ISC2 CGRC domain #4: Implementation of security and privacy controls

January 10, 2022 by Graeme Messina

If you are considering a career in information security, the ISC2 Certified Authorization Professional certification is an excellent way to demonstrate your knowledge and skills.

Domain 4 of this certification covers the Implementation of Security Controls, including applying, implementing, tailoring, documenting and verifying them. 

Other skills that you will learn include implementing access control systems and configuring network devices for segmentation or isolation purposes.

This article will take a look at what's involved in implementing security controls and what's covered in CAP domain 4 of the exam.

Earn your CGRC, guaranteed!

Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

ISC2 CAP explained in relation to Domain 4

ISC2 issues the Certified Authorization Professional (CAP) credential to information security professionals who successfully complete the CAP exam.

Successful candidates must demonstrate a comprehensive understanding of how to implement a specific policy or a procedure in a given scenario. 

Other competency areas include best practices related to authorization and maintaining information systems. The CAP certification material is categorized into seven different domains covering various aspects of the exam.

The fourth domain of the CAP deals with implementing security and privacy controls. When taking the CAP exam, 16% of the applicant's grade is based upon their knowledge of Domain 4.

What's involved in implementing security controls?

Implementing security controls is quite an involved process that requires planning and research ahead of implementation. This takes time, and it requires a full understanding of the laws and regulations that apply to the company's industry and to the country and region in which it operates.

The goal of implementing security controls is to keep the information systems you are responsible for secure, mitigating risks associated with data loss or interruptions in service by limiting access and maintaining security. 

How will implementing controls help my career?

Showing strong security awareness is key to maintaining data systems and infrastructure in modern businesses. Even the most elementary IT roles require security awareness training.

Implementing security controls will demonstrate that you understand risks and how to mitigate them.

By implementing security controls, you will protect sensitive information against unauthorized access, data loss, or other forms of compromise. This reduces the risk of downtime and ensures the organization's decision-making can continue uninterrupted in case of a disaster.

Implementing security controls is part of the normal process of running an IT department or network infrastructure. Adherence to the security controls and best practices ensures that you can avoid liability and costly fines if a data breach happens.

Implementing and maintaining security controls also demonstrates your ability to take responsibility for an organization's cyber assets. This type of mindset is often rewarded in IT departments where advancement opportunities are tied to risk management and minimizing downtime.

What's covered in CAP Domain 4 of the exam?

The fourth domain of the CAP tests security professionals on their knowledge of implementing security controls within an organization and the document control implementation process. 

This includes the minimum security measures defined by baselines and regulations such as USGCB, NIST, STIGs, CIS and GDPR. Candidates must also document all critical points relating to the planned controls: their expected behaviors and outputs, and any deviations from them.

The key points covered in Domain 4 of the CAP include:

  • Assess current industry standards and determine mandatory configuration settings and implementation verification controls
  • Implement controls in a manner consistent with the organization's enterprise architecture as well as its security and privacy architecture
  • Ensure inherited controls are implemented in coordination with control providers
  • Identify and implement compensatory or alternative security measures
  • Document the inputs, expected behavior, and outputs or deviations for the planned controls
  • Confirm that the documentation of controls addresses the information system's purpose, scope and risk profile
  • Gather and document implementation details from relevant organization entities (e.g., physical security, personnel security, privacy)

Experience requirements

Candidates for the CAP program must have a minimum of two years of accumulated work experience across at least one of the seven domains of the CAP exam objectives. 

An individual who does not have the relevant job history in these domains can earn Associate of ISC2 status by passing the CAP exam. After passing, the Associate has three years to earn the two years of experience required to become a certified CAP holder. This makes it easier to accrue the time needed to qualify for the certification.

More information about CAP experience requirements and how part-time work and internships are accounted for can be found at

Getting started with the implementation of security and privacy controls

Security and privacy issues are some of the most pressing considerations that companies have to contend with in the interconnected world of IT systems. 

Unauthorized access to digital and physical assets can have serious security implications, so learning what is necessary for secure environments is crucial. It is also an excellent way to get started on your information security journey or fortify and expand your knowledge as it currently stands.

The CAP certification will teach you all about the correct way to assess and implement security controls while documenting the expected controls and deviations. Overall, Domain 4 will teach you valuable skills about implementing and documenting security solutions in the real world, which will help you to progress in your career as a cybersecurity professional.

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.


Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.