ISC2 CGRC domain #6: Authorization and approval of information system

Graeme Messina
January 12, 2022 by
Graeme Messina

If you're thinking about a career in data security, this certificate can prove your skills and knowledge. The Certified Authorization Professional (CAP) exam is aimed at information security professionals that need to understand the many different components that govern access to systems.

Domain 6 of this certification, authorization and approval, focuses on this aspect more specifically as there are many controls involved in the processes that enable authorization and approval. These include creating the necessary documentation, system risk evaluation, and authorization terms.

Earn your CGRC, guaranteed!

Earn your CGRC, guaranteed!

Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

ISC2 CAP explained

The ISC2 issues the Certified Authorization Professional (CAP) credential to information security professionals that complete the CAP exam. Successful candidates must demonstrate a comprehensive understanding of how to implement a specific policy or a procedure in a given scenario. 

Other competency areas include best practices related to authorization and maintaining information systems. The CAP certification material is categorized into seven different domains that cover different aspects of the exam.

The sixth domain of the CAP deals with authorization and approval of information systems. This domain accounts for 10% of the exam total, so you must understand these concepts to pass the exam.

What is authorization and approval?

Authorization and approval are vital in any information system where important data and access to sensitive systems exist. The authorization covers many aspects of users' access to specific resources. This is determined by things such as the role that the user has in the company to the location where the user works. The approval covers how the decision to allow a user access is determined. 

How will authorization and approval help my career?

Candidates who can demonstrate their understanding of the authorization and approval process show potential employers that they can work with and manage sensitive IT systems. These include financial systems, network environments and any other application or system that has employee/contractor specific access.

By showing competence in this process, candidates are seen as capable of weighing up the consequences and operational benefits of the organization when deciding on what authorizations and approvals can be made and which need to be escalated for further approval.

Most companies have many different layers of authorization and approval, depending on the procedures, policies and compliance levels required for each region and sector they operate in. This makes it very complicated and quite nuanced when designing policies that regulate this kind of access. 

This makes the skills you will learn while certifying your CAP highly desirable for companies operating in highly regulated sectors. Earning this certificate will help show that you understand authorization and access for users for the safety and security of the organization. 

What's covered in CAP Domain 6 of the exam?

The sixth domain of the CAP covers all of the most important aspects of granting access and approving users to access information systems.  

This is one of the shorter exam objectives, with there being only three subsections to cover, but that does not make this any less important. 

You must ensure that you understand how the documentation works within the large context of authorization, information risk, and each system's terms to which authorization is granted. Below are the points covered in more detail for this exam.

The key points covered in Domain 6 of the CAP include:

  • Compile security and privacy authorization/approval documents. You will learn how to compile the required security and privacy documentation needed to support the authorization/approval decision by the designated official. This is very important as it will give you a better understanding of the criteria for approval and authorization on these systems.
  • Determine information system risk. You must evaluate information system risk when granting access to a system. Think about the legal and regulatory issues that could arise from improper access being granted. You must also determine your risk treatment options when they are encountered. Examples of these are: accept, avoid, transfer, mitigate, share. Next, you will need to determine residual risk as it applies to authorization and approval. This includes unintended or secondary consequences and how you can mitigate them.
  • Authorize/approve information system. Most people know the terms and conditions when logging on and what constitutes misuse that could have your access revoked. You will learn how to develop the terms of authorization/approval for information systems as part of this section.

Experience requirements

Candidates for the CAP program must have a minimum of two years of accumulated work experience across at least one of the seven domains of the CAP exam objectives. 

An individual that does not have the relevant job history relating to these domains can earn Associate status of ISC2 by passing the CAP exam. After earning the Associate of ISC2 certification, the candidate will have three years to earn the two years experience required. 

More information about CAP experience requirements and how part-time work and internships are accounted for can be found at

Earn your CGRC, guaranteed!

Earn your CGRC, guaranteed!

Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

Getting started with authorization and approval of information systems

Controlling who has access to systems starts with determining the authorization and approval process. It lays out the foundations for very important access to systems. 

This must be covered and understood. This is especially true if you work within a compliance team that handles access and security to information systems. 

If there are no clear procedures to properly allow and disallow users to access systems, then there can be consequences such as data loss, fines and regulatory remediation. This can lead to a company suffering from reputational and financial damage.

The CAP certification shows you why it is important to understand how the authorization process works and how approval standards are arrived at in the planning stages of processes. 

Once these key functions have been decided on, implementation becomes much easier and more uniform, making the organizational procedures more consistent and efficient. 

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.


Graeme Messina
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.