ISC2 CGRC domain #1: Information security risk management program

March 17, 2022 by Dan Virgillito

Those who authorize and maintain information systems while also managing risk have the option of getting certified to help advance their career. One of the leading certifications for these authorization security professionals is Certified Authorization Professional (CAP), now renamed Certified in Governance, Risk and Compliance (CGRC). Administered by ISC2, this credential requires candidates to pass an exam covering seven knowledge domains.

What is information security risk management?

Information security risk management is the process of identifying, evaluating and addressing the uncertainties and threats around an organization’s information assets. Risk is inherent in almost every aspect of information security, so a structured risk management process is what makes the authorization and ongoing management of systems effective in practice.

The major components of information security risk management crucial for CAP are

  • Threat modeling: identify the human and non-human threat sources that could act against IT systems, and the vulnerabilities they could exploit.
  • Asset: the process, information or technology that could be affected by the risk.
  • Risk assessment: determine the likelihood that a threat source will exploit an identified vulnerability. 
  • Outcome: determine the impact on the asset and the organization if the vulnerability is exploited. 
  • Response and mitigation: select and implement controls that reduce the likelihood or impact of the threat, and restore system capabilities when a threat materializes.
  • Policy and guidelines: adopt an incident response policy consistent with organizational and governmental privacy and security standards.
  • Monitoring compliance: track and document remediation efforts so that internal and external auditors can verify that risks are being treated as planned. 

In general terms, these components are often referred to as phases of the risk management lifecycle, which can be categorized as risk identification, risk evaluation, risk treatment and risk acceptance, with continuous monitoring feeding back into identification. Standards like ISO/IEC 27001 (with ISO/IEC 27005 covering risk management) follow a similar structure for information security management, making them a good foundation for organizations reliant on IT services.
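To make the lifecycle concrete, the following is an added example (not part of the original article or any ISC2 material) of a minimal risk register in Python that walks one entry through identification, evaluation, treatment and acceptance. The 5-point likelihood and impact scales, the acceptance threshold of 6, the scale-step reductions credited to each control and every register entry are assumptions constructed for illustration; a real program would take them from its own assessment methodology and risk appetite statement.

```python
from dataclasses import dataclass, field

# Assumed 5-point qualitative scales; a real program takes these from its
# documented risk assessment methodology rather than hard-coding them.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPT_THRESHOLD = 6  # assumed risk appetite: residual score <= 6 may be accepted


@dataclass
class Control:
    """A mitigating control and the assumed number of scale steps it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register entry (identification phase): asset, threat, vulnerability, ratings."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        # Evaluation phase: likelihood x impact before any control is credited.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Treatment phase: credit the selected controls, never dropping a factor below 1.
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)

    def decision(self) -> str:
        # Acceptance phase: only residual risk inside the appetite may be accepted.
        # Anything else needs further treatment; severe-impact items are escalated so
        # management can choose between mitigate, transfer and avoid.
        residual = self.residual_score()
        if residual <= ACCEPT_THRESHOLD:
            return "accept"
        if IMPACT[self.impact] == IMPACT["severe"]:
            return "escalate"
        return "treat"


def prioritize(register):
    """Order the register by residual score so treatment effort goes to the top."""
    return sorted(register, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def summarize(register):
    """Rows of (asset, threat, inherent, residual, decision), highest residual first."""
    return [(r.asset, r.threat, r.inherent_score(), r.residual_score(), r.decision())
            for r in prioritize(register)]


# Constructed sample register: illustrative entries, not real findings.
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection via web app", "unvalidated input",
         "likely", "severe",
         [Control("parameterized queries", likelihood_reduction=2),
          Control("web application firewall", likelihood_reduction=1)]),
    Risk("laptop fleet", "device theft", "unencrypted local disks",
         "possible", "major",
         [Control("full-disk encryption", impact_reduction=3)]),
    Risk("payroll system", "insider privilege misuse", "shared admin account",
         "possible", "major"),
    Risk("build pipeline", "malicious dependency update", "unpinned dependencies",
         "possible", "severe",
         [Control("dependency pinning and SBOM review", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_REGISTER):
        print("%-18s %-28s inherent=%2d residual=%2d -> %s" % row)
```

Running the script prints the register ranked by residual score: the two entries with no or weak controls (the shared payroll admin account and the build pipeline) come out on top for treatment, while the SQL injection risk, although the highest inherent risk on the list, drops inside the appetite once its controls are credited. The point of keeping inherent and residual scores side by side is that acceptance decisions, and the evidence auditors ask for, are always about the residual figure and the controls that justify it.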

It’s also worth noting that information security risk management is often assumed to be about keeping external threats out, but threats exist inside the organization too. Insider risk therefore belongs in the same program, and organizations should combine physical protection, access control and monitoring of privileged activity to manage it.

How will risk management help my career?

The capabilities and performance of an IT professional dealing with information systems can be judged by their understanding of risk. Without properly identifying and evaluating risks, you will struggle to select and implement the controls that actually safeguard your organization’s systems. Learning risk management helps you design remediation strategies that distinguish your skills and knowledge from the rest of the IT pack.

When critical risks have to be managed, your knowledge becomes even more important to the continuity and safety of the organization. You’ll learn industry-defined methodologies and develop proposals that follow those approaches, while making sure they align with your business goals and processes. Being proficient in domain 1 of CAP demonstrates that you understand the steps required to manage and work with critical IT systems.

Risk management skills also demonstrate your preparedness for what’s to come. Effective risk management is flexible and evolves as new threats emerge and old risks become obsolete. Adjusting your risk management program to such changes shows you can keep security controls relevant and effective against new developments in cybercrime. This is often rewarded in IT teams where career advancement is tied to risk management and uninterrupted business. 

What’s covered in CAP domain 1 of the exam?

The first domain of the CAP covers the basics of information security risk management programs and their authorization processes. Candidates are also tested on their familiarity with governmental and international regulatory security and privacy requirements, such as the European GDPR and the U.S. HIPAA.

The key points covered in domain 1 of the CAP include: 

  • Keep the basic principles (tenets) of information security in mind as you store critical data on your company’s information systems. These principles span three key areas: confidentiality, integrity and availability.
  • Follow a risk management framework (e.g., the NIST Risk Management Framework described in NIST SP 800-37) to ensure asset protection, reputation management and a reduced risk of losing competitive advantage. 
  • Define the information system authorization boundary in line with guidance such as NIST SP 800-37, so it is clear which components, interconnections and data the authorization decision covers.
  • Embed security into all stages of the system development life cycle (SDLC). This includes performing risk assessments, threat modeling, vulnerability detection and quality assurance. 
  • Understand the roles and responsibilities in the authorization and approval process (for example, the authorizing official, system owner and security control assessor). This is important for demonstrating the ability to manage sensitive IT systems such as network environments. 
  • Choose program management controls in a manner consistent with an organization’s information security and privacy architecture. 
  • Identify third-party-hosted information systems. This will form the basis of your risk management controls for external suppliers: the earlier you know which systems and data sit with a third party, the more protections and contingencies you can put in place against privilege misuse and data theft.
  • Familiarize yourself with organizational, governmental and global privacy and security standards, such as the Federal Information Security Modernization Act (FISMA), ISO/IEC 27001 and the Federal Risk and Authorization Management Program (FedRAMP).

IT professionals interested in becoming CAP-certified must have a minimum of two years of accumulated work experience in at least one of the seven domains of the CAP common body of knowledge. The subjects within CAP domain 1 lay the foundation for the rest of the CAP domains. 

Earn your CGRC, guaranteed!


Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

Getting started with the information security risk management program

Security and privacy risks are some of the most pressing concerns surrounding today’s information systems. From viruses and worms to third-party data theft to insider abuse, adversaries have a variety of ways to infiltrate a company’s IT systems. 

Unauthorized access to company data can have serious consequences, so learning what’s necessary to manage information security risk is of utmost importance. The CAP certification will teach you the methods and processes you can use to secure an organization’s information assets. Overall, domain 1 gives you a strong foundation for managing sensitive IT systems, which will help you progress in your cybersecurity career.

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.


Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cybersecurity, social media and tech news.