ISC2 CAP Exam Summary

WELCOME TO K2CYBERTEK

ISC2 CAP Exam Summary:

Exam Name:           ISC2 Certified Authorization Professional (CAP)
Exam Code:           CAP
Exam Price:          $599 (USD)
Duration:            180 mins
Number of Questions: 125
Passing Score:       700/1000
Schedule Exam:       Pearson VUE
Practice Exam:       ISC2 CAP Certification Practice Exam


ISC2 CAP Exam Summary:

Topic / Details

Information Security Risk Management Program (15%)

Understand the Foundation of an Organization-Wide Information Security Risk Management Program
- Principles of information security
- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
- RMF and System Development Life Cycle (SDLC) integration
- Information System (IS) boundary requirements
- Approaches to security control allocation
- Roles and responsibilities in the authorization process

Understand Risk Management Program Processes
- Enterprise program management controls
- Privacy requirements
- Third-party hosted Information Systems (IS)

Understand Regulatory and Legal Requirements
- Federal information security requirements
- Relevant privacy legislation
- Other applicable security-related mandates

Categorization of Information Systems (IS) (13%)

Define the Information System (IS)
- Identify the boundary of the Information System (IS)
- Describe the architecture
- Describe Information System (IS) purpose and functionality

Determine Categorization of the Information System (IS)
- Identify the information types processed, stored, or transmitted by the Information System (IS)
- Determine the impact level on confidentiality, integrity, and availability for each information type
- Determine Information System (IS) categorization and document results

Selection of Security Controls (13%)

Identify and Document Baseline and Inherited Controls

Select and Tailor Security Controls
- Determine applicability of recommended baseline
- Determine appropriate use of overlays
- Document applicability of security controls

Develop Security Control Monitoring Strategy

Review and Approve Security Plan (SP)

Implementation of Security Controls (15%)

Implement Selected Security Controls
- Confirm that security controls are consistent with enterprise architecture
- Coordinate inherited controls implementation with common control providers
- Determine mandatory configuration settings and verify implementation (e.g., United States Government Configuration Baseline (USGCB), National Institute of Standards and Technology (NIST) checklists, Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) benchmarks)
- Determine compensating security controls

Document Security Control Implementation
- Capture planned inputs, expected behavior, and expected outputs of security controls
- Verify documented details are in line with the purpose, scope, and impact of the Information System (IS)
- Obtain implementation information from appropriate organization entities (e.g., physical security, personnel security)

Assessment of Security Controls (14%)

Prepare for Security Control Assessment (SCA)
- Determine Security Control Assessor (SCA) requirements
- Establish objectives and scope
- Determine methods and level of effort
- Determine necessary resources and logistics
- Collect and review artifacts (e.g., previous assessments, system documentation, policies)
- Finalize Security Control Assessment (SCA) plan

Conduct Security Control Assessment (SCA)
- Assess security controls using standard assessment methods
- Collect and inventory assessment evidence

Prepare Initial Security Assessment Report (SAR)
- Analyze assessment results and identify weaknesses
- Propose remediation actions

Review Interim Security Assessment Report (SAR) and Perform Initial Remediation Actions
- Determine initial risk responses
- Apply initial remediations
- Reassess and validate the remediated controls

Develop Final Security Assessment Report (SAR) and Optional Addendum

Authorization of Information Systems (IS) (14%)

Develop Plan of Action and Milestones (POAM)
- Analyze identified weaknesses or deficiencies
- Prioritize responses based on risk level
- Formulate remediation plans
- Identify resources required to remediate deficiencies
- Develop schedule for remediation activities

Assemble Security Authorization Package
- Compile required security documentation for Authorizing Official (AO)

Determine Information System (IS) Risk
- Evaluate Information System (IS) risk
- Determine risk response options (i.e., accept, avoid, transfer, mitigate, share)

Make Security Authorization Decision
- Determine terms of authorization

Continuous Monitoring (16%)

Determine Security Impact of Changes to Information Systems (IS) and Environment
- Understand configuration management processes
- Analyze risk due to proposed changes
- Validate that changes have been correctly implemented

Perform Ongoing Security Control Assessments (SCA)
- Determine specific monitoring tasks and frequency based on the agency's strategy
- Perform security control assessments based on monitoring strategy
- Evaluate security status of common and hybrid controls and interconnections

Conduct Ongoing Remediation Actions (e.g., resulting from incidents, vulnerability scans, audits, vendor updates)
- Assess risk(s)
- Formulate remediation plan(s)
- Conduct remediation tasks

Update Documentation
- Determine which documents require updates based on results of the continuous monitoring process

Perform Periodic Security Status Reporting
- Determine reporting requirements

Perform Ongoing Information System (IS) Risk Acceptance
- Determine ongoing Information System (IS)

Decommission Information System (IS)
- Determine Information System (IS) decommissioning requirements
- Communicate decommissioning of Information System (IS)
