Introduction to ISC2 Certified Authorization Professional (CAP) Exam

Katy Morgan

The ISC2 CAP Exam is challenging, and thorough preparation is essential for success. This exam study guide is designed to help you prepare for the CAP certification exam. It contains a detailed list of the topics covered on the Professional exam, as well as a detailed list of preparation resources. These study guides for the ISC2 Authorization Professional will help guide you through the study process for your certification.


CAP ISC2 Authorization Professional Exam Summary


Exam Name: ISC2 Authorization Professional

Exam Code: CAP

Exam Price: $550 (USD)

Duration: 180 mins

Number of Questions: 125

Passing Score: 700/1000

Schedule Exam: Pearson VUE

Sample Questions: ISC2 CAP Sample Questions

Recommended Practice: ISC2 CAP Certification Practice Exam


Exam Syllabus: CAP ISC2 Certified Authorization Professional (CAP)


1. Information Security Risk Management Program (15%)

● Understand the Foundation of an Organization-Wide Information Security Risk Management Program

● Understand Risk Management Program Processes

● Understand Regulatory and Legal Requirements

2. Categorization of Information Systems (IS) (13%)

● Define the Information System (IS)

● Determine Categorization of the Information System (IS)


3. Selection of Security Controls (13%)

● Identify and Document Baseline and Inherited Controls

● Select and Tailor Security Controls

● Develop Security Control Monitoring Strategy

● Review and Approve Security Plan (SP)


4. Implementation of Security Controls (15%)

● Implement Selected Security Controls

● Document Security Control Implementation


5. Assessment of Security Controls (14%)

● Prepare for Security Control Assessment (SCA)

● Conduct Security Control Assessment (SCA)

● Prepare Initial Security Assessment Report (SAR)

● Review Interim Security Assessment Report (SAR) and Perform Initial Remediation Actions

● Develop Final Security Assessment Report (SAR) and Optional Addendum


6. Authorization of Information Systems (IS) (14%)

● Develop Plan of Action and Milestones (POAM)

● Assemble Security Authorization Package

● Determine Information System (IS) Risk

● Make Security Authorization Decision


7. Continuous Monitoring (16%)

● Determine Security Impact of Changes to Information Systems (IS) and Environment

● Perform Ongoing Security Control Assessments (SCA)

● Conduct Ongoing Remediation Actions (e.g., resulting from incidents, vulnerability scans, audits, vendor updates)

● Update Documentation

● Perform Periodic Security Status Reporting

● Perform Ongoing Information System (IS) Risk Acceptance

● Decommission Information System (IS)


ISC2 CAP Certification Sample Questions and Answers


To make you familiar with the ISC2 Authorization Professional (CAP) certification exam structure, we have prepared this sample question set. We suggest you try our Sample Questions for the CAP Certification to test your understanding of the ISC2 CAP process in a realistic ISC2 certification exam environment.


CAP ISC2 Authorization Professional Sample Questions:-


01. What key information is used by the authorizing official (AO) to assist with the risk determination of an information system (IS)?

a) Security authorization package (SAP)

b) Plan of action and milestones (POA&M)

c) Security plan (SP)

d) Interconnection security agreement (ISA)


02. According to the Risk Management Framework (RMF), which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy?

a) Information system security officer (ISSO)

b) Common control provider

c) Independent assessor

d) Senior information assurance officer (SIAO)


03. Who determines the required level of independence for security control assessors?

a) Information system owner (ISO)

b) Information system security manager (ISSM)

c) Authorizing official (AO)

d) Information system security officer (ISSO)


04. Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization?

a) Leveraged

b) Single

c) Joint

d) Site specific


05. When an authorizing official (AO) submits the security authorization decision, what responses should the information system owner (ISO) expect to receive?

a) Authorized to operate (ATO) or denial authorization to operate (DATO), the conditions for the authorization placed on the information system and owner, and the authorization termination date

b) Authorized to Operate (ATO) or Denial Authorization to Operate (DATO), the list of security controls accessed, and a system contingency plan

c) Authorized to operate (ATO) or denial authorization to operate (DATO), and the conditions for the authorization placed on the information system and owner

d) A plan of action and milestones (POA&M), the conditions for the authorization placed on the information system and owner, and the authorization termination date


06. When should the information system owner document the information system and authorization boundary description in the security plan?

a) After security controls are implemented

b) While assembling the authorization package

c) After security categorization

d) When reviewing the security control assessment plan


07. Documenting the description of the system in the system security plan is the primary responsibility of which Risk Management Framework (RMF) role?

a) Authorizing official (AO)

b) Information owner

c) Information system security officer (ISSO)

d) Information system owner


08. Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an input to which authorization package document?

a) Security assessment report (SAR)

b) System security plan (SSP)

c) Plan of actions and milestones (POA&M)

d) Authorization decision document


09. System authorization is now used to refer to which of the following terms?

a) System security declaration

b) Certification and accreditation

c) Security test and evaluation

d) Continuous monitoring


10. Why is security control volatility an important consideration in the development of a security control monitoring strategy?

a) It identifies needed security control monitoring exceptions.

b) It indicates a need for compensating controls.

c) It establishes priority for security control monitoring.

d) It provides justification for revisions to the configuration management and control plan


Answers:-


Answer 1:- a

Answer 2:- b

Answer 3:- c

Answer 4:- a

Answer 5:- a

Answer 6:- c

Answer 7:- d

Answer 8:- d

Answer 9:- b

Answer 10:- c
