CAP: Certified Authorization Professional


Duration: 5 Days
CPE Credits: 35
Course Number: SEC-309

This authorized CAP training seminar is a five-day, 35 CPE course offered to you by Intrinsec Security – an official training partner of (ISC)².

CAP Training Information

The Certified Authorization Professional (CAP) course is designed for the information security practitioner who champions system security commensurate with an organization’s mission and risk tolerance while meeting legal and regulatory requirements.

Led by an (ISC)² authorized instructor, the training and included course material for this official training seminar provide students with a comprehensive review of the knowledge and skills required to assess risk and establish security requirements and documentation. This course also helps students prepare for the CAP exam, as it covers all seven domains of the CAP Common Body of Knowledge (CBK).

Aside from a reserved seat in an upcoming CAP training seminar, the resources provided to students include (ISC)²’s official courseware and “Study tools”, such as the CAP flashcards and student handbook. When you combine (ISC)²’s instructor-led training with the provided course material, this CAP training seminar is a great resource for those interested in passing the CAP exam or reviewing/refreshing their knowledge of authorizing and maintaining information systems.

What Comes With This Course

  • Five Days of Official (ISC)² Training from an Authorized CAP Instructor
  • Official (ISC)² CAP Courseware
  • Official (ISC)² CAP Student Handbook
  • Official (ISC)² CAP Interactive Flashcards
  • Practical Experience with Realistic Scenario Based Learning Activities
  • 60 Days of OnDemand Access to the Recordings of your CISSP Session (Video & Audio)
    • NOTE: for virtual training only

*CAP Exam Voucher Available for Additional Cost ($419 USD)*



What You Will Learn

This official CAP training seminar is based on the seven CAP domains of the (ISC)² Common Body of Knowledge (CBK), ensuring students successfully prepare for the CAP exam while also enhancing their overall competencies in authorizing and maintaining information systems.

Domain 1: Risk Management Framework (RMF)

Security authorization includes a tiered risk management approach to evaluate both strategic and tactical risk across the enterprise. The authorization process incorporates the application of a Risk Management Framework (RMF), a review of the organizational structure, and the business process/mission as the foundation for the implementation and assessment of specified security controls. This authorization management process identifies vulnerabilities and security controls and determines residual risks. The residual risks are evaluated and deemed either acceptable or unacceptable. More controls must be implemented to reduce unacceptable risk. The system may be deployed only when the residual risks are acceptable to the enterprise and a satisfactory security plan is complete.

CAP Domain 1 Lessons
  • Describe the Risk Management Framework (RMF)
  • Describe and Distinguish between the RMF Steps
  • Identify Roles and Define Responsibilities
  • Understand and Describe How the RMF Process Relates to Key Factors
  • Understand the Relationship between the RMF and System Development Life Cycle (SDLC)
  • Understand Legal, Regulatory, and Other Security Requirements

Domain 2: Categorization of Information Systems

Categorization of the information system is based on an impact analysis. It is performed to determine the types of information included within the security authorization boundary, the security requirements for the information types, and the potential impact on the organization resulting from a security compromise. The result of the categorization is used as the basis for developing the security plan, selecting security controls, and determining the risk inherent in operating the system.

CAP Domain 2 Lessons
  • Categorize the System
  • Describe the Information System
  • Register the System

Domain 3: Selection of Security Controls

The security control baseline is established by determining specific controls required to protect the system based on the security categorization of the system. The baseline is tailored and supplemented in accordance with an organizational assessment of risk and local parameters. The security control baseline, as well as the plan for monitoring it, is documented in the security plan (SP).

CAP Domain 3 Lessons
  • Identify and Document Common Controls
  • Select, Tailor, and Document Security Controls
  • Develop Security Control Monitoring Strategy
  • Review and Approve SP

Domain 4: Security Control Implementation

The security controls specified in the security plan are implemented taking into account the minimum organizational assurance requirements. The security plan describes how the controls are employed within the information system and its operational environment. The security assessment plan documents the methods for testing these controls and the expected results throughout the system's life cycle.

CAP Domain 4 Lessons
  • Implement Selected Security Controls
  • Document Security Control Implementation

Domain 5: Security Control Assessment

The security control assessment follows the approved plan, including defined procedures, to determine the effectiveness of the controls in meeting security requirements of the information system. The results are documented in the Security Assessment Report.

CAP Domain 5 Lessons
  • Prepare for Security Control Assessment
  • Develop Security Control Assessment Plan
  • Assess Security Control Effectiveness
  • Develop Initial Security Assessment Report (SAR)
  • Review Interim SAR and Perform Initial Remediation Actions
  • Develop Final SAR and Optional Addendum

Domain 6: Information Systems Authorization

The residual risks identified during the security control assessment are evaluated and the decision is made to authorize the system to operate, deny its operation, or remediate the deficiencies. Associated documentation is prepared and/or updated depending on the authorization decision.

CAP Domain 6 Lessons
  • Develop Plan of Action and Milestones (POAM)
  • Assemble Security Authorization Package
  • Determine Risk
  • Determine the Acceptability of Risk
  • Obtain Security Authorization Decision

Domain 7: Monitoring of Security Controls

After an Authorization to Operate (ATO) is granted, continuous monitoring is performed on all identified security controls as well as the political, legal, and physical environment in which the system operates. Changes to the system or its operational environment are documented and analyzed. The security state of the system is reported to designated responsible officials. Significant changes cause the system to re-enter the security authorization process. Otherwise, the system continues to be monitored on an ongoing basis in accordance with the organization’s monitoring strategy.

CAP Domain 7 Lessons
  • Determine Security Impact of Changes to System and Environment
  • Perform Ongoing Security Control Assessments
  • Conduct Ongoing Remediation Actions
  • Update Key Documentation
  • Perform Periodic Security Status Reporting
  • Perform Ongoing Risk Determination and Acceptance
  • Decommission and Remove System

This CAP Training Program Is Brought To You By:



Two Things You Should Know About Intrinsec


With the YOU PASS WE PAY promo, you’re eligible to receive $300 if you pass the CAP exam within 90 days of completing this course!

*See terms & conditions for details.


Our PRICE MATCH GUARANTEE is simple – not only do you get the most effective training available, but you also pay the best price!


Why Yes, We Do Provide Group Training!

We have multiple options for you to lower costs and get more of your people trained.


Upcoming Sessions

  • Oct 2 - 6, 2017, 9:00am - 5:00pm EST, Live Online, USD $2,295.00
  • Oct 16 - 20, 2017, 9:00am - 5:00pm EST, Live Online, USD $2,295.00

Request Group Training