StevenJ6052
Newcomer III

Passed the CAP Exam This Morning: My Thoughts

To provide some background, I have been an IT program manager for the past fourteen years. Having been certified as an MCSE (NT 4.0 and Win2K) and CCNA earlier in my career, I let both certs lapse as they were no longer directly relevant for my career. I also picked up the PMP several years ago, which I continue to maintain.


During the past couple of years I have developed a strong affinity for Risk Management, especially with regards to the IT security program I manage. Having passed the CISSP in early 2017, I decided the CAP, with its focus on the NIST Risk Management Framework, would be a good next step.


Unlike the CISSP (or any other exam I have taken) there is very little in the way of published study guides and virtually no practice test banks that I found useful. I rented the "Official (ISC)2 Guide to the CAP CBK" 2nd edition and read it in its entirety, but honestly found the freely available NIST 800 series (800-39, 800-37, 800-30, 800-53 & 53A, etc.) as well as FIPS 199 & 200 to be the best source of information. In addition, I found a few very good lectures on the NIST RMF provided by NIST on YouTube.


As for the exam, it consists of 125 questions and you are permitted three hours to finish. A sage piece of advice that I was given for the CISSP, "you need to think your way through the test," is equally applicable to the CAP. All 125 questions are multiple choice with only one answer. That said, many were of the "best out of four poor choices" variety. Like the CISSP, this is very much a management-level exam, albeit with a much narrower focus. Unlike the CISSP, there were no false "technical" answers to tempt you.


The best advice I can give anybody looking to take on the CAP is to be very familiar with the NIST Risk Management Framework and how it maps to the System Development Lifecycle. Roles & Responsibilities as well as vocabulary are critically important as well. Always remember that "plans" happen before "reports" and it is "Reports" that contain information on your implementation. When given a choice between multiple more or less correct answers, choose the one that is the most "all encompassing". For example, if you are having trouble deciding between "Threat Sources" and "Vulnerabilities", choose "Risk Factors", as threat sources and vulnerabilities are both risk factors. When in doubt about who the responsibility belongs to, it is probably the "System Owner".


This post probably adds another 25% to the total amount of direct feedback I was able to find online about this exam, but I must say of all the exams I have taken, this one has the most direct applicability to my daily on-the-job responsibilities. 


Should you decide to tackle the CAP, good luck; I hope this information is helpful!

78 Replies
doffejr
Viewer II

Extremely insightful and helpful! Congrats on passing, and thanks for sharing.

sophia_cart
Newcomer II

Very helpful! Congratulations on passing, and thanks for sharing.

Valentino76
Newcomer I

Hey, good day. As a beginner who wants to take the CAP exam with no familiarity, what additional information can you give? Thanks.
Stpn2me
Newcomer III

Make sure you mirror the SDLC with the 7 stages of the CAP. If you do that and you know which stage corresponds with the other, you will have no problem.

StevenJ6052
Newcomer III

Valentino76,


Thank you for the kind words.


As with all (ISC)2 certifications, there are strict experience requirements in addition to passing the test to become certified. As stated earlier in this thread, a thorough knowledge of the NIST documents detailing the RMF and SDLC is essential, especially knowing the various roles and responsibilities and the ability to map the phases of the SDLC to the RMF.


Your statement that you have "no familiarity" would make any (ISC)2 exam more challenging; this is especially so with the CAP due to the low availability of study aids other than the NIST documents. Try to focus on the "process" of system authorization and try to understand not just the roles and responsibilities, but the relationships as well.


Good luck, and please post your experience to share with others!

Valentino76
Newcomer I

Thank you sir.
billclancy
Contributor I


@bsilbiger wrote:

Steve,

    First, congratulations on passing the test. I am looking at doing a Risk certification and wondered why you chose the CAP over some of the other risk certs out there? I am CISSP and CCSP certified so I obviously believe in the ISC2 eco-system, but to be honest, when you look at risk positions these days, CAP certification is not usually listed. Now I am not looking to change jobs, but whenever I decide to undertake a certification, I do consider how marketable the certification would be.


Barry


Barry,

I chose the CRISC from ISACA over the CAP, as it seemed to have good acceptance in industry, and I like the way ISACA assists in exam preparation. ISACA has an online database of questions that is a great way to prep for the exam.


https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=XMXCR14-12M


Granted, I took the exam in 2014, and I'm sure it has changed a bit, but the database of questions is pretty slick. You rent it for 12 months. When you go in the first time, you put in a potential test date (I think I studied for 6 months) and take your first quiz. It grades you and estimates how much time you need to spend daily to successfully prep for the exam. Mine told me 45 min. Each morning I'd read various books and documents, and each evening I'd use the test database for 45 min. It grades you and tracks your progress by domain, so you can see how you're doing from a high level and a bit further in the weeds. Later on you can choose new questions or questions often gotten wrong to focus on soft spots.


If you're a member of ISACA it's only $185, a deal in my estimation.


A caution though... I dislike the ISACA books on their certifications. They are overly organized, if there is such a thing, and just don't talk to me.


I wish ISC2 had a similar product for their tests.

BrandonAnt
Viewer III

Hello, is DIACAP and DITSCAP included on the exam? Many practice exams include these old processes. Also, were there any questions that required you to choose multiple answers?


Congrats on passing

CraginS
Defender I


@BrandonAnt wrote:

Hello, is DIACAP and DITSCAP included on the exam? Many practice exams include these old processes. Also, were there any questions that required you to choose multiple answers?


Congrats on passing


If DITSCAP and DIACAP are on the exam, then the exam is woefully out of date. Both of those programs are defunct U.S. Department of Defense (DoD) processes for certification and accreditation (C&A) of DoD information systems. In fact, DIACAP replaced DITSCAP many years ago, and the Risk Management Framework (RMF) replaced DIACAP four years ago, doing away with C&A and moving to assessment and authorization (A&A).

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
BrandonAnt
Viewer III

Thank you for your answer, that's what I was thinking! Do you know if the CAP includes questions that require you to choose 2 or more answers?