CISSP Endorsement Process

Passing the CISSP exam doesn’t make you a CISSP. The exam proves you possess the knowledge; the endorsement process verifies you have the professional experience to apply it. Within nine months of passing, you must complete endorsement or your exam results expire — forcing you to retake the test from scratch.

The endorsement requirement exists because ISC2 positions CISSP as a certification for experienced professionals, not entry-level candidates. Before starting this process, confirm you meet the full CISSP eligibility requirements, including domain coverage and paid work verification. ISC2 requires five years of cumulative, paid work in at least two of the eight CISSP domains, with a four-year degree or approved credential waiving one year for qualifying candidates.

The process itself is straightforward once you understand what ISC2 expects. You document your experience, find an endorser to vouch for your claims, submit the application, and wait for ISC2 review. Most candidates complete endorsement within six to eight weeks of submission, though the timeline varies based on application complexity and ISC2 workload.


Path to CISSP Certification

  • Pass Exam: 125-175 questions
  • Document Experience: 5 years / 2 domains
  • Get Endorsed: ISC2 member vouches
  • CISSP Certified

Critical Deadlines

  • 9 months to submit after passing the exam
  • 4-8 weeks for review (typical processing time)
  • Miss the 9-month deadline: exam results expire, must retake

Understanding the Experience Requirement

ISC2 requires five years of cumulative, paid, full-time work experience in two or more of the eight CISSP domains. “Cumulative” means the years don’t need to be consecutive — you can have gaps between qualifying positions. “Paid” excludes volunteer work, internships, and academic projects. “Full-time” means at least 35 hours per week, though part-time work counts proportionally: 20 hours weekly for 10 years equals five years full-time equivalent.

The two-domain minimum ensures broad experience rather than narrow specialization. Someone who spent five years exclusively on network monitoring might have deep expertise in one area but lacks the breadth CISSP represents. The domain requirement pushes candidates toward demonstrating wider security knowledge through their work history.

The eight domains cover substantial ground, and most security-adjacent work touches multiple areas:

  • Security and Risk Management includes governance, compliance, policies, business continuity, and legal requirements. Anyone involved in security policy development, audit support, or compliance programs works in this domain.
  • Asset Security covers data classification, handling requirements, retention policies, and privacy protection. Database administrators, data governance specialists, and privacy officers operate here.
  • Security Architecture and Engineering encompasses security design principles, cryptography, and physical security. Security architects, engineers implementing security controls, and those designing secure systems qualify.
  • Communication and Network Security addresses network architecture, transmission methods, and network security controls. Network engineers, firewall administrators, and anyone securing network infrastructure works in this domain.
  • Identity and Access Management includes authentication, authorization, identity lifecycle, and access control implementation. Anyone managing user accounts, implementing SSO, or administering IAM systems qualifies.
  • Security Assessment and Testing covers vulnerability assessments, penetration testing, security audits, and control testing. Penetration testers, vulnerability analysts, and security auditors work primarily here.
  • Security Operations encompasses incident response, logging, monitoring, disaster recovery, and investigations. SOC analysts, incident responders, and security operations staff qualify.
  • Software Development Security addresses secure coding, application security testing, and software security lifecycle. Application security engineers, developers implementing security controls, and DevSecOps practitioners work in this domain.

Many candidates underestimate their qualifying experience because their job titles don’t include “security.” A system administrator who manages access controls, implements patches, monitors logs, and participates in incident response works across Identity and Access Management, Security Operations, and potentially Security Architecture. Review your actual job duties, not your title, when assessing domain coverage.

The One-Year Experience Waiver

A four-year college degree or an additional credential from ISC2’s approved credential waiver list reduces the experience requirement from five years to four. The waiver applies once regardless of how many qualifying credentials you hold — having both a degree and Security+ doesn’t reduce the requirement to three years.

Qualifying credentials include certifications from ISC2 (SSCP, CCSP), ISACA (CISM, CISA), CompTIA (Security+, CASP+), and various others. If you hold any of these, indicate it in your endorsement application to claim the waiver. The degree waiver applies to any four-year degree — a bachelor’s in business or English qualifies equally with a cybersecurity degree. ISC2’s position is that completing a four-year program demonstrates discipline and capability that partially compensates for professional experience.

Candidates without the required experience who pass the exam become Associates of ISC2 rather than full CISSPs. The Associate designation provides a six-year window to accumulate qualifying experience while holding a recognized credential. If you’re close to but not quite at the experience threshold, passing the exam still yields valuable certification status.


Experience Requirements

Standard Path: 5 years experience

  • Minimum 2 domains
  • Paid, full-time work
  • Cumulative (gaps OK)
  • No degree required
  • No qualifying credential

With Waiver: 4 years experience

  • Same domain requirements
  • 1-year waiver applied
  • Qualifying credentials: 4-year degree (any field), Security+, CISM, CISA, SSCP, and others on the ISC2 list

Documenting Your Experience

The endorsement application requires detailed descriptions of your professional experience. For each position you claim, you provide the employer name, your job title, employment dates, and a description of duties that maps to specific CISSP domains. ISC2 reviewers assess whether your descriptions demonstrate genuine security work, not just IT operations that happened to touch security occasionally.

Write descriptions that clearly connect to domain content. Rather than “managed firewalls,” explain “configured and maintained Palo Alto firewall policies, reviewed logs for security events, and participated in rule optimization to balance security requirements with business connectivity needs.” The second description explicitly demonstrates Communication and Network Security domain work; the first is vague enough to be questioned.

Quantify where possible. “Managed access for 500 users across three Active Directory domains” carries more weight than “handled user access.” Numbers demonstrate scope and suggest meaningful responsibility rather than peripheral involvement. Include details about security tools you used, frameworks you followed, and outcomes you achieved.

Don’t inflate or fabricate experience. ISC2 may request documentation — pay stubs, HR letters, or other verification — during audit processes. False claims violate the ISC2 Code of Ethics and its four mandatory canons and can result in a permanent certification bar. More practically, experienced endorsers recognize inflated descriptions and may decline to vouch for claims that seem exaggerated.

Finding an Endorser

Your endorsement application requires sponsorship from an active ISC2 certified professional in good standing. The endorser reviews your experience claims, confirms they’re accurate to the best of their knowledge, and submits their endorsement electronically. They’re vouching for your professional character and the truthfulness of your application, not personally verifying every detail of your work history.

Ideal endorsers know your work firsthand — supervisors, colleagues, or clients who witnessed your security contributions. They can confidently attest that your described experience matches reality. If you’ve worked in security for five years, you likely know at least one CISSP holder professionally. Start by asking colleagues at your current or former employers.

If you don’t know any CISSPs personally, three options exist:

Professional Network Expansion

Join local chapters through the ISC2 chapter directory, attend security meetups, or participate in professional organizations like ISSA or ISACA. These communities include numerous CISSPs willing to endorse qualified candidates they meet through professional engagement. Building genuine professional relationships takes time, so start early if your network lacks ISC2 members.

LinkedIn Outreach

Some CISSPs publicly offer endorsement services, particularly those active in security communities or certification coaching. A respectful LinkedIn message explaining your situation may yield willing endorsers. Provide your resume and be prepared to discuss your experience in detail — serious endorsers won’t sign off without understanding your background.

ISC2 as Endorser

If you cannot find any ISC2 member to endorse you, ISC2 itself can act as your endorser. This option takes longer — ISC2 conducts a more thorough review when they’re the endorser — but ensures no qualified candidate is blocked by network limitations. Select this option during the application process, and ISC2 staff will review your application directly.

When approaching potential endorsers, make their job easy. Provide your detailed resume, a draft of your endorsement application descriptions, and any supporting documentation. Explain which domains your experience covers and how. The easier you make it for someone to verify your claims, the more likely they’ll agree to endorse you.

The Application Process Step by Step

1. Log Into Your ISC2 Account

After passing the exam, your results flow through Pearson VUE’s ISC2 candidate portal before appearing in your ISC2 account — allow 24 to 48 hours for the systems to sync. Once your passing score is confirmed, the endorsement application becomes available in your member dashboard. Don’t wait weeks to log in; starting early gives you maximum runway before the nine-month deadline.

2. Complete the Experience Section

Enter each qualifying position with employer details, dates, and domain-mapped descriptions. Be thorough but honest — reviewers appreciate detail that demonstrates genuine experience. If claiming the one-year waiver, indicate your qualifying degree or credential in the appropriate section. Review ISC2’s full domain experience breakdown to make sure your descriptions map correctly to each domain’s scope.

3. Identify Your Endorser

Provide your endorser’s name, ISC2 member number, and contact email. ISC2 will send them an electronic endorsement request. Confirm with your endorser beforehand so they expect the email and respond promptly. Unresponsive endorsers are a common cause of delayed applications — have a backup identified before you submit.

4. Subscribe to the Code of Ethics

The application includes acknowledgment of the ISC2 Code of Ethics and its four mandatory canons. This isn’t a checkbox formality — you’re committing to ethical principles that govern your professional conduct as a CISSP. Read the code, understand the obligations, and confirm your subscription.

5. Submit and Wait

Once your endorser completes their portion, your application enters ISC2’s review queue. Standard processing takes four to eight weeks. You’ll receive email updates on status changes. Resist the urge to contact ISC2 for status updates unless you’re well past the normal timeline — high application volumes mean staff prioritize processing over status inquiries.

6. Respond to Any Requests

ISC2 may request clarification or additional documentation. Respond promptly and completely — delays extend your timeline and may trigger additional scrutiny. Common requests include clarification of job duties, verification of employment dates, or documentation of claimed credentials for waiver purposes.


Typical Endorsement Timeline

  • Pass Exam: Day 0
  • Submit: Week 1-2
  • Endorser: Week 2-3
  • ISC2 Review: Week 4-8
  • CISSP Active (Certified!): Week 6-10

⚠ Miss the 9-month deadline and exam results expire — you must retake the full exam

Common Endorsement Issues and How to Avoid Them

Vague job descriptions are the most common reason applications get delayed or questioned. Descriptions like “responsible for security” or “managed IT systems” don’t demonstrate domain-specific experience. Before submitting, review each description and ask: does this clearly show work in a specific CISSP domain? If not, add details about tools used, processes followed, and outcomes achieved.

Unresponsive endorsers stall applications more than any other single factor. Your application sits in limbo until your endorser completes their portion. Confirm commitment before listing anyone, provide their correct email, and follow up if they haven’t responded within a week. Identifying a backup endorser before you submit costs nothing and can save weeks.

Employment date discrepancies raise flags with reviewers. Gaps in employment history aren’t problems — the requirement is cumulative, not continuous. But unexplained overlapping positions or dates that don’t match verifiable records create questions. Ensure your dates are accurate, and be prepared to provide documentation if asked.

Missing the nine-month deadline is the fatal error. There’s no extension process. Track your deadline from day one, and work backward to ensure you have time to find an endorser and complete the application comfortably before expiration. Submit the moment you’re ready rather than waiting until you feel everything is perfect.

After Endorsement Approval

Once ISC2 approves your endorsement, your status changes to active CISSP. You receive a congratulatory email with instructions for accessing your digital badge, ordering physical certificates, and setting up maintenance requirements. Your certification date is the date you passed the exam, not the endorsement approval date — something worth knowing when you update your resume.

Your first Annual Maintenance Fee is due within 90 days of certification, then annually on your certification anniversary. The fee is $125 per year. CPE requirements also begin immediately — the full breakdown of what counts, how to log credits, and how the three-year cycle works is covered in the CISSP renewal requirements guide. Missing either the fee or CPE minimums places your certification in jeopardy, so build maintenance habits early rather than scrambling at cycle end.

The ISC2 credential verification tool lets employers confirm your certification status instantly — a detail worth knowing when negotiating roles or responding to background checks. Update your LinkedIn and professional profiles promptly. The CISSP designation carries real weight in hiring decisions, and there’s no reason to delay making it visible.

Endorsement for Special Situations

International Candidates

The endorsement process works identically regardless of country. Experience earned anywhere in the world counts toward the requirement. Documentation in languages other than English may require translation. Endorsers can be any ISC2 member globally — geographic proximity isn’t required, so don’t limit your search to local contacts.

Military and Government Experience

Classified work creates documentation challenges but doesn’t disqualify experience. Describe your duties at the highest unclassified level possible. Endorsers with appropriate clearances can vouch for classified work without revealing details. ISC2 handles applications from cleared professionals regularly and understands the constraints involved.

Career Changers and Adjacent Experience

Adjacent experience in IT, risk management, compliance, or audit may qualify if it included security responsibilities. Map your actual duties to CISSP domains honestly — many IT roles involve more security work than titles suggest. If you’re short on qualifying time, the Associate of ISC2 path lets you hold a recognized credential while building the remaining experience in a role that actively counts toward certification.

Consultants and Contractors

Project-based work counts toward experience requirements. Document each significant engagement with client type (if not named due to confidentiality), duration, and security responsibilities. Multiple short-term projects can collectively demonstrate years of experience across various domains — the cumulative nature of the requirement works in your favor here.

What Endorsement Actually Proves

There’s a reason employers trust CISSP more than most certifications. The exam proves you can think through security problems at a strategic level. The endorsement requirement proves you’ve been doing it professionally, not just studying for tests. Both matter, and neither substitutes for the other. When a hiring manager sees CISSP on your resume, they know someone with standing in the security community vouched for your experience under their own professional reputation. That’s a different signal than a certificate you earned by passing a test alone.

The process also does something useful for you specifically: it forces you to inventory your career in security terms. Most candidates discover they’ve done more domain-relevant work than they realized. A network administrator who spent five years managing firewall rules, responding to security events, and participating in access reviews has likely touched four CISSP domains without ever thinking of it that way. Writing those descriptions out clearly isn’t just paperwork — it prepares you to talk about your experience precisely, which matters in every job interview you’ll have after certification.

One practical note on timing: don’t wait until month eight to start. Endorsers get busy, email requests go to spam, and ISC2 review queues lengthen during peak application periods. Candidates who submit in the first few weeks after passing give themselves room to handle delays without panic. The nine-month window feels generous until a month disappears dealing with an unresponsive endorser or a documentation request you weren’t expecting.

Complete endorsement promptly, maintain your CPEs consistently, and the CISSP you worked for stays active indefinitely. Let it lapse through neglect and you’re starting the exam process over again — something no one who’s sat through 125 questions wants to think about.

Elias Ward
Elias is a deep coding specialist who has spent most of his career working in places most people never hear about. Starting with a background in secure systems and backend development, he eventually moved into roles that required quiet precision and the ability to build or fix technology in environments where reliability mattered more than recognition.
