How to get a certification: CAP Exam part 1

by Bruce Brown | 9 Comments

[Image: me with my CAP pass notification]

I had studied all night after freaking out about the test. I was sick and had to drive to another city to take that damn test. I was exhausted and tired... lame excuse for being ugly, lol. It's all good... I still get laid... but enough about ME. Let's talk about the test 😀

How to get a certification

– ISC2 Certified Authorization Professional (ISC2 CAP)
– A risk management certification
– Passing score: 700 out of 1000 points (125 questions on the test; 25 of them are unscored pretest items that do not count toward the result)
– Application fee: $419
– Verify 2 years of experience in this field
– Endorsement form
– Answer questions about criminal history and background
– Other info: it's a CBT (computer-based test), 3 hours to test, based on the NIST SP 800 series

How Hard is the CAP Exam

I just took the ISC2 Certified Authorization Professional test (CAP Exam). I want to give others who are about to take this test some idea of what they are up against, because I noticed there are not a lot of security professionals talking about it. I keep hearing that there are only about 1,000 CAP-certified people on Earth (circa 2011)*. I don't think that is because of the difficulty level (lol... I would not call it an EASY test, but it's no CISSP or CCIE; by the way, the CCIE had only about 25,000 certified individuals as of about 2010 despite being around since 1993, and according to Cisco, "fewer than 3% of Cisco certified individuals attain CCIE certification"). I think there are so few CAP-certified people because it is not a well-known certification and it is in a specialized field. Perhaps the number of CAP-certified individuals will always be low.

My overall impression is that it is much harder than Security+ but much easier than the CISSP. If you have recent experience with the DoD Information Assurance Certification & Accreditation Process (DIACAP), you should have an easy time grasping the National Institute of Standards & Technology (NIST) Special Publication 800 series concepts, which is what you need to pass the CAP exam. I would say the same about all the C&A frameworks: NIACAP, NISPOM, DCID 6/3, DITSCAP, etc. If you know the certification & accreditation process well, you will pick up the Risk Management Framework fast. If you have been doing NIST C&A and/or the Risk Management Framework, the test should be a mere refresher course for you, and a couple of weeks of reviewing the NIST SP 800 publications and OMB circulars you already know might be enough for you to pass the CAP exam and get this certification. You should know, however, that quite a bit has changed since 2009 in the process of getting an authorization: NIST SP 800-37 Revision 1 (2010) replaced the certification & accreditation language with the six-step Risk Management Framework and the term "authorization", so do not rely on older C&A-era terminology.

The test is in the style of the CISSP in that you must choose what is MOST right in many cases; several answers may be partially correct. All questions are four-option multiple choice.

Study Material for the Certified Authorization Professional

One of my biggest issues with the CAP is that it has almost NO decent study material. There is "The CISSP and CAP Prep Guide" by Ronald L. Krutz and Russell Dean Vines; this is the ONLY book I have found, aside from one or two lame ebooks (as of 2011).

What I used to get a CAP Certification

The very first thing you should do is register on isc2.org and download the ISC2 CAP Candidate Information Bulletin (CIB). The CAP exam CIB breaks down all the objectives you need to be knowledgeable in, and it is the authoritative list of what can appear on the test.

Read and/or be very familiar with the following NIST and OMB documents:
– NIST SP 800-37 (applying the Risk Management Framework to federal information systems)
– NIST SP 800-53 (security controls for federal information systems)
– NIST SP 800-53A (assessing the security controls in 800-53)
– NIST SP 800-64 (security considerations in the System Development Life Cycle)
– NIST SP 800-30 (risk assessment)
– NIST SP 800-100 (information security handbook for managers)
– NIST SP 800-83 (malware incident prevention and handling)
– OMB Circular A-130
– Privacy Act of 1974
– FISMA (Federal Information Security Management Act of 2002)
**The full list of documents and regulations to be familiar with is in the CAP CIB.

Another great resource is practice tests. uCertify.com has GREAT content for the CAP, some of the best you will find for the Certified Authorization Professional.

Areas to Spend a LOT of time on:

I would definitely know and fully understand the Risk Management Framework (800-37). You need to know the tasks in each of the six steps of the RMF (Categorize, Select, Implement, Assess, Authorize, Monitor). The System Development Life Cycle is also HUGE on this test (800-64). Know how the Risk Management Framework lines up with the SDLC and with the risk assessment process (800-37, 800-64, 800-30). The risk assessment process, the RMF and the SDLC are all interconnected, and you should know how they work together: which tasks are done at each stage and step of each process, and which role performs each task. Roles and responsibilities should be fully understood and memorized. Although every one of the steps in the Risk Management Framework is covered pretty well, I feel like the following two areas were beaten to death: continuous monitoring and control assessment (the security control assessor role).

The test is computer-based and the question pool is randomized, so you might get a completely different mix of subject areas than I did. Your best bet is to study what is in the CAP CIB and use a bunch of practice tests.

What I DID NOT see on the Exam:

I was surprised not to see anything on NIACAP, DIACAP, FITSAP, DCID 6/3 or DITSCAP. I was fully expecting it and had prepared for it. Many of the practice tests go on and on about project/program management subject areas, but the only question I recall on that had to do with knowing the role of a program manager... that's about it.

Pro & CON on the ISC2 CAP Cert

CONS: I feel like the CAP is currently (2011) not in great demand. If you search any job database (Monster, Indeed, SimplyHired), you see that not many employers list it as a requirement. For example, a 2011 search for "isc2 CAP" anywhere in the US gives 49 results: http://jobsearch.monster.com/search/?q=isc2-cap
I also think that the certification is WAY overpriced. It's $419, which I think is even more than the ISC2 CISSP concentrations.
There is almost no study material for it.

PROS: It covers very important Risk Management Framework material. It's computer-based, so the results are instant. It's a good lead-up and practice for the ISSEP, which covers a lot of what is in the CAP. NIST will become increasingly important as DoD, NSA and other national security system agencies adopt the NIST publications.

*CAP Exam: CAP-certified people in the world (circa 2011):
– Canada: 6
– Germany: 1
– Korea, Republic of: 2
– Puerto Rico: 2
– United States: 997
Reference: https://www.isc2.org/member-counts.aspx#cap

**The Certified Authorization Professional Candidate Information Bulletin is on ISC2.org. You may have to be a member to get the document.

9 Comments on How to get a certification: CAP Exam part 1

  1. M. K. Zaidan
    April 6, 2012 at 9:15 am

    This is very helpful... thanks
  2. xlt futures trading
    October 15, 2012 at 7:28 am

    It is worth noting that one of the factors behind the 1992 reforms was the need to reach agreement with the EU's external trade partners at the Uruguay round of the General Agreement on Tariffs and Trade (GATT) talks with regards to agricultural subsidies.
  3. xlt futures trading
    October 15, 2012 at 9:02 pm

    The basic shape, including curved bill, is similar to some styles of 19th century sun bonnets.
  4. alicia
    October 20, 2012 at 3:30 pm

    Thanks for the info. I've been in IA for almost 12 years, and I'm just now getting myself together to be 8570 compliant. Thanks for your help.
  5. Jenifier
    April 8, 2013 at 1:51 am

    This is very useful content, thanks for sharing.
  6. pmp examination
    May 27, 2013 at 4:42 am

    Always good to see; this was really a brilliant post. In theory I would like to be such a good writer too. It takes time to create something that brilliant, and additionally real effort to make a brilliant article...
  7. pmp certification
    August 7, 2013 at 2:04 am

    ...I will always bookmark your blog and may come back later on. I want to encourage you to definitely continue your great job...
  8. Passed2016
    February 17, 2016 at 11:12 am

    Everything that is mentioned here is absolutely correct. NIST pubs and FIPS, the official CBK book, and FedVTE training (but if you don't have the book or access to FedVTE, concentrating on NIST SP 800-37 may be all you need) and you are well on your way. Just took the exam in 2016. All RMF related. Most practice exams had info on Project Management and DIACAP, none of which was mentioned, so don't let practice exams discourage you. Everything was RMF and SDLC steps, tasks, and roles. Oh, and by the way, download the Quizlet app for iOS and Android and search for everything ISC2 CAP related; this was great prep help! Hope this helps anyone in 2016.
