ISC2 CGRC domain #5: Assessment and audit of security and privacy controls

January 11, 2022, by Graeme Messina

The CGRC (formerly CAP) is an excellent certification for demonstrating your skills and knowledge if you want to work in information security, or if you want to move into a better security or compliance position within your current company.

Domain 5 of this certification covers the assessment and audit of security and privacy controls, which matter a great deal from a compliance perspective. The domain also concentrates on practical skills: preparing for an audit or assessment, conducting it, and developing the resulting reports, among other things. Reporting is easy to underrate in cybersecurity, yet the information you gather has to be laid out clearly and be easy to digest for anyone who needs to read the reports you generate.

Earn your CGRC, guaranteed!

Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

(ISC)² CAP explained in relation to domain 5

(ISC)² issues the Certified Authorization Professional (CAP) credential, since renamed CGRC, to information security professionals who successfully complete the CAP exam.

Successful candidates must demonstrate a comprehensive understanding of how to implement a specific policy or a procedure in a given scenario. This includes auditing and assessment of security and privacy controls.

The CAP certification material is categorized into seven different domains that each cover different aspects of the exam. Domain 5 goes into great detail about important auditing and reporting skills. 

One of the goals of this domain is to teach candidates the importance of information gathering and reporting while also allowing them to learn how to develop remediation plans and audit reports.

What's involved in auditing controls?

Generally speaking, controls are put in place to constrain what users and employees can do as they perform their daily duties in the organization, and auditing those controls verifies that the constraints exist, are documented and work as intended.

Controls are how the directives of executive management are carried out in practice, through the policies and procedures of the business.

The same applies to cybersecurity and the information systems that drive the organization forward. Access controls, privacy policies and security measures all need to be documented and reported on so that the risks associated with the data they protect are properly managed.

If data is available only to certain users, then proper authorization controls need to be in place to grant that access, and the access itself needs to be recorded. There must be a clear audit trail of data use so that audits can be carried out at set intervals to maintain data security.

How will auditing security controls help my career?

If you are looking to get into a security compliance role, or your role requires that you deal with reporting for your organization's security and data life cycle, then learning about auditing security controls will help you immensely.

The way your reports are structured, the data you collect and collate, and how it is all laid out are critical for the security control audits necessary for modern IT environments. You will learn how to collect audit evidence and how to apply remediations when lapses in security are found. This is critical when maintaining security and compliance in real-world scenarios. 

If critical risks are uncovered, then your findings are even more important to the safety and continuation of the business. The remediation proposals you offer are what the technical teams will base their solutions on, so the knowledge you gather is critical to business operations to maintain regulatory compliance in a specific market or industry.

What's covered in CAP Domain 5 of the exam?

The fifth domain of the CAP is a hands-on section. Items that you will learn include preparing for an audit, conducting it, generating reports and presenting your findings. You will also learn how to develop a remediation plan for the vulnerabilities and lapses in security and compliance that you come across.

The key points covered in Domain 5 of the CAP include:

  • Preparing for an assessment or audit. This includes how to determine the requirements for your audit, the scope and objectives, and how it will be carried out. This section will determine what resources and access you will need and how to finalize your assessment and audit plan.
  • Conducting an assessment or audit. Here you will learn about the collection of documentation and evidence and compliance validation.
  • Preparation of initial assessments and audit reports. You will learn about analyzing assessments, your audit results and identifying the vulnerabilities you uncover in the collected data. 
  • Reviewing the initial assessment and audit report. This teaches you to analyze and assess the risk response, remediation application and validation of remediated controls.
  • Development of final assessments and audit reports. This is one of the most crucial steps in the process as it is the readable output of your work and information gathering.
  • Remediation plan development. Here, you will learn to analyze residual vulnerabilities and discovered deficiencies and to prioritize responses according to the level of risk associated with each finding. You will also identify the resources needed and set the right time horizon for each issue to be addressed.
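The two steps in the list above that lend themselves to tooling are evidence validation during the audit and risk-based prioritization in the remediation plan. The script below is an added example, not code from the original article or from (ISC)²: it verifies collected evidence against an integrity manifest, turns controls whose evidence cannot be trusted into findings, and orders all findings into a dated plan. The control identifiers (AC-2, AU-6, CP-9) follow NIST SP 800-53 naming, and the evidence bytes, scores and the 30/90/180-day time horizons are constructed assumptions for illustration.

```python
"""Added example: validate audit evidence and build a risk-ranked remediation plan.
All evidence, hashes, scores and deadlines below are constructed for illustration."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Evidence as it exists now in the assessor's working folder (constructed bytes).
EVIDENCE = {
    "AC-2": {"account-review-2022Q1.csv": b"user,last_review\nalice,2022-01-05\nbob,2022-01-05\n"},
    "AU-6": {"siem-review-log.txt": b"2022-01-10 reviewed alerts: 43 triaged\n"},
    "CP-9": {},  # backup restore-test report was requested but never delivered
}

# Integrity manifest recorded when the artifacts were first collected.
# The AU-6 log was edited afterwards (42 -> 43), so its hash will no longer match.
MANIFEST = {
    "AC-2": {"account-review-2022Q1.csv": _sha256(b"user,last_review\nalice,2022-01-05\nbob,2022-01-05\n")},
    "AU-6": {"siem-review-log.txt": _sha256(b"2022-01-10 reviewed alerts: 42 triaged\n")},
    "CP-9": {"backup-restore-test.pdf": _sha256(b"%PDF-1.4 restore test 2021-12\n")},
}


def verify_evidence(evidence: dict, manifest: dict) -> dict:
    """Return {control: [issue, ...]} for controls whose evidence cannot be trusted:
    an expected artifact is missing, or its hash differs from the manifest."""
    issues: dict = {}
    for control, expected in manifest.items():
        collected = evidence.get(control, {})
        for name, digest in expected.items():
            if name not in collected:
                issues.setdefault(control, []).append(f"missing artifact {name}")
            elif _sha256(collected[name]) != digest:
                issues.setdefault(control, []).append(f"hash mismatch for {name}")
    return issues


@dataclass(frozen=True)
class Finding:
    control: str
    description: str
    likelihood: int  # 1 (low) .. 3 (high), assessor's judgement
    impact: int      # 1 (low) .. 3 (high), assessor's judgement

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        if self.risk >= 6:
            return "High"
        if self.risk >= 3:
            return "Moderate"
        return "Low"


# Assumed time horizons per risk level (an organizational policy choice, not from the page).
DUE_DAYS = {"High": 30, "Moderate": 90, "Low": 180}

# Constructed findings from the assessor's own testing of the controls.
ASSESSOR_FINDINGS = [
    Finding("AC-2", "two dormant accounts still enabled after quarterly review", likelihood=2, impact=3),
    Finding("CP-9", "no backup restore test performed in the last 12 months", likelihood=3, impact=3),
]


def build_findings(assessor_findings, evidence_issues: dict) -> list:
    """Merge assessor findings with controls whose evidence failed verification.
    A control that cannot be validated is itself a finding, unless the assessor
    has already written one up for that control."""
    findings = list(assessor_findings)
    covered = {f.control for f in findings}
    for control, problems in evidence_issues.items():
        if control not in covered:
            findings.append(Finding(control, "evidence not validated: " + "; ".join(problems),
                                    likelihood=2, impact=2))
    return findings


def remediation_plan(findings, start: date) -> list:
    """Order findings by risk (highest first, then control ID) and attach a due date."""
    ordered = sorted(findings, key=lambda f: (-f.risk, f.control))
    return [{"control": f.control, "level": f.level, "risk": f.risk,
             "due": start + timedelta(days=DUE_DAYS[f.level]),
             "description": f.description} for f in ordered]


if __name__ == "__main__":
    issues = verify_evidence(EVIDENCE, MANIFEST)
    for item in remediation_plan(build_findings(ASSESSOR_FINDINGS, issues), date(2022, 1, 11)):
        print(f"{item['control']:5} {item['level']:8} due {item['due']}  {item['description']}")
```

Note that a hash mismatch is reported as a finding against the control rather than silently re-collected: the assessor needs to know the evidence changed after collection, because that is exactly the kind of event the final report has to document.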


Getting started with assessment and audit of the security and privacy controls

Security and privacy issues are some of the most pressing considerations that companies have to contend with in the interconnected world of IT systems. 

Unauthorized access to digital and physical assets can have serious security implications, so learning what is necessary for secure environments is crucial. It is also an excellent way to get started on your information security journey or as a way to fortify and expand your knowledge as it currently stands.

The CAP certification will teach you all about the correct way to perform assessments and audits of security and privacy controls while maintaining standards that are in line with the policies and procedures of the organization that you work with. 

Overall, Domain 5 will teach you valuable skills about finding the correct information for the reports and audits you will conduct in the field, which will ultimately help with your career progression as an information security professional.

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.


Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.