ISC2 CGRC domain #2: Scope of the information system

Dan Virgillito
May 10, 2022 by
Dan Virgillito

If you consider a role in information security, the Certified Authorization Professional (CAP) certification is a great way to demonstrate your knowledge and skills. Issued by (ISC)², this certification requires professionals to take an exam comprising questions related to different aspects of information systems.

Domain 2 of this certification covers Scope of the Information System, including describing information system purpose, architecture, and functionality. You’ll also learn how to determine information system categorization and document results.

Earn your CGRC, guaranteed!

Earn your CGRC, guaranteed!

Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

What is scoping of information systems?

The scoping of the information system is performed to determine the types of information present within the security authorization boundary. It describes the information system, including the system boundary and interconnections.

The system's boundaries should be all under the same operational control, support the same mission, and be located in the same place. It’s also crucial to specify the scope of the boundary, which can be either too small or too large. Plus, authorization boundaries have additional considerations such as operational authority, business objectives, and programmatic.

When it comes to interconnecting systems, SP800-47 defines four phases a professional must go through. These include planning, establishing, maintaining and disconnecting systems. Additionally, interconnecting systems have interconnecting documents like memorandum of understanding/agreement (MOU/A) and interconnection security agreement (ISA) that need to be categorized.

Another aspect of scoping relates to categorizing information systems based on impact analysis. Categorization starts with identifying the information types in the system, which can be done using OMB’s business reference model and SP 800-60. It could be information based on privacy, medical, financial, proprietary, etc. You can also list information sources by having a unique identifier and information flows.

After successfully identifying information types, you can select the provisional impact level of each on confidentiality, integrity and availability. The potential impact levels may be specified as low (minor damage or effectiveness reduced), moderate (financial loss or harm to individuals) or high (loss of mission capability). Review the provisional impact level, then adjust them based on guidance from 800-60. The final step is to assign a system-level high-water mark based on the aggregate of all impact levels.

Once the impact levels have been assigned, you can move for the formal approval of system categorization. The process requires that the designated approving authority (DAA) or authorization officer (AO) sign the document. The document goes with the registration document. It defines minimum security baseline control requirements for systems in the next RMF phase.

Organizations can use the categorization result to choose initial security controls, determine the risk inherent in operating the system, and build the security plan.

How will scoping information systems help my career?

Strong categorization skills are key to maintaining information systems and data integrity in modern corporations. Professionals who show competence in this process can classify systems by identifying the stored or processed data assets. Proper categorization offers a structured way to determine the sensitivity and confidentiality of the data and evaluate whether an organization is complying with different information security standards.

Most companies store many different types of information with varying importance, depending on the policies, procedures, and compliance levels required for their sector. This makes it quite nuanced and complex when classifying and labeling information to implement appropriate security controls and retention policies. This makes the skills you will learn while certifying your CAP highly desirable for organizations processing massive volumes of data on an ongoing basis.

Having a CAP certification can also help you land a security role in the government sector. Domain 2 of CAP equips you with the knowledge and ability required to determine national security systems' categorization and impact level. As such, CAP broadens your horizons in more ways than you might realize.

Earn your CGRC, guaranteed!

Earn your CGRC, guaranteed!

Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

What’s covered in CAP domain 2 of the exam?

 The second domain of the CAP covers the basics of categorizing information systems and documenting results. Candidates are also tested for skills required to categorize national security systems by Federal Information Processing Standards (FIPS) 199. 

The key points covered in domain 2 of the CAP include:

  • Scope the information system by describing its boundary and interconnections
  • Describe the system architecture, such as data flow and internal and external connections
  • Explain information system functionality and purpose (e.g., support people at the operational level, facilitate day-to-day business)
  • Identify the information types transmitted, processed, or stored by the system
  • Determine the impact level on CIA (confidentiality, integrity and availability) using information security standards like FIPS 199 and data protection assessment
  • Finalize information system categorization and document the results         

You will need to look at the scope of information systems when you are responsible for determining their impact level and categorization.

The management and security teams need to have a clear idea about the availability, integrity, and confidentiality of each information type processed by these systems. If there are no clear procedures for defining an information system, there can be consequences for regulatory remediation and data theft. 

The CAP will give you all the basic skills to define and categorize information systems effectively. Overall, Domain 2 will teach you valuable skills for classifying information systems and documenting results in the real world, which will help you to advance your career as an information security professional.

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.


Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.