ISC2 CGRC domain #3: Selection and approval of security and privacy controls

May 12, 2022 by Dan Virgillito

If you’re looking to secure a rewarding position or accelerate your career in data security, the Certified Authorization Professional (CAP) certification is an excellent way to demonstrate your knowledge and skills.

Domain #3 of this certification relates to selecting and approving security and privacy controls, including defining the applicability of baseline and inherited controls. You’ll also learn to develop a continuous control monitoring strategy, which means deciding which controls to monitor, how their effectiveness is determined, on what timeline, and what capacity is needed to implement the monitoring.

This domain accounts for 15% of the exam total, so it’s important to understand these concepts to pass the CAP exam.

Earn your CGRC, guaranteed!

Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

What's involved in selecting and approving controls?

Generally speaking, selecting and approving controls lays the foundation for establishing the security control baseline. The baseline is then supplemented and tailored in accordance with an organizational assessment of local conditions and risk parameters. Both the security control baseline and the monitoring plan are documented in the security plan.

Professionals must identify common controls that provide consistent and more cost-effective security across an organization. Common controls accelerate implementation, reduce cost and provide more consistent behavior. Tailoring of controls is accomplished through scoping, parameterization and compensating controls, followed by supplementing the baseline with additional controls and control enhancements drawn from the SP 800-53 control sets. Tailoring should also be aligned with the operating environment and operational activities.

You’ll also learn about overlays, whose purpose is to provide tailoring at the community level. Examples of communities include ICS (Industrial Control Systems), space and CDS (Cross Domain Solutions). Overlays can add or eliminate controls and provide interpretations and applicability for specific information technologies. Their core function is to develop community-wide parameter values for the selection statements of security controls and control enhancements.

Further, overlays can extend the supplemental guidance for security controls where necessary. For those working in the government sector, it’s important to know that the U.S. government official overlays are found as supplements to CNSSI-1253.

Circling back to tailoring, you’ll also become familiar with the layers at which tailoring occurs. Controls can be tailored at the system layer (where you can negotiate interfaces). The authorizing official can make some changes, and regulations, location and the command or organization can also tailor system controls.

Tailoring should result in a control set that sufficiently mitigates the risks to organizational assets and operations, individuals, other organizations and the nation. The decision is always risk-based and never made for convenience.

Selecting and approving controls also involves managing different categories of controls: common, hybrid and system-specific. Additionally, professionals are expected to be proficient in determining control types, which can have a technical, management or operational focus. Regarding threat mitigation, you should know which controls reduce the likelihood of a threat event and which ones protect the system if a threat actor attempts to exploit a vulnerability.

How will understanding controls help my career?

If you are looking to work in a security compliance role, or your position requires that you review and approve your organization’s security plan, then learning about controls will help you immensely.

Today, evaluating and documenting security controls is a regular part of an organization’s workflow. It helps them ensure system integrity with spam and malware protection, continuous system monitoring, and business continuity plans. And this isn’t an area to cut corners on — your company must prove the appropriate use of control enhancements (e.g., overlays, countermeasures or security practices) to achieve compliance certifications like ISO 27001. Only then will implementing an information security management system (ISMS) be deemed valid.

By showing competence in common controls and security control inheritance, candidates are seen as capable of doing risk assessment as part of the risk management framework (RMF). This skill is often rewarded in security teams where career advancement is tied to establishing strong data security controls that meet regulatory compliance. Plus, understanding controls is key to developing best practices for avoiding costly fines and liability should a data breach occur.

The skills you learn while studying the third CAP domain are highly desirable for firms operating in heavily regulated sectors such as defense and manufacturing. The domain equips you with the ability and knowledge to identify and document baseline and inheritable controls in sensitive security systems per compliance standards. Therefore, earning a CAP certification broadens your career horizons in more ways than you might realize.

What’s covered in CAP domain 3 of the exam?

The third domain of the CAP covers the fundamentals of selecting and approving security and privacy controls. Exam takers are also tested on the skills required to develop a continuous monitoring strategy, which allows for robust review and near real-time awareness of the current security state of the system.

The key points covered in domain 3 of the CAP include:

  • Identifying and documenting baseline and inherited controls (based on the security categorization of the system)
  • Choosing and tailoring controls to the system
  • Determining appropriate use of control enhancements (e.g., overlays, countermeasures and security practices)
  • Tailoring controls at different levels in the security architecture
  • Providing security control applicability and interpretations for types of information systems, operating modes, computing paradigms, industry sectors and regulatory/statutory requirements
  • Conducting risk assessment as part of the risk management framework (RMF)
  • Identifying which controls need to be monitored, frequency of monitoring and assessment approach
  • Reviewing and approving the security plan (SSP)
  • Implementing Information Security Management System (ISMS) with ISO 27001 compliance


Implementation of security controls brings challenges that organizations need to address if they want to stay at the forefront of data security and safety. Fortunately, employing CAP professionals allows organizations to delegate the task of overcoming control-related difficulties to experienced practitioners.

As a CAP professional, you’ll need to show strong control awareness so that the organization can maintain its data systems and infrastructure. Domain 3 of CAP will equip you with all the knowledge and skills to identify, assess, tailor and document security controls.

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.

Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.