ISC2 CGRC exam details and process

December 21, 2021 by Greg Belding

If you work in Governance, Risk and Compliance (GRC) and with the Risk Management Framework (RMF), earning a certification can help prove to organizations that you are a cut above the rest. The Certified Authorization Professional (CAP) certification, since renamed Certified in Governance, Risk and Compliance (CGRC), may be for you.

This certification verifies that you have the knowledge and skills to understand, apply and implement a risk management program for IT systems within an organization, along with the other vital responsibilities of a GRC professional. To earn it, however, you have to pass the CAP certification exam.

Earn your CGRC, guaranteed!

Enroll in a CGRC (formerly CAP) Boot Camp and earn one of the industry's most respected certifications — guaranteed.

What is the CAP exam?

The CAP exam is the certification exam that must be passed to earn the certification. It evaluates your expertise across the seven domains that make up the exam's Common Body of Knowledge (CBK). Passing the exam demonstrates to hiring organizations that you have the advanced knowledge to manage governance, risk management and compliance with industry and government regulations.

What are the CAP exam topics?

The CAP exam covers seven exam topics, referred to as domains of knowledge. They are:

  • Information Security Risk Management Program
  • Scope of the Information System
  • Selection and Approval of Security and Privacy Controls
  • Implementation of Security and Privacy Controls
  • Assessment/Audit of Security and Privacy Controls
  • Authorization/Approval of Information System
  • Continuous Monitoring

What are the CAP exam questions like?

The questions on the CAP exam will challenge your knowledge and skill level across the seven domains listed above, but they are not impossible. They are said to resemble those of most managerial-level certification exams, with a narrow focus on GRC knowledge.

Many of those who have passed the CAP exam credit their success to the CAP examination material hosted by Infosec. For those interested in this material, it can be found here.

How long is the CAP exam?

You are allotted three hours for the CAP certification exam. That does not mean it will necessarily take you the full three hours to complete; it is simply the maximum amount of time you are given.

How many questions are on the CAP exam?

There are 125 questions on the CAP certification exam. The exam is given in English and is offered at Pearson VUE testing centers. More details about the CAP certification exam process can be found later in the article.

How much does the CAP exam cost?

The cost to take the CAP certification exam depends on what region of the world you live in. For those living in the United States (and everywhere else in the Americas), the cost is $599. 

How to pass the CAP exam?

Passing the CAP certification exam comes down to your effort in preparing for it. Remember that the preparation technically begins a couple of years before you decide to sit for the exam: to be eligible for the CAP exam, you are required to have at least two years of cumulative, paid work experience in one or more of the seven domains of knowledge that the exam covers. This real-world experience lays the groundwork for the knowledge base that your subsequent exam preparation will build upon.

While there is no single way you must prepare for the CAP exam, there are a few different approaches you can take:

  • Self-study (in other words, going it entirely on your own with any study materials such as books you can find)
  • Enrolling in an ISC2 official training seminar
  • Enrolling in third-party training or CAP exam boot-camps

When do I get my CAP exam results?

There are two classifications of CAP exam results that you will receive: unofficial results and official results. In most cases, you will receive the unofficial results of your CAP exam when you check out at the Pearson VUE testing center (in some cases, unofficial real-time results will not be available on exam day). ISC2 will email you the official CAP exam results, but the timing of this is not set in stone. All CAP exam results are subject to a psychometric and forensic evaluation that could affect your score. If these evaluations affect your CAP exam score, ISC2 will notify you. Keep in mind that this may delay your official CAP exam results by six to eight weeks.

What happens after I pass the CAP exam?

After you receive your official CAP exam results, ISC2 will send you instructions on how to complete the rest of the CAP certification process. In most cases, you will need to document that you have earned the required work experience to become fully certified, but the instructions ISC2 sends you are the authoritative guide to what is required.

What happens if I don’t pass the CAP exam?

Below are the rules for retaking the CAP exam based upon how many attempts you have had:

  • After the first attempt, you may retest after 30 test-free days
  • After the second attempt, you may retest after 60 test-free days
  • After the third and any subsequent attempt, you may retest after 90 test-free days from the last attempt

How do I register for the CAP exam?

  • Create an account with Pearson VUE here
  • Select the CAP exam
  • Schedule your exam and choose your testing center

Earning the CAP certification 

Information security and IT professionals working in RMF may want to earn the CAP certification to demonstrate their top-flight knowledge and skills to hiring organizations. They will have to pass the CAP certification exam to earn the cert. With determination, preparation and the exam details and process roadmap above, you will be in a solid position to pass the CAP exam.

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.


Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing, both as a cybersecurity blogger and for fun.