Updates to the (ISC)² CAP Exam. What is Changing?

Apr 13, 2021

Earlier this year, we announced an upcoming update to the Certified Authorization Professional (CAP) certification. This (ISC)² certification exam will be updating on August 15, 2021.

During the last Job Task Analysis (JTA), the decision was made to expand the CAP to reflect the more diverse day to day work of professionals who were earning the certification.

What was originally built primarily for U.S. government professionals using the Risk Management Framework (RMF) has now expanded to professionals working in the private sector and in organizations around the world. We spoke with the Content Development Manager here at (ISC)², Toni Hahn, about these changes. Toni – who holds both the CISSP and CAP certifications – oversees a team of certified content experts and works with her team and volunteers to manage the process of updating all (ISC)² exams.

“RMF is no longer the sole framework referenced,” said Toni. “Other frameworks like NIST SP 800-37 (Rev 2), ISO 27001, ISO 31000, FedRAMP, COBIT and many others are now included.” Professionals who hold the CAP certification are essential to any successful risk management program, not just those in the U.S. or in government roles.

Additionally, privacy is more prevalent in the August 2021 exam outline. “Privacy and cybersecurity used to be separate entities,” said Toni. “Within the past few years, we have seen that line blur. Privacy and security are converging, and the outline reflects that.”

Implementing a risk management program can be a tremendous task, and holding the CAP certification demonstrates your understanding of the core of this responsibility and of best practices for implementation.

While the CAP exam format (time allowed to complete the exam, cost and number of items) will remain the same following the August updates, details on the content changes are shown below:

| Domain | CAP Currently | % | CAP as of August 15, 2021 | % |
|---|---|---|---|---|
| Domain 1 | Information Security Risk Management Program | 15% | Information Security Risk Management Program | 16% |
| Domain 2 | Categorization of Information Systems | 13% | Scope of the Information System | 11% |
| Domain 3 | Selection of Security Controls | 13% | Selection and Approval of Security and Privacy Controls | 15% |
| Domain 4 | Implementation of Security Controls | 15% | Implementation of Security and Privacy Controls | 16% |
| Domain 5 | Assessment of Security Controls | 14% | Assessment/Audit of Security and Privacy Controls | 16% |
| Domain 6 | Authorization of Information Systems | 14% | Authorization/Approval of Information System | 10% |
| Domain 7 | Continuous Monitoring | 16% | Continuous Monitoring | 16% |
| Total | | 100% | | 100% |

We have also published a CAP Domain Refresh Guide for additional information on the changes in domains and subdomains.

If you already hold the CAP certification and want to be involved in the process of updating the certification again in the future, please email workshops@isc2.org with your member ID #. Toni and her team hold virtual exam item writing workshops and participants can earn as many as 21 CPE credits.