NIST guidelines spark change to (ISC)2 credential

New standards reflect interest in continuous monitoring

(ISC)2, a nonprofit organization of certified information security professionals, is changing a key credential in response to the National Institute of Standards and Technology’s changes to risk management guidelines for federal systems.

Formerly called the Certification and Accreditation Professional, the new (ISC)2 credential is now known as a Certified Authorization Professional (CAP).


Related story:

Next steps for continuous network monitoring


The organization is also changing the structure of the credential, from four domains to seven, and places a stronger emphasis on the underlying methodologies and processes associated with the harmonized security authorization process, including continuous monitoring. The domain updates will take effect in November 2010. For existing CAP-holders, nothing will change.

“We felt it critical to update the name and domains of CAP to align with current requirements, technology and thinking,” said Hord Tipton, executive director of (ISC)2.

The original four CAP domains or phases were preparation, certification, execution and continuous monitoring. The seven new domains are:

  1. Understanding the Security Authorization of Information Systems (formerly known as Certification and Accreditation)
  2. Categorize Information Systems (formerly part of the Preparation Phase)
  3. Establish the Security Control Baseline (formerly part of the Preparation Phase)
  4. Apply Security Controls (formerly part of the Preparation Phase)
  5. Assess Security Controls (known previously as the Certification Phase)
  6. Authorize Information System (known previously as the Execution Phase)
  7. Monitor Security Controls (also known as Continuous Monitoring)

NIST’s SP 800-37 publication, “Guide for Applying the Risk Management Framework to Federal Information Systems,” released in November 2009, places a stronger focus on continuous monitoring and stresses that such monitoring is only one piece of a larger, integrated process, said Tipton.

About the Author

Kathleen Hickey is a freelance writer for GCN.

inside gcn

  • artificial intelligence (vs148/Shutterstock.com)

    Advancing AI with grand challenges, greater security

Reader Comments

Wed, Jun 2, 2010

That would be, Certified Registered Authorized Professional...

Wed, Jun 2, 2010

I have to say that I am a little disappointed with several aspects of these changes. First off, they just changed the CAP certification less than 3 months ago. They should have had this all hashed out before they came out with a change. So, a person who started studying for this test in February had to start all over in March only to have to start all over again today. That is UNSAT, (ISC)2.

The acronym is non-comprehensive and bordering on bad english. If I tell somebody I'm a "certified authorized professional", they're going to think I'm full of crap. Certified and authorized professional of what? If the term “authorization” is going to take the place of “accreditation” then wouldn’t it make sense to simply change that word?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group