)
1.3 Understand Regulatory and Legal Requirements
ISC2 Reference: LEGAL & REGULATORY COMPLIANCE
- Federal information security requirements
- Relevant privacy legislation
- Other applicable security-related mandates
Domain 2. Categorization of Information Systems (IS) 13%
2.1 Define the Information System (IS)
- Identify the boundary of the Information System (IS)
- Describe the architecture
- Describe Information System (IS) purpose and functionality
2.2 Determine Categorization of the Information System (IS)
- Identify the information types processed, stored, or transmitted by the Information System (IS)
- Determine the impact level on confidentiality, integrity, and availability for each information type
- Determine Information System (IS) categorization and document results
Domain 3. Selection of Security Controls 13%
3.1 Identify and Document Baseline and Inherited Controls
3.2 Select and Tailor Security Controls
- Determine applicability of recommended baseline
- Determine appropriate use of overlays
- Document applicability of security controls
3.3 Develop Security Control Monitoring Strategy
3.4 Review and Approve Security Plan (SP)
Domain 4. Implementation of Security Controls 15%
4.1 Implement Selected Security Controls
- Confirm that security controls are consistent with enterprise architecture
- Coordinate inherited controls implementation with common control providers
- Determine mandatory configuration settings and verify implementation (e.g., United States Government Configuration Baseline (USGCB), National Institute of Standards and Technology (NIST) checklists, Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) benchmarks)
- Determine compensating security controls
4.2 Document Security Control Implementation
- Capture planned inputs, expected behavior, and expected outputs of security controls
- Verify documented details are in line with the purpose, scope, and impact of the Information System (IS)
- Obtain implementation information from appropriate organization entities (e.g., physical security, personnel security)
Domain 5. Assessment of Security Controls 14%
5.1 Prepare for Security Control Assessment (SCA)
- Determine Security Control Assessor (SCA) requirements
- Establish objectives and scope » Determine methods and level of effort
- Determine necessary resources and logistics
- Collect and review artifacts (e.g., previous assessments, system documentation, policies)
- Finalize Security Control Assessment (SCA) plan
5.2 Conduct Security Control Assessment (SCA)
- Assess security control using standard assessment methods
- Collect and inventory assessment evidence
5.3 Prepare Initial Security Assessment Report (SAR)
- Analyze assessment results and identify weaknesses
- Propose remediation actions
5.4 Review Interim Security Assessment Report (SAR) and Perform Initial Remediation Actions
- Determine initial risk responses
- Apply initial remediations
- Reassess and validate the remediated controls
5.5 Develop Final Security Assessment Report (SAR) and Optional Addendum
Domain 6. Authorization of Information Systems (IS) 14%
6.1 Develop Plan of Action and Milestones (POAM)
- Analyze identified weaknesses or deficiencies
- Prioritize responses based on risk level
- Formulate remediation plans
- Identify resources required to remediate deficiencies
- Develop schedule for remediation activities
6.2 Assemble Security Authorization Package
- Compile required security documentation for Authorizing Official (AO)
6.3 Determine Information System (IS) Risk
- Evaluate Information System (IS) risk
- Determine risk response options (i.e., accept, avoid, transfer, mitigate, share)
6.4 Make Security Authorization Decision
- Determine terms of authorization
Domain 7. Continuous Monitoring 16%
7.1 Determine Security Impact of Changes to Information Systems (IS) and Environment
- Understand configuration management processes
- Analyze risk due to proposed changes
- Validate that changes have been correctly implemented
7.2 Perform Ongoing Security Control Assessments (SCA)
- Determine specific monitoring tasks and frequency based on the agency’s strategy » Perform security control assessments based on monitoring strategy
- Evaluate security status of common and hybrid controls and interconnections
7.3 Conduct Ongoing Remediation Actions (e.g., resulting from incidents, vulnerability scans, audits, vendor updates)
- Assess risk(s)
- Formulate remediation plan(s)
- Conduct remediation tasks
7.4 Update Documentation
- Determine which documents require updates based on results of the continuous monitoring process
7.5 Perform Periodic Security Status Reporting
- Determine reporting requirements
7.6 Perform Ongoing Information System (IS) Risk Acceptance
- Determine ongoing Information System (IS)
7.7 Decommission Information System (IS)
- Determine Information System (IS) decommissioning requirements
- Communicate decommissioning of Information System (IS)
Preparatory Guide: Certified Authorization Professional
Obtaining this qualification will greatly enhance your employment options. As a result, it’s critical to get a head start on your preparations and be familiar with all available resources. This study guide compiles a list of all the learning resources you’ll need as part of your preparation. To ace, the exam, use our step-by-step CAP Exam Study Guide.
Step 1- Start with the Certified Authorization Professional Official Guide
The (ISC)² Official Site should always be the first step in your preparation guide. This will undoubtedly get you started in the correct direction. Keep in mind that the official website is the most reliable. After you’ve gone through the fundamentals of the exam. It’s time to crack open the exam manual. The Official Exam Guide contains a full description of the course goals that will assist you in mastering exam themes. Furthermore, a thorough examination of the CAP Exam Outline will enable you to better align yourself with the exam’s main goals.
Step 2- Explore Learning Resources
Your preparations are defined by your study resources. As a result, selecting the appropriate resources becomes even more critical. In order to ace the exam, you must have access to these resources. (ISC)2 offers a number of study aids to assist you in your preparation. We recommend that you look into the following options. Materials for the CAP Exam.
Enrol for Training Courses
While studying for any exam, training courses are necessary. They provide hands-on experience that allows you to better understand exam themes. To assist you in your preparations, (ISC)2 offers its own training courses. You may visit the (ISC)² Training Finder to register for the course that best meets your needs.
This course is for the information security professional who is responsible for ensuring that system security is in line with an organization’s mission and risk tolerance while also meeting legal and regulatory standards. The CAP training course covers the seven areas of the CAP CBK and provides a complete examination of information systems security concepts and industry best practices.
After completing this course, the student will be able to:
- To begin with, Identify and describe the steps and tasks within the NIST Risk Management Framework (RMF).
- Further, Describe the roles associated with the RMF and how they are assigned to tasks within the RMF.
- Then, Execute tasks within the RMF process based on assignment to one or more RMF roles.
- Also, Explain organizational risk management and how it is supported by the RMF.
This course is available in the following options:
Learn with the Official Study Guides
Preparing for any exam without books appears both ridiculous and ineffective. In addition, books provide applicants with a complete amount of material for studying for the Certified Authorization Professional certification test. Official Study Guides help you improve your knowledge in a given topic and understand concepts in greater depth.
We suggest you to refer the Official (ISC)² Guide to the CAP CBK, Second Edition: It provides readers with the tools to effectively secure their IT systems via standard, repeatable processes.
Discover Official CAP Flash Cards
Study for the Certified Authorization Professional exam anytime, anywhere with Official CAP Flash Cards! This unique, interactive way tests your knowledge of industry terms while providing you with immediate feedback about whether or not your answer is correct.
Step 3- Join a Community
Joining an online community is an excellent way to prepare for an exam. When a large number of people get involved in a problem, the chances of finding a solution grow dramatically. In addition, having different points of view makes the material more lively. The research get more extensive as a result of these conversations. Introverts, who might otherwise avoid dialogues, get a chance to express themselves. Forums are excellent for forming a community that is necessary for understanding others. As a result, join groups to meet new people, form new networks, and expand your expertise.
Step 4- Self-Evaluate with Practice Tests
Finally, we’re on the last step for the preparation. But before you start practising, make sure you have completed the entire course and are well versed. Self-evaluation, as we say, will provide you with better insights if you are well skilled or not. Moreover, self-evaluation will assist you to acknowledge the areas where you lack. Further, these CAP Exam Practice Test are designed to provide the candidate with the real exam environment. Therefore, we recommend practising as much as you can. Start practising now to boost your confidence!