ISC2 Certified Authorization Professional (CAP)


The (ISC)² CAP CBK Training Seminar is prepared by CAP credential holders and conducted only by (ISC)² Authorized Instructors, each of whom is up to date on the latest information security developments and is an expert in the CAP CBK (Common Body of Knowledge). It is the most comprehensive and complete review of information systems security concepts and industry best practices, and the only training endorsed by (ISC)².

At an Official (ISC)² CAP CBK Training Seminar the delegate will enjoy a rich learning environment providing a complete information systems security authorization experience. Through a series of structured training modules, class discussions, case examples and end-of-domain review questions, the CAP candidate will fully understand the requirements for security authorization, the overall process and all the supporting procedures to ensure compliance with current requirements.

As your exclusive way to review and refresh your knowledge of the CBK before the CAP exam, the seminar helps you identify the areas you need to study and includes:

  • (ISC)² Authorized Instructor, who is a Subject Matter Expert (SME)
  • Up-to-date CBK Courseware
  • Guidance on CAP requirements & NIST documents
  • End-of-domain review questions
  • CD-ROM containing testable references

CAP Domains

1. Understand the Security Authorization of Information Systems
Security authorization includes a tiered risk management approach to evaluate both strategic and tactical risk across the enterprise. The authorization process incorporates the application of a Risk Management Framework (RMF), a review of the organizational structure, and the business process/mission as the foundation for the implementation and assessment of specified security controls. This authorization management process identifies vulnerabilities and security controls and determines residual risks. The residual risks are evaluated and deemed either acceptable or unacceptable. More controls must be implemented to reduce unacceptable risk. The system may be deployed only when the residual risks are acceptable to the enterprise and a satisfactory security plan is complete.

2. Categorize Information Systems
Categorization of the information system is based on an impact analysis. It is performed to determine the types of information included within the security authorization boundary, the security requirements for the information types, and the potential impact on the organization resulting from a security compromise. The result of the categorization is used as the basis for developing the security plan, selecting security controls, and determining the risk inherent in operating the system.

3. Establish the Security Control Baseline
The security control baseline is established by determining specific controls required to protect the system based on the security categorization of the system. The baseline is tailored and supplemented in accordance with an organizational assessment of risk and local parameters. The security control baseline, as well as the plan for monitoring it, is documented in the security plan.

4. Apply Security Controls
The security controls specified in the security plan are implemented, taking into account the minimum organizational assurance requirements. The security plan describes how the controls are employed within the information system and its operational environment. The security assessment plan documents the methods for testing these controls and the expected results throughout the system's life cycle.

5. Assess Security Controls
The security control assessment follows the approved plan, including defined procedures, to determine the effectiveness of the controls in meeting security requirements of the information system. The results are documented in the Security Assessment Report.

6. Authorize Information System
The residual risks identified during the security control assessment are evaluated and the decision is made to authorize the system to operate, deny its operation, or remediate the deficiencies. Associated documentation is prepared and/or updated depending on the authorization decision.

7. Monitor Security Controls
After an Authorization to Operate (ATO) is granted, continuous monitoring is performed on all identified security controls as well as the political, legal, and physical environment in which the system operates. Changes to the system or its operational environment are documented and analyzed. The security state of the system is reported to designated responsible officials. Significant changes cause the system to re-enter the security authorization process; otherwise, the system continues to be monitored on an ongoing basis in accordance with the organization's monitoring strategy.
