ISC2 CGRC: Overview & career path

March 16, 2022 by Dan Virgillito

If you’re looking to work in Governance, Risk and Compliance (GRC) and demonstrate expertise in the Risk Management Framework (RMF), the Certified Authorization Professional (CAP) certification may be for you. 

CAP is a highly sought-after cybersecurity certification offered by the International Information System Security Certification Consortium ISC2. For those unfamiliar, ISC2 is a global non-profit that offers vendor-neutral security certifications that demonstrate an individual’s expertise in different aspects of information security. CAP also helps in showing compliance with the ISO 17024 standard.

What is ISC2 CAP certification?

The ISC2 CAP is an advanced-level certification meant to validate the knowledge and skills required for an IT professional to authorize and maintain information systems. Specifically, this credential applies to those responsible for organizing processes within the RMF using procedures and best practices established by the cybersecurity experts at ISC2.

There are seven CAP job practice areas on which candidates are examined:

  1. Information Security Risk Management Program (16%)
  2. Scope of the Information System (11%)
  3. Selection and Approval of Security and Privacy Controls (15%)
  4. Implementation of Security and Privacy Controls (16%)
  5. Assessment/Audit of Security and Privacy Controls (16%)
  6. Authorization/Approval of Information System (10%)
  7. Continuous Monitoring (16%)

These job practice areas serve as the basis for the requirements and exams to earn the certification.

Who is the CAP certification for?

CAP is ideal primarily for IT, information assurance and information security practitioners who work in GRC positions and need to understand, apply and implement risk management programs for IT systems within a corporation. It shows you have what it takes to help align an organization’s business objectives with its information technology while fulfilling regulatory compliance and risk management requirements.

Additionally, U.S. government professionals who’ve been tasked with managing information system security for the DoD will also benefit from earning CAP, as it meets the requirements of DoD Directive 8570.1 for those working in Information Assurance Management (IAM) Level I and Level II roles.

What are the CAP requirements?

To take the CAP certification exam, you must have at least two years of cumulative paid work experience in one or more of the seven domains of knowledge that the CAP Common Body of Knowledge (CBK) sets out. Internships and part-time work may also count towards your experience.

Valid experience includes work that requires security risk management knowledge and involves applying that knowledge in practice, or information systems security work done in pursuit of information system authorization.

If you don’t have the required experience to become a CAP, successfully passing the CAP examination will make you an Associate of ISC2. ISC2 associates get three years to earn the required two years of experience.

Is CAP worth it?

If you’re trying to climb the IT security career ladder and want a way to stand out, CAP is for you. Being the only ISC2 credential that specifically tests IT professionals tasked with RMF compliance, it’s worth the money, time and effort for those who need a boost in their career so they can be more competitive and marketable.

Another advantage of CAP? It’s vendor-neutral, meaning the skills you acquire can be applied to different methodologies and technologies. 

Moreover, the certification grants you access to a global network of more than 160,000 like-minded cybersecurity professionals. You can hold discussions on how to be better prepared to stem security breaches and inspire a safe cyber world.  

What are possible CAP career paths?

The CAP certification targets a certain skillset, namely IT/IS risk management. However, the job roles it can help you secure vary. This can be attributed to the growing importance of risk management in the eyes of companies trying to stay ahead of the proverbial cybersecurity curve. Below is a list of potential career paths that CAP holders can pursue:

  • IT risk manager
  • Chief information security officer
  • Information security risk manager
  • Information systems auditor
  • Information systems manager
  • Information security manager
  • Information assurance manager
  • Information assurance engineer
  • Authorization specialist
  • Security consultant
  • IT security manager
  • Cyber security analyst
  • Cyber security engineer

When applying for any of these roles, map your work experiences to the CAP certification in your interview. Doing so will reinforce to the prospective employer that the credential is a realistic verification of your knowledge and skills. 

What are the CAP benefits to employers?

The CAP helps employers in a multitude of ways. For one, it increases the credibility of their organization when working with contractors and vendors. Having CAP-certified professionals on their cybersecurity team shows their commitment to governance, risk management and compliance with government and industry regulations.

Other ways CAP helps employers: 

  • Levels the playing field for candidates as ISC2 certifications are recognized globally.
  • Ensures personnel use a universal language, avoiding ambiguity with industry-accepted jargon and practices.
  • Increases confidence that prospective and current employees keep their skills current and continue their education through Continuing Professional Education (CPE).
  • Satisfies DoD certification requirements for subcontractors or service providers.

How do I get CAP certified?

You’ll need to pass the CAP certification exam to become CAP certified. This is a three-hour exam with 125 questions given in English. You’ll need to score at least 700 out of 1,000 to pass the exam. Visit a Pearson VUE testing center near you to apply for the CAP certification exam.

The cost to take the CAP exam varies depending on what region of the globe you reside in. For people in the U.S. (and elsewhere in the Americas), it costs $599.

Passing the CAP certification exam comes down to your dedication and willingness to succeed. Although there is no single best way to prepare for the CAP exam, there are a few options you should consider:

  • Enroll in an official ISC2 training seminar
  • Enroll in CAP exam boot camps or third-party training
  • Self-study using materials such as books

Why the CAP certification is important

The CAP certification equips security practitioners with the skills needed to advance in the ever-competitive information security field. Those awarded the credential can showcase an ability to use a broad range of frameworks to authorize and maintain information systems and manage risk. Due to this, globally recognized organizations and government agencies are much more likely to hire individuals with this highly desirable certification.

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.

Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.