Thanks for sharing the very useful information in your post. Regarding the YouTube videos you recommended, what exactly should I search for? There is so much information out there, so I was wondering if you could point me in the right direction with some suggestions of videos/topics to search for.
This is just some general advice on studying for ISC2 exams that works for me:
Look at the suggested reference list. All questions you will see on the exam can supposedly be referenced back to text found somewhere in that list.
Read items from the list that will help raise your existing knowledge. If they are not free to obtain like NIST documents are, then look at purchasing them used from Amazon, or find texts on the same subject that are freely available.
Do you need to read all of the references cover to cover? Maybe. It depends on your current level of knowledge of the subject covered by each reference. If you already know a subject well, skim reading might be appropriate, or you might not read references on that subject at all. If the reference covers a subject you don't know, then yes, read it all.
Once you've read a couple of NIST documents you'll realise they are often verbose and very repetitive, so read sections where you're learning new things and skim read/skip over things you already know or have already been covered earlier in the document.
The CAP suggested references can be found here:
Good luck with your studies!
Thank you very much for responding to my questions. I will pay particular attention to the references. I found a few paid websites that have practice questions with a money-back guarantee should a student fail the exam. Would you recommend a service like that? I posted a link to one of them, but I believe it was flagged down.
Thanks again, I appreciate your help!
I use practice tests to help me gauge where my weak areas are so I can focus my studies on those areas. They can also help you to understand the types of questions you might be asked, and the level of detail you might need to know. I then keep those things in mind when I'm studying to make sure I'm covering the correct topics to the right level of detail.
However, don't expect to be able to brain dump your way through an ISC2 test!
Thank you for your response and kindness. Are there any practice tests you can recommend? I have seen a couple of practice tests online, but people claim most of the questions have nothing to do with the CAP exam.
I don't have any personal experience of CAP practice tests, so can't make any recommendations.
I note CCCure (a site run by a respected member of this forum) is developing one, although the pool of questions appears to be quite small at the moment (32).
I sat for the CAP yesterday, 10 April 2019...Passed!
Why did I decide on CAP? I have been involved for the last 5 years in a DoD effort wherein my company provides a contractor-owned and -operated IS to support the mission of a DoD agency. The CAP satisfies the DoD 8140.01 and 8570.01-M requirements up to IAM Level II. This is a contract we have held for 12 years; however, with our re-compete in 2014 the Risk Management Framework for DoD IT became a contract requirement. If you work in the DoD space, then you know that DoD RMF was not fully adopted until February 2014 as defined in DoD 8500.01 and DoD 8510.01. So, my company was one of the first defense industry small business contractors who had to contend with this new requirement. No small feat considering our DoD agency was learning the ropes at the same time. Prior to RMF, DoD followed DIACAP, which is significantly less granular than RMF for DoD IT.
To make matters more daunting, we elected to rebuild our existing platform from the ground up to bake the RMF controls in rather than bolt them on...and host in AWS GovCloud. So, we had to also address the requirements of the DoD Cloud SRG at Impact Level 4. My point? Most of what I learned about RMF, beyond a 5 day in-depth RMF for DoD IT course I took early on from BAI, Inc (aka www.rmf.org), has been all hands-on, from system requirements scoping...to PIA, RA, ISCP, COOP, et al...and DISA STIGs.
My advice to anyone sitting for the CAP:
1) Take an in-depth RMF course from a company like BAI (rmf.org). Contrary to popular belief and what I've seen in some of this thread, there are excellent trainers out there with real-world RMF experience, and you do not need to spend $2600.
2) Buy the CAP BOK. While the current version 2 is dated (it does not address cloud, nor does it address RMF for DoD IT, and it still relies on NIST 800-37 r1), it does an overall good job.
3) Definitely use the ISC(2) CAP flashcards, specifically in test mode.
4) If you are a government employee, veteran, or government contractor, you can gain free access to 17 hours of CAP exam prep coursework via https://fedvte.usalearning.gov/ as long as you have a government email address (.gov or .mil). The courses are taught by Carnegie Mellon University.
5) Read the applicable NIST special pubs (800-37, 800-53/53A, 800-60, et al).
6) Get to know a professional who lives RMF daily and engage with them.
Lastly, I am willing to be a resource to anyone interested in doing more than just passing an exam. Frankly, the exam is great to have, but it is just that...an exam. If you are going to use this newfound knowledge, you need to be committed to learning as much as you can, especially if you work in the DoD space, as they have fully embraced RMF.
Hope this helps!
Congratulations on passing the exam! Thanks for the in-depth information you provided.
How do you obtain the ISC(2) CAP flash cards? I placed an order on their website and provided my address but never received anything. I did this twice in the past 6 weeks or so.
Thanks for offering to be a resource!