To provide some background, I have been an IT program manager for the past fourteen years. Having been certified as an MCSE (NT 4.0 and Win2K) and CCNA earlier in my career, I let both certs lapse as they were no longer directly relevant for my career. I also picked up the PMP several years ago, which I continue to maintain.
During the past couple of years I have developed a strong affinity for Risk Management, especially with regards to the IT security program I manage. Having passed the CISSP in early 2017, I decided the CAP, with its focus on the NIST Risk Management Framework, would be a good next step.
Unlike the CISSP (or any other exam I have taken), there is very little in the way of published study guides and virtually no practice test banks that I found useful. I rented the "Official (ISC)2 Guide to the CAP CBK" 2nd edition and read it in its entirety, but honestly found the freely available NIST 800 series (800-39, 800-37, 800-30, 800-53 & 53A, etc.) as well as FIPS 199 & 200 to be the best source of information. In addition, I found a few very good lectures on the NIST RMF provided by NIST on YouTube.
As for the exam, it consists of 125 questions and you are permitted three hours to finish. A sage piece of advice that I was given for the CISSP, "you need to think your way through the test," is equally applicable to the CAP. All 125 questions were multiple choice with only one answer. That said, many were of the "best out of four poor choices" variety. Like the CISSP, this is very much a management-level exam, albeit with a much narrower focus. Unlike the CISSP, there were no false "technical" answers to tempt you.
The best advice I can give anybody looking to take on the CAP is to be very familiar with the NIST Risk Management Framework and how it maps to the System Development Lifecycle. Roles & Responsibilities as well as vocabulary are critically important as well. Always remember that "plans" happen before "reports" and it is "Reports" that contain information on your implementation. When given a choice between multiple more or less correct answers, choose the one that is the most "all encompassing". For example, if you are having trouble deciding between "Threat Sources" and "Vulnerabilities", choose "Risk Factors", as threat sources and vulnerabilities are both risk factors. When in doubt about who the responsibility belongs to, it is probably the "System Owner".
This post probably adds another 25% to the total amount of direct feedback I was able to find online about this exam, but I must say of all the exams I have taken, this one has the most direct applicability to my daily on-the-job responsibilities.
Should you decide to tackle the CAP, good luck. I hope this information is helpful!
Thanks for sharing the very useful information in your post. Regarding the YouTube videos you recommended, what exactly should I search for? There is so much information out there, so I was wondering if you could point me in the right direction with some suggestions of videos/topics to search for.
This is just some general advice on studying for ISC2 exams that works for me:
Look at the suggested reference list. All questions you will see on the exam can supposedly be referenced back to text found somewhere in that list.
Read items from the list that will help raise your existing knowledge. If they are not free to obtain like NIST documents are, then look at purchasing them used from Amazon, or find texts on the same subject that are freely available.
Do you need to read all of the references cover to cover? Maybe. It depends on your current level of knowledge on the subject covered by each reference. If you already know a subject well maybe skim reading might be appropriate or don't read references on that subject at all. If the reference covers a subject you don't know then, yes, read it all.
Once you've read a couple of NIST documents you'll realise they are often verbose and very repetitive, so read sections where you're learning new things and skim read/skip over things you already know or that have already been covered earlier in the document.
The CAP suggested references can be found here:
Good luck with your studies!
Thank you very much for responding to my questions. I will pay particular attention to the references. I found a few paid websites that have practice questions with a money-back guarantee should a student fail the exam. Would you recommend a service like that? I posted a link to one of them, but I believe it was flagged down.
Thanks again, I appreciate your help!
I use practice tests to help me gauge where my weak areas are so I can focus my studies on those areas. They can also help you to understand the types of questions you might be asked, and the level of detail you might need to know. I then keep those things in mind when I'm studying to make sure I'm covering the correct topics to the right level of detail.
However, don't expect to be able to brain dump your way through an ISC2 test!
Thank you for your response and kindness. Are there any practice tests you can recommend? I have seen a couple of practice tests online, but people claim most of the questions have nothing to do with the CAP exam.
I don't have any personal experience of CAP practice tests, so can't make any recommendations.
I note CCCure (a site run by a respected member of this forum) is developing one, although the pool of questions appears to be quite small at the moment (32).
I sat for the CAP yesterday, 10 April 2019...Passed!
Why did I decide on CAP? I have been involved for the last 5 years on a DoD effort wherein my company provides a contractor-owned and -operated IS to support the mission of a DoD agency. The CAP satisfies the DoD 8140.01 and 8570.01-M requirements up to IAM Level II. This is a contract we have held for 12 years; however, with our re-compete in 2014 the Risk Management Framework for DoD IT became a contract requirement. If you work in the DoD space, then you know that DoD RMF was not fully adopted until February 2014 as defined in DoD 8500.01 and DoD 8510.01. So, my company was one of the first defense industry small business contractors who had to contend with this new requirement. No small feat considering our DoD agency was learning the ropes at the same time. Prior to RMF, DoD followed DIACAP, which is significantly less granular than RMF for DoD IT.
To make matters more daunting, we elected to rebuild our existing platform from the ground up to bake the RMF controls in rather than bolt them on...and host in AWS GovCloud. So, we also had to address the requirements of the DoD Cloud SRG at Impact Level 4. My point? Most of what I learned about RMF, beyond a 5-day in-depth RMF for DoD IT course I took early on from BAI, Inc. (aka www.rmf.org), has been all hands-on, from system requirements scoping....to PIA, RA, ISCP, COOP, et al...and DISA STIGs.
My advice to anyone sitting for the CAP: 1) take an in-depth RMF course from a company like BAI (rmf.org), as contrary to popular belief and what I've seen in some of this thread, there are excellent trainers out there with real-world RMF experience and you do not need to spend $2600; 2) buy the CAP BOK; while the current version 2 is dated (does not address cloud, nor does it address RMF for DoD IT, and still relies on NIST 800-37 r1), it does an overall good job; 3) definitely use the ISC(2) CAP flashcards...specifically in test mode; 4) if you are a government employee, veteran, or government contractor you can gain free access to 17 hours of CAP exam prep coursework via https://fedvte.usalearning.gov/ as long as you have a government email address (.gov or .mil). The courses are taught by Carnegie Mellon University; 5) read the applicable NIST special pubs (800-37, 800-53/53A, 800-60, et al); and 6) get to know a professional that lives RMF daily and engage with them.
Lastly, I am willing to be a resource to anyone interested in doing more than just passing an exam. Frankly, the exam is great to have, but it is just that...an exam. If you are going to use this newfound knowledge you need to be committed to learning as much as you can, especially if you work in the DoD space, as they have fully embraced RMF.
Hope this helps!
Congratulations on passing the exam! Thanks for the in-depth information you provided.
How do you obtain the ISC(2) CAP flash cards? I placed an order on their website and provided my address but never received anything. I did this twice in the past 6 weeks or so.
Thanks for offering to be a resource!