By Kathryn Daily, CISSP, CAP (soon to be CGRC), RDRP
What is GRC? GRC stands for Governance, Risk, and Compliance. GRC is a set of processes and procedures to help organizations achieve business objectives, address uncertainty, and act with integrity.
In August of 2021 ISC2 updated the exam outline and content. On the ISC2 Community Forum I asked for clarification on the change. ToniHahn stated, “With this new outline, the CAP is expanding its horizons. Everyone always thinks of it as the RMF certification, but it is not – it is the Certified Authorization Professional. During the JTA and throughout the past few years, we have seen a lot of people earning their CAP who do not work for the government and do RMF. There are many risk management frameworks and under Domain 1 on the new outline you will see some listed (COBIT, ISO 27001, ISO 31000) and those are just some of the risk management frameworks out there that a Certified Authorization Professional should know about and therefore the CAP outline was expanded. The whole purpose of having a Job Task Analysis every 3 years and updating the exam outline is to see what is new and how the certification is being used.” If you reference the ISC2 CAP updated exam outline that became effective in August 2021, you’ll notice they changed the domains to reflect the move away from the Risk Management Framework and to include broader terminology. Domain 2 changed from “Categorization of Information Systems” to “Scope of Information Systems.” Domains 3 and 4 changed to include privacy controls, which is likely a reflection of the updated NIST SP 800-53 Rev. 5. Domain 5 changed from “Assessment of Security Controls” to “Assessment/Audit of Security and Privacy Controls.” Domain 6 changed from “Authorization of Information Systems” to “Assessment/Audit of Security and Privacy Controls.” The addition of the terms audit and assessment definitely points to the inclusion of other frameworks, which tracks with the guidance provided above.
This update sounds great. It should provide a greater opportunity for certified professionals to move to other positions in industry, rather than just the US federal government.
Fast forward to December 2022: ISC2 announced that the name of the certification will change from Certified Authorization Professional (CAP) to Certified in Governance, Risk, and Compliance (CGRC). Again, they stated, “This change better represents the knowledge, skills and abilities required to earn and maintain this certification. The subject matter is broader and more inclusive to frameworks used around the world.” Again, this tracks with the information provided when the exam outline changed. They appear to be including other frameworks. I of course followed this up by asking if a new CBK will be published, as the current CBK, “OFFICIAL (ISC)² GUIDE TO THE CAP CBK, Second Edition,” has a copyright date of 2013. This didn’t track in my head, so I dug further. I asked in the ISC Community Forum if ISC was planning to release a new CBK. See the response below, dated 12-14-2022.
Now, let’s take a look at the CAP Exam Outline (Effective Date: August 15, 2021).
Domain 1: Understand the foundation of an organization information risk management program
One bullet item states, “Risk management frameworks (e.g., National Institute of Standards and Technology (NIST), cyber security framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization (ISO) 27001, International Organization for Standardization (ISO) 31000)”. Again, this tracks with the certification moving away from pure RMF. If we look at the “still applicable CBK,” we find that the only ISO standard mentioned is ISO 17799, which has been withdrawn and incorporated into the ISO 27000 series.
Under regulatory and legal requirements, we see the Federal Information Security Modernization Act (FISMA), which was released 3 years after this book was published, in 2015, so we know that’s not included. The next regulatory requirement is the Federal Risk and Authorization Management Program (FedRAMP), which was released in 2011 but is not included in the CBK. Next we see the General Data Protection Regulation (GDPR), which was approved by the EU Parliament in 2016, so again we know that regulation is not included in the CBK.
Domain 3: Selection and Approval of Security and Privacy Controls
Section 3.4 mentions Information Security Management System, a component of ISO 27001, which we’ve already seen is not included in the CBK.
Domain 4: Implementation of Security and Privacy Controls
First, we see the inclusion of the Technical Security Standard for Information Technology (TSSIT) out of Canada. There is no mention of this in the CBK. Additionally, the United States Government Configuration Baseline (USGCB) and the Center for Internet Security (CIS) benchmarks are not mentioned in the CBK.
Based on this we can clearly see that the CBK published in 2013 does not include many of the topics listed in the updated exam outline. So let’s move on to the supplementary resources provided.
The first observation is that they are ALL NIST 800 series documents. There are no references for the other frameworks and regulatory requirements listed. It also lists the CBK and gives the publication date as April 2016. The issue there is that the Amazon page that is linked states that the book was published in 2012. There are 2 other reference books not published by ISC2 which were published in 2020, but that is still before the exam outline change in 2021, so their applicability is questionable. ISC2 even advertising this book seems unethical to me, given that the references page clearly lists the updated NIST publications rather than the publications that were superseded or non-existent at the time the CBK was published.
Given this information, if the supplied CBK and references are accurate, this does NOT reflect the objective of the exam update and name change. If the CBK and references are NOT accurate, and these other frameworks are included, ISC is providing zero resources or guidance on the level of knowledge required for these other frameworks. Their blog post seems to indicate that any professional with experience in any of the GRC frameworks is qualified to sit for the exam, but I’m not so sure that’s true. It also sounds like employers can assume that job applicants who possess the CGRC certification are knowledgeable in these other frameworks, and that too is questionable.
I wrote this article about 2 weeks ago, and since then it’s been in the review phase prior to publishing. During that time, ISC updated their references list to include the ISOs, but none of the other frameworks. They also removed the reference to the Official CBK that they said a month ago was still relevant. Based on a search of http://web.archive.org, the change was made after December 2, 2022, but I was unable to ascertain an exact date. That change resolves several of the issues I outlined above. It’s curious that they changed the list of references in December of 2022/January 2023, immediately preceding the name change, a change that is JUST to reflect the update of the exam that occurred a year and a half ago.