To provide some background, I have been an IT program manager for the fast fourteen years. Having been certified as an MCSE (NT 4.0 and Win2K) and CCNA earlier in my career I let both certs lapse as they were no longer directly relevant for my career. I also picked up the PMP several years ago which I continue to maintain.
During the past couple of years I have developed a strong affinity for Risk Management especially with regards to the IT security program I manage. Having passed the CISSP in early 2017, I decided the the CAP with its focus on the NIST Risk Management Framework would be a good next step.
Unlike the CISSP (or any other exam I have taken) there is very little in the way of published study guides and virtually no practice tests banks that I found useful. I rented the "Official (ISC)2 Guide to the CAP CBK" 2nd edition and read it in its entirety, but honestly found the freely available NIST 800 series (800-39, 800-37, 800-30, 800-53 & 53A etc..) as well as the FIPS 199 & 200 to be the best source of information. In addition, I found a few very good lectures on the NIST RMF provided by NIST on YouTube.
As for the exam, it consists of 125 questions and you are permitted three hours to finish. A sage piece of advice that I was given for the CISSP, "you need to think your way through the test" is equally applicable to the CAP. All 125 questions for multiple choice with only one answer. That said many were of the "best our of four poor choices" variety. Like the CISSP this is very much a management level exam, albeit with a much narrower focus. Unlike the CISSP there were no false "technical" answers to tempt you.
The best advise I can give anybody looking to take on the CAP is be very familiar with the NIST Risk Management Framework and how it map to the System Development Lifecycle. Roles & Responsibilities as well as vocabulary are critically important as well. Always remember that "plans" happen before "reports" and it is "Reports" that contain information on your implementation. When given a choice between multiple more or less correct answers, choose the one that is the most "all encompassing". For example if you are having trouble deciding between "Threat Sources" and "Vulnerabilities", choose "Risk Factors" as threat sources and vulnerabilities are both risk factors. When in doubt about who the responsibility belongs to, it is probably the "System Owner"
This post probably adds another 25% to the total amount of direct feedback I was able to find online about this exam, but I must say of all the exams I have taken, this one has the most direct applicability to my daily on-the-job responsibilities.
Should you decide to tackle the CAP, Good Luck, hope this information is helpful!
I would say your post is spot on. I passed the CAP late last year and my experience was about the same with yours. I was able to take the ISC2 bootcamp. The mappings with the SDLC cannot be over-emphasized. That simple piece was what took me over the top, I believe.
Good job on passing the exam and good luck..
That is a great question and unfortunately I must confess that was unable to find any unable to find any practice tests that were of value. In fact many of the practice tests were soo bad, that I was afraid to continue using them for fear they would cloud my judgement on the actual exam.
The best I was able to find were of limited value because the subject matter had little to do with the CAP exam, lots of questions on the PMBOK (Project Management Body of Knowledge) and other topics which are not relevant to the CAP which in mu experience was purely on the NIST documents regarding the RMF and SDLC.
As uncomfortable as it is, this is a test that you need to think your way through. Making and reviewing my own flash cards from the NIST documentation was the biggest aid in my passing the exam.
First congratulations on passing the test. I am looking at doing a Risk certification and wondered why you chose the CAP over some of the other risk certs out there? I am CISSP and CCSP certified so I obviously believe in the ISC2 eco-system, but to be honest when you look at risk positions these days, CAP certification is not usually listed. Now I am not looking to change jobs but when ever I decide to under take a certification, I do consider how marketable the certification would be.
Thank for the kind words. The CAP is a highly targeted certification for those working with the NIST Risk Management Framework (RMF). The RMF is mandated for Federal information systems under the Federal Information Systems Management Act (FISMA). Unless you work with a Federal agency, or a contractor supporting the Federal government, the CAP may have limited appeal for you.
I have been looking into the CRISC from ISACA as well as the OpenFAIR certification. RiskLens has a discount available for training in the FAIR (Factor Analysis for Information Risk) including the exam fees. Although the CRSC is better known across the industry, the FAIR taxonomy is an excellent methodology for quantitative risk analysis.
I would be interested to know what other Risk certs you have been considering!
I was specifically looking at the CRISC which is why I posed the question after I saw your post about the CAP certification. Since I am not a federal employee and don't work under the NIST RMF I will probably do the CRISC, but will decide when I get a chance to actually concentrate on it.