Certified Authorization Professional (CAP) Training

Commitment: 5 days, 7-8 hours a day.
Language: English
User Ratings: Average User Rating 4.8
Delivery Options: Instructor-Led Onsite, Online, and Classroom Live


The Certified Authorization Professional (CAP) Training program is designed for the information security practitioner who champions system security commensurate with an organization’s mission and risk tolerance while meeting legal and regulatory requirements.

Led by an (ISC)² authorized instructor, the training and included course material for this official training seminar provide students with a comprehensive review of the knowledge and skills required to assess risk and establish security requirements and documentation. This Certified Authorization Professional (CAP) Training course also helps students prepare for the CAP exam, as it covers all seven domains of the CAP Common Body of Knowledge (CBK).

Students will receive several resources including (ISC)²’s official courseware and student handbook. When you combine (ISC)²’s instructor-led training with the provided course material, this CAP training seminar is a great resource for individuals interested in passing the CAP exam or reviewing/refreshing their knowledge of authorizing and maintaining information systems.

  • 5 days of Certified Authorization Professional (CAP) Training with an ISC2 expert instructor
  • ISC2-approved CAP Training Student Guide
  • ISC2-approved CAP Training Labs
  • ISC2-approved CAP Training Practice Exams
  • 1 CAP exam voucher
  • 100% Satisfaction Guarantee
  • Exam Pass Guarantee



This official Certified Authorization Professional (CAP) seminar is based on the seven domains found within the (ISC)² Common Body of Knowledge (CBK) for CAP, ensuring students successfully prepare for the CAP certification exam while enhancing their overall competencies in authorizing and maintaining information systems.

  • Domain 1: Risk Management Framework (RMF)
  • Domain 2: Categorization of Information Systems
  • Domain 3: Selection of Security Controls
  • Domain 4: Security Control Implementation
  • Domain 5: Security Control Assessment
  • Domain 6: Information Systems Authorization
  • Domain 7: Monitoring of Security Controls

  • We can adapt this Certified Authorization Professional (CAP) Training course to your group’s background and work requirements at little to no added cost.
  • If you are familiar with some aspects of this Certified Authorization Professional (CAP) Training course, we can omit or shorten their discussion.
  • We can adjust the emphasis placed on the various topics or build the Certified Authorization Professional (CAP) course around the mix of technologies of interest to you (including technologies other than those included in this outline).
  • If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Certified Authorization Professional (CAP) course in a manner understandable to lay audiences.

The intended audience for the Certified Authorization Professional (CAP) program is IT professionals who are focused on security assessment and authorization and continuous monitoring issues. It’s also a great fit for those who are interested in improving cybersecurity and learning more about the importance of lifecycle cybersecurity risk management. Typically, the Certified Authorization Professional (CAP) course is ideal for those working in roles such as, but not limited to:

  • IT Professionals
  • Information Security Professionals
  • Information Assurance Professionals
  • Executives Who Must “Sign-Off” on Authority to Operate (ATO)
  • Inspectors General (IGs) and Auditors Who Perform Independent Reviews
  • Program Managers Who Develop or Maintain IT Systems

The knowledge and skills that a learner must have before attending this Certified Authorization Professional (CAP) course are:

  • One to two years of database/systems development/network experience
  • Strong familiarity with NIST documentation
  • Systems administration
  • Technical or auditing experience within government, the U.S. Department of Defense, the financial or health care industries, and/or auditing firms



Security authorization includes a tiered risk management approach to evaluate both strategic and tactical risk across the enterprise. The authorization process incorporates the application of a Risk Management Framework (RMF), a review of the organizational structure, and the business process/mission as the foundation for the implementation and assessment of specified security controls. This authorization management process identifies vulnerabilities and security controls and determines residual risks. Residual risks are evaluated and deemed either acceptable or unacceptable. More controls must be implemented to reduce unacceptable risks. The system may be deployed only when the residual risks are acceptable to the enterprise and a satisfactory security plan is completed.

Certified Authorization Professional (CAP) Objectives:
  • Understanding the Risk Management Framework
  • Categorization of information systems
  • Selection of security controls
  • Security control implementation
  • Security control assessment
  • Information system authorization
  • Monitoring of security controls

The categorization of an information system is based on impact analysis. This is performed to determine the types of information included within the security authorization boundary, security requirements for the information types, and the potential impact on the organization resulting from a security compromise. The result of the categorization is used as the basis for developing the security plan, selecting security controls, and determining the risk inherent in operating the system.

Certified Authorization Professional (CAP) Objectives:
  • Information system
  • System security plan
  • Categorize a system
  • National security system
  • Privacy activities
  • System boundaries
  • Register system

The security control baseline is established by determining specific controls required to protect the system based on the security categorization of the system. The baseline is tailored and supplemented in accordance with an organizational assessment of risk and local parameters. The security control baseline, as well as the plan for monitoring it, is documented in the security plan (SP).

Certified Authorization Professional (CAP) Objectives:
  • Establish the security control baseline
  • Common controls and security controls inheritance
  • Risk assessment as part of the Risk Management Framework (RMF)
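As an added worked example (not part of the course material), the high-water-mark categorization that FIPS 199 and FIPS 200 prescribe for the categorize and select steps described in the two sections above: each information type inside the authorization boundary is rated low, moderate or high for confidentiality, integrity and availability, the system takes the highest rating per objective, and the highest of those three selects the low, moderate or high control baseline. The information types are constructed sample data.

```python
# Added example, not course material: the high-water-mark categorization
# used in the RMF categorize and select steps (FIPS 199 / FIPS 200).
# The information types below are constructed sample data.
from dataclasses import dataclass

# Impact levels in rank order; "n/a" is permitted only for the
# confidentiality of information that is intended to be public.
LEVELS = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type inside the authorization boundary."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize(info_types):
    """Return the per-objective high-water mark across all information types."""
    if not info_types:
        raise ValueError("authorization boundary contains no information types")
    result = {}
    for objective in OBJECTIVES:
        ratings = []
        for t in info_types:
            level = getattr(t, objective).lower()
            if level not in LEVELS:
                raise ValueError(f"{t.name}: unknown impact level {level!r}")
            if level == "n/a" and objective != "confidentiality":
                raise ValueError(f"{t.name}: n/a is only allowed for confidentiality")
            ratings.append(level)
        # The system inherits the highest rating any of its information types carries.
        result[objective] = max(ratings, key=LEVELS.__getitem__)
    return result


def select_baseline(categorization):
    """Overall impact level, which selects the low/moderate/high control baseline."""
    return max(categorization.values(), key=LEVELS.__getitem__)


# Constructed sample boundary: public web content, PII records, payment processing.
SAMPLE_INFO_TYPES = [
    InfoType("public web content", "n/a", "low", "low"),
    InfoType("customer PII", "moderate", "moderate", "low"),
    InfoType("payment processing", "moderate", "high", "moderate"),
]
```

For the sample boundary the system categorizes as moderate/high/moderate, so a single high-integrity information type pulls the whole system onto the high baseline; tailoring then happens against that baseline, not below it.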

The security controls specified in the security plan are implemented by considering the minimum organizational assurance requirements. The security plan describes how the controls are employed within the information system and its operational environment. The security assessment plan documents the methods for testing these controls and the expected results throughout the system’s life cycle.

Certified Authorization Professional (CAP) Objectives:
  • Implement selected security controls
  • Tailoring of security controls
  • Document security control implementation

The security control assessment follows the approved plan, including defined procedures to determine the effectiveness of the controls in meeting the security requirements of the information system. The results are documented in the Security Assessment Report.

Certified Authorization Professional (CAP) Objectives:
  • Prepare for security control assessment
  • Establish a security control assessment plan (SAP)
  • Determine security control effectiveness and perform testing
  • Develop initial security assessment report (SAR)
  • Perform initial remediation actions
  • Develop final security assessment report and addendum

The residual risks that were identified during the security control assessment are evaluated, and the decision is made to authorize the system to operate, deny its operation, or remediate the deficiencies. Associated documentation is prepared and/or updated depending on the authorization decision.

Certified Authorization Professional (CAP) Objectives:
  • Develop a plan of action and milestones (POAM)
  • Assemble the security authorization package
  • Determine risk
  • Determine the acceptability of risk
  • Obtain security authorization decision

After an Authorization to Operate (ATO) is granted, continuous monitoring is performed on all identified security controls as well as the political, legal, and physical environment in which the system operates. Changes to the system or its operational environment are documented and analyzed. The security state of the system is reported to designated responsible officials. Significant changes will cause the system to re-enter the security authorization process. Otherwise, the system will continue to be monitored on an ongoing basis in accordance with the organization’s monitoring strategy.

Certified Authorization Professional (CAP) Objectives:
  • Determine the security impact of changes to the system and environment
  • Perform ongoing security control assessments
  • Conduct ongoing remediation actions
  • Update key documentation
  • Perform periodic security status reporting
  • Perform ongoing risk determination and acceptance
  • Decommission and remove the system

Certified Authorization Professional (CAP) Training Course Wrap-Up