Course Description

The Certification and Accreditation Professional (CAP®) credential measures the knowledge, skills and abilities required of security professionals involved in authorizing and maintaining information systems. It applies to those responsible for formalizing the processes used to assess risk and to establish security requirements and documentation. The decisions made by these individuals ensure that information systems have security appropriate to their level of exposure to potential risk, and to the potential damage to assets or individuals.

This course is designed for information security practitioners who advocate system security commensurate with an organization's risk tolerance while still meeting legal and regulatory requirements. It provides a comprehensive review of security topics and exam preparation for the Certification and Accreditation Professional (CAP®) certification. In this course, students review the 7 domains of the common body of knowledge (CBK): Understanding the Security Authorization of Information Systems, Categorize Information Systems, Establish the Security Control Baseline, Apply Security Controls, Assess Security Controls, Authorize Information System, and Monitor Security Controls.

Course Outline

Security Authorization of Information Systems and Risk Management Framework (RMF)

  • Introduction
  • Terminology and References
  • Introduction to RMF
  • Key Elements of an Enterprise System Authorization Program
  • NIST Special Publications
  • Fundamentals of Information System Risk Management According to NIST
  • System Authorization Roles and Responsibilities
  • System Authorization Life Cycle
  • Why System Authorization Programs Fail
  • System Authorization Project Planning
  • System Inventory Process
  • Interconnected Systems

Information Systems Categorization

  • Introduction
  • Sensitivity: Data Sensitivity, System Sensitivity, Sensitivity Assessment
  • Data Classification Approaches
  • Responsibility for Data Sensitivity Assessment
  • Ranking Data Sensitivity
  • National Security Information
  • Criticality
  • Criticality Assessment
  • Ranking Criticality
  • Changes in Criticality and Sensitivity
  • NIST Guidance on System Categorization

Establishment of the Security Control Baseline

  • Minimum Security Baselines and Best Practices
  • Assessing Risk
  • System Security Plans
  • NIST Guidance on Security Controls Selection

Implement Security Controls

  • Introduction
  • Security Procedures
  • Remediation Planning
  • NIST Guidance on Implementation of Security Controls

Assess Security Controls

  • Introduction
  • Scope of Testing
  • Level of Effort
  • Assessor Independence
  • Developing the Test Plan
  • The Role of the Host
  • Test Execution
  • Documenting Test Results
  • NIST Guidance on Assessment of Security Controls

Authorize Information System

  • Introduction
  • System Authorization Decision Making
  • Essential System Authorization Documentation
  • NIST Guidance on Authorization of Information Systems

Monitor Security Controls

  • Introduction
  • Continuous Monitoring
  • NIST Guidance on Ongoing Monitoring of Security Controls and Security State of the Information System

Candidates must have a minimum of 2 years of cumulative, paid, full-time work experience in 1 or more of the 7 domains of the CAP CBK.

If you do not have the required experience, you may still sit for the exam and become an Associate of (ISC)² until you have gained the required experience. 
30 Hours | 5 Days or 10 Nights