Updates to the (ISC)² CAP Exam. What is Changing?
Earlier this year, we announced an upcoming update to the Certified Authorization Professional (CAP) certification. The (ISC)² CAP exam will be updated on August 15, 2021.
During the last Job Task Analysis (JTA), the decision was made to expand the CAP to reflect the more diverse day-to-day work of the professionals who earn the certification.
What began as a certification built primarily for U.S. government professionals using the Risk Management Framework (RMF) now also serves professionals working in the private sector and in organizations around the world. We spoke with Toni Hahn, Content Development Manager at (ISC)², about these changes. Toni, who holds both the CISSP and CAP certifications, oversees a team of certified content experts and works with her team and volunteers to manage the process of updating all (ISC)² exams.
“RMF is no longer the sole framework referenced,” said Toni. “Other frameworks like NIST SP 800-37 (Rev 2), ISO 27001, ISO 31000, FedRAMP, COBIT and many others are now included.” Professionals who hold the CAP certification are essential to any successful risk management program, not just those in the U.S. or in government roles.
Additionally, privacy is more prevalent in the August 2021 exam outline. “Privacy and cybersecurity used to be separate entities,” said Toni. “Within the past few years, we have seen that line blur. Privacy and security are converging, and the outline reflects that.”
Implementing a risk management program can be a tremendous task, and holding the CAP certification demonstrates your understanding of the core of this responsibility and of best practices for implementation.
While the CAP exam format (time allowed to complete the exam, cost and number of items) will remain the same following the August update, the content changes are shown below:
| Domain | CAP currently | % | CAP as of August 15, 2021 | % |
|---|---|---|---|---|
| Domain 1 | Information Security Risk Management Program | 15% | Information Security Risk Management Program | 16% |
| Domain 2 | Categorization of Information Systems | 13% | Scope of the Information System | 11% |
| Domain 3 | Selection of Security Controls | 13% | Selection and Approval of Security and Privacy Controls | 15% |
| Domain 4 | Implementation of Security Controls | 15% | Implementation of Security and Privacy Controls | 16% |
| Domain 5 | Assessment of Security Controls | 14% | Assessment/Audit of Security and Privacy Controls | 16% |
| Domain 6 | Authorization of Information Systems | 14% | Authorization/Approval of Information System | 10% |
| Domain 7 | Continuous Monitoring | 16% | Continuous Monitoring | 16% |
| Total | | 100% | | 100% |
We have also published a CAP Domain Refresh Guide for additional information on the changes in domains and subdomains.
If you already hold the CAP certification and want to be involved in updating the certification again in the future, please email workshops@isc2.org with your member ID number. Toni and her team hold virtual exam item writing workshops, and participants can earn as many as 21 CPE credits.