topic Re: CAP Certification in Exams

CAP Certification

scasc — Tue, 11 May 2021 12:03:06 GMT

Dear all,

Am new to this board so please bear with me :). I am interested in pursuing the CAP certificate as I do a lot of work in Cyber risk, security auditing of controls etc. However, the question I have is that is the CAP only suitable for people working in US Government/DOD?

I am from the UK myself and wanted to pursue to learn and grow but if it is more catered towards US market then I can reconsider.

Thanks in advance

Re: CAP Certification

AlecTrevelyan — Tue, 11 May 2021 16:29:50 GMT

Hi and welcome!

Correct, the CAP really only has any relevance inside the US federal space, which is probably why there are relatively few people who hold it from outside the US:

https://www.isc2.org/About/Member-Counts#accordion-20cdd133bc6a464890f28cc7fc4ec5bb

The CAP is tied to a process called Assessment & Authorization which is part of the Risk Management Framework (RMF) mandated for use within US federal organisations, but used almost nowhere else - not even within the US commercial space.

If you've ever been to a security industry event in the UK where ISC2 had a booth, you would see ISC2 EMEA don't even mention the CAP at all in any of the literature they hand out there. (They also don't mention the CISSP-ISSEP which also has links to the RMF, but the CISSP-ISSEP does at least cover other valuable areas including systems security engineering fundamentals, and technical project management.)

That's not to say there's no value in studying for the CAP if you're not looking to work in the US federal space. You'll learn a lot about the RMF which will obviously teach you a lot about risk management.

If you want to study for a certification to help you learn and grow as a security professional, seeing as you already have CISSP and CCSP, then I would highly recommend one of the CISSP Concentrations.

Good luck with whatever you choose!

Re: CAP Certification

scasc — Tue, 11 May 2021 16:57:34 GMT

Many thanks for the response and letting me know. Pretty much thought so, just had the inkling that as the syllabus is being updated in August this might change too.

Thanks for pointing me in the direction of the concentrations. My next question was going to be finding a bootcamp class for the ISSAP. Any recommendations on providers will be greatly appreciated.

I have heard that one has to read all the reference material/recommended sources but I am looking to get a head start by attending a training course for this.

I am doing a lot more in the architecture space and am going for Sabsa training this year too (already have Togaf). I mainly do training with SANS and did the GDSA which was a mind blowing course. It will be great to get the ISSAP to solidify my credentials in this space.

Thanks again.

Re: CAP Certification

AlecTrevelyan — Tue, 11 May 2021 17:40:42 GMT

I self-studied for the ISSAP using the suggested reference list:

https://www.isc2.org/certifications/References#accordion-204b5a1dc3534ba2b24f703df5e067ea

ISC2 have their own online self-paced courses, although having never done any of them I can't really give a recommendation:

https://www.isc2.org/Training/Online-Self-Paced

If you want to use a 3rd party, as long as they're listed as official training providers you should be fine:

https://www.isc2.org/Training/Partners#accordion-654fa166cecf442b86de627cf392c6f3

Re: CAP Certification

scasc — Tue, 11 May 2021 18:05:52 GMT

Thanks for your help and posting the links. Will check these out.

How long did it take you to go through all self study reference list?

Re: CAP Certification

AlecTrevelyan — Tue, 11 May 2021 18:33:36 GMT

I spent over 100 hours studying for the ISSAP.

I made a couple of posts about my ISSAP studies in this thread which is well worth a read:

https://community.isc2.org/t5/Exam-Preparation/ISSAP-Passed-Study-Sharing/m-p/13660

My specific posts are:

https://community.isc2.org/t5/Exam-Preparation/ISSAP-Passed-Study-Sharing/m-p/21249/highlight/true#M1710

https://community.isc2.org/t5/Exam-Preparation/ISSAP-Passed-Study-Sharing/m-p/21249/highlight/true#M1713

You might find the last one interesting with reference to SABSA and TOGAF.

Re: CAP Certification

scasc — Tue, 11 May 2021 18:54:11 GMT

Thanks again for all your help. Will check everything out.

Re: CAP Certification

ddrake — Wed, 12 May 2021 14:59:18 GMT

Greetings,

Historically, the CAP has been US-centric. However, the recently revised blueprint goes into effect August 15, 2021, and it is focused on risk management as a whole, and no longer focused on the US federal audience.

The new blueprint can be found at:

https://www.isc2.org/-/media/ISC2/Certifications/Exam-Outlines/CAP-Exam-Outline.ashx

Please let us know if you have any further questions!

Sincerely,

Damon

Re: CAP Certification

scasc — Wed, 12 May 2021 15:38:55 GMT

Hi - thanks for letting me know. That is great news. Syllabus seems to have had a face lift to look at cyber risk holistically.

Re: CAP Certification

ToniHahn — Wed, 12 May 2021 18:31:58 GMT

@scasc - The CAP is relevant for anyone. The current outline has more about the RMF but the risk management practices can be applied to any organization. In fact, we have seen many non-DoD people take and pass the CAP and they let us know that it is helpful to manage risk following a framework for any organization. The recent JTA last fall modified the outline which takes effect August 15, 2021 (as Ddrake mentioned above) to include various risk frameworks (such as ISO, COBIT and more) and to make it a more international certification.

From our website:
"The CAP shows employers you have the advanced technical skills and knowledge to understand Governance, Risk and Compliance (GRC) and can authorize and maintain information systems utilizing various risk management frameworks, as well as best practices, policies and procedures established by the cybersecurity experts at (ISC)²."

Re: CAP Certification

scasc — Thu, 13 May 2021 08:00:52 GMT

Thanks - that's great to know. Does the CAP go deeply into the intricacies of these other frameworks or mention them as an alternative to manage risk whilst still mainly focusing on RMF?

Also, I have seen a module on security auditing/assessment of controls so wanted to find out if this is derived mainly from the workings of the framework or can it cover more technical risk items?

Re: CAP Certification

ToniHahn — Thu, 13 May 2021 12:05:25 GMT

I can't tell you what is on the exam. However, depending on when you are going to take the exam, download the right outline and it will give you what is covered on the exam.