I am new to this board, so please bear with me :). I am interested in pursuing the CAP certificate as I do a lot of work in cyber risk, security auditing of controls, etc. However, the question I have is whether the CAP is only suitable for people working in US Government/DOD.
I am from the UK myself and wanted to pursue it to learn and grow, but if it is more catered towards the US market then I can reconsider.
Thanks in advance
Hi and welcome!
Correct, the CAP really only has any relevance inside the US federal space, which is probably why there are relatively few people who hold it from outside the US:
The CAP is tied to a process called Assessment & Authorization which is part of the Risk Management Framework (RMF) mandated for use within US federal organisations, but used almost nowhere else - not even within the US commercial space.
If you've ever been to a security industry event in the UK where ISC2 had a booth, you would see ISC2 EMEA don't even mention the CAP at all in any of the literature they hand out there. (They also don't mention the CISSP-ISSEP which also has links to the RMF, but the CISSP-ISSEP does at least cover other valuable areas including systems security engineering fundamentals, and technical project management.)
That's not to say there's no value in studying for the CAP if you're not looking to work in the US federal space. You'll learn a lot about the RMF which will obviously teach you a lot about risk management.
If you want to study for a certification to help you learn and grow as a security professional, seeing as you already have CISSP and CCSP, then I would highly recommend one of the CISSP Concentrations.
Good luck with whatever you choose!
Many thanks for the response and for letting me know. I pretty much thought so; I just had an inkling that, as the syllabus is being updated in August, this might change too.
Thanks for pointing me in the direction of the concentrations. My next question was going to be finding a bootcamp class for the ISSAP. Any recommendations on providers will be greatly appreciated.
I have heard that one has to read all the reference material/recommended sources but I am looking to get a head start by attending a training course for this.
I am doing a lot more in the architecture space and am going for SABSA training this year too (I already have TOGAF). I mainly do training with SANS and did the GDSA, which was a mind-blowing course. It will be great to get the ISSAP to solidify my credentials in this space.
I self-studied for the ISSAP using the suggested reference list:
ISC2 have their own online self-paced courses, although having never done any of them I can't really give a recommendation:
If you want to use a 3rd party, as long as they're listed as official training providers you should be fine:
I spent over 100 hours studying for the ISSAP.
I made a couple of posts about my ISSAP studies in this thread which is well worth a read:
My specific posts are:
You might find the last one interesting with reference to SABSA and TOGAF.
Historically, the CAP has been US-centric. However, the recently revised blueprint goes into effect August 15, 2021, and it is focused on risk management as a whole, and no longer focused on the US federal audience.
The new blueprint can be found at:
Please let us know if you have any further questions!
Hi - thanks for letting me know. That is great news. The syllabus seems to have had a facelift to look at cyber risk holistically.
@scasc - The CAP is relevant for anyone. The current outline has more about the RMF but the risk management practices can be applied to any organization. In fact, we have seen many non-DoD people take and pass the CAP and they let us know that it is helpful to manage risk following a framework for any organization. The recent JTA last fall modified the outline which takes effect August 15, 2021 (as Ddrake mentioned above) to include various risk frameworks (such as ISO, COBIT and more) and to make it a more international certification.
From our website:
"The CAP shows employers you have the advanced technical skills and knowledge to understand Governance, Risk and Compliance (GRC) and can authorize and maintain information systems utilizing various risk management frameworks, as well as best practices, policies and procedures established by the cybersecurity experts at (ISC)²."