September 5, 2018 | Category: Cyber Security, Training and Certification

The (ISC)² CAP Exam Updates – October 2018

The (ISC)² Certified Authorization Professional (CAP) certification exam updates take effect on October 15, 2018. In this post we give a quick overview of the certification, the exam requirements, and the changes to the exam domains and content you need to know.

About the CAP Certification

The CAP certification is developed and maintained by the International Information System Security Certification Consortium Inc. (ISC)². CAP is intended for individuals committed to providing high-quality security assessment and authorization services within the Risk Management Framework and applying those skills within an organization. Assessment and authorization are essential to determining user and client privileges and access levels for computer programs and files.

The Risk Management Framework (RMF) is an important process to follow because it is used to identify security threats to an organization and to minimize the organization's overall risk and the impact of those threats.

The CAP Exam

Candidates for the CAP certification exam need a minimum of 2 years of experience in one or more of the 7 domains of the CAP Common Body of Knowledge (CBK). If you do not have the experience you can still take the CAP exam, but you will instead become an Associate of (ISC)² after successfully passing the exam. You then have 3 years to complete the required 2 years of experience to obtain the CAP certification.

Both the old and new exams will be exactly the same in terms of exam structure.

  • Exam costs $599 USD
  • 125 multiple choice questions
  • Scoring is out of 1000 points and a 70% score minimum is required to pass
  • Exam duration is 3 hours long

What’s New on the CAP Exam

If you compare what is covered in each of the sections, there are a few changes to the topics in each exam domain. The changes between the old and new outlines are shown below.

Effective on October 15 of 2018, the CAP exam will be based on the new outline.

Old Outline vs. New Outline

Old – Domain 1: Risk Management Framework (RMF) (20%)

  • Describe the Risk Management Framework
  • Describe and Distinguish Between the RMF Steps
  • Identify Roles and Define Responsibilities
  • Understand and Describe How the RMF Process Relates
  • Understand the Relationship between the RMF and System Development Life Cycle (SDLC)
  • Understand Legal, Regulatory, and Other Security Requirements

New – Domain 1: Information Security Risk Management Program (15%)

  • Understand the Foundation of an Organization-Wide Information Security Risk Management Program
  • Understand Risk Management Program Processes
  • Understand Regulatory and Legal Requirements

Old – Domain 2: Categorization of Information Systems (8%)

  • Categorize the System
  • Describe the Information System
  • Register the System

New – Domain 2: Categorization of Information Systems (IS) (13%)

  • Define the Information System
  • Determine Categorization of the Information System

Old – Domain 3: Selection of Security Controls (13%)

  • Identify and Document Common Controls
  • Select, Tailor, and Document Security Controls
  • Develop Security Control Monitoring Strategy
  • Review and Approve SP

New – Domain 3: Selection of Security Controls (13%)

  • Identify and Document Baseline and Inherited Controls
  • Select and Tailor Security Controls
  • Develop Security Control Monitoring Strategy
  • Review and Approve Security Plan

Old – Domain 4: Security Control Implementation (10%)

  • Implement Selected Security Controls
  • Document Security Control Implementation

New – Domain 4: Implementation of Security Controls (15%)

  • Implement Selected Security Controls
  • Document Security Control Implementation

Old – Domain 5: Security Control Assessment (19%)

  • Prepare for Security Control Assessment
  • Develop Security Control Assessment Plan
  • Assess Security Control Effectiveness
  • Develop Initial Security Assessment Report
  • Review Interim SAR and Perform Initial Remediation Actions
  • Develop Final SAR and Optional Addendum

New – Domain 5: Assessment of Security Controls (14%)

  • Prepare for Security Control Assessment
  • Conduct Security Control Assessment
  • Prepare Initial Security Assessment Report
  • Review Interim Security Assessment Report and Perform Initial Remediation Actions
  • Develop Final Security Assessment Report and Optional Addendum

Old – Domain 6: Information System Authorization (13%)

  • Develop Plan of Action and Milestones
  • Assemble Security Authorization Package
  • Determine Risk
  • Determine the Acceptability of Risk
  • Obtain Security Authorization Decision

New – Domain 6: Authorization of Information Systems (IS) (14%)

  • Develop Plan of Action and Milestones
  • Assemble Security Authorization Package
  • Determine Information System Risk
  • Make Security Authorization Decision

Old – Domain 7: Monitoring of Security Controls (17%)

  • Determine Security Impact of Changes to System and Environment
  • Perform Ongoing Security Control Assessments
  • Conduct Ongoing Remediation Actions
  • Update Key Documentation
  • Perform Periodic Security Status Reporting
  • Perform Ongoing Risk Determination and Acceptance
  • Decommission and Remove System

New – Domain 7: Continuous Monitoring (16%)

  • Determine Security Impact of Changes to Information Systems and Environment
  • Perform Ongoing Security Control Assessments
  • Conduct Ongoing Remediation Actions
  • Update Documentation
  • Perform Periodic Security Status Reporting
  • Perform Ongoing Information System Risk Acceptance
  • Decommission Information System (IS)

How to Prepare for the CAP Exam

One of the most effective preparation options is to attend a training boot camp. Our CAP training course prepares individuals for the current and updated CAP exam.
