CISSP certification requires more than passing an exam. ISC2 designed the credential for experienced security professionals, which means meeting specific experience thresholds, completing an endorsement process, subscribing to a code of ethics, and maintaining ongoing education requirements. Understanding these requirements upfront helps you plan your certification path and avoid surprises after exam day.
The core requirements are straightforward: five years of professional security experience across at least two CISSP domains, successful completion of the exam, endorsement by an existing ISC2 member, and commitment to the ISC2 Code of Ethics. Candidates without the full experience can still take the exam and earn the Associate of ISC2 designation while building qualifying work history.
This isn’t a certification you can rush. The experience requirement alone takes years to satisfy, and ISC2 verifies claims through the endorsement process. But that’s precisely why CISSP carries weight — employers know certified professionals have demonstrated both knowledge and real-world application.
Professional Experience: The Foundation
The experience requirement is what separates CISSP from entry-level certifications. ISC2 requires five years of cumulative, paid, full-time work experience in at least two of the eight CISSP domains. This isn’t a suggestion or preference — it’s a hard requirement verified through the endorsement process before you receive certification.
Understanding the terminology matters:
Cumulative means years don’t need to be consecutive. You could have three years at one company, a gap in a non-security role, then two more years in security. The five years can be assembled from your entire career, not just continuous employment. ISC2 does not penalize candidates for career gaps.
Paid excludes internships, volunteer work, and academic projects. ISC2 wants professional experience where you had accountability and consequences for your security decisions. Hobbyist security work, however sophisticated, doesn’t count. Contract and freelance work qualifies as long as it was compensated.
Full-time means at least 35 hours per week. Part-time work counts proportionally — 20 hours weekly for 10 years equals five years of full-time equivalent. This calculation benefits candidates who worked security part-time while in another role: track your actual hours and calculate accordingly.
The two-domain requirement ensures broad experience. Someone who spent five years exclusively in penetration testing has deep but narrow expertise. CISSP represents comprehensive security knowledge, so candidates must demonstrate work spanning multiple areas of the field.
What Actually Counts as Qualifying Experience
Many candidates underestimate their qualifying experience because their job titles don’t include the word “security.” ISC2 evaluates what you actually did, not what your business card said. A network administrator who managed firewall rules, reviewed intrusion detection alerts, responded to security incidents, and enforced access control policies was working in at least three CISSP domains — Communications and Network Security, Security Operations, and Identity and Access Management — regardless of whether “security” appeared anywhere in their title.
Consider how different roles map to domains in practice. A database administrator enforcing encryption at rest and in transit (Asset Security) who also manages database user permissions (Identity and Access Management) and participates in quarterly access reviews (Security Assessment and Testing) covers three domains through routine DBA work. A compliance analyst building security policies (Security and Risk Management) who works with development teams on secure SDLC requirements (Software Development Security) and tracks control effectiveness (Security Assessment and Testing) does the same.
The key question ISC2 asks through the endorsement process is whether your described duties genuinely demonstrate domain knowledge and application. Vague descriptions like “responsible for security” or “supported the security team” don’t establish domain-specific experience. Specific descriptions do: “managed Okta identity lifecycle for 800 users including provisioning, deprovisioning, access reviews, and MFA policy enforcement” clearly establishes Identity and Access Management experience.
Military veterans, government employees, and cleared professionals working on classified programs can claim qualifying experience even when they cannot name clients or describe specific programs. Describe duties at the highest unclassified level possible. Endorsers with appropriate clearances can vouch for classified experience without revealing details.
The Eight CISSP Domains
Your experience must span at least two of these domains, as defined in the official CISSP exam outline. Domain weightings reflect how much of the exam each area covers — more heavily weighted domains have more questions:
- Security and Risk Management (16% of exam) covers governance, compliance, legal issues, professional ethics, security policies, business continuity, and risk management concepts. Anyone involved in policy development, audit preparation, risk assessments, or compliance programs works here. This is the largest domain on the exam.
- Asset Security (10% of exam) addresses data classification, ownership, privacy protection, retention requirements, and secure handling. Database administrators, data governance professionals, and privacy specialists operate in this domain.
- Security Architecture and Engineering (13% of exam) encompasses security models, design principles, cryptography, physical security, and secure system design. Security architects, engineers implementing controls, and those designing secure infrastructure qualify.
- Communication and Network Security (13% of exam) covers network architecture, secure protocols, network components, and communication channels. Network engineers, firewall administrators, and telecommunications security professionals work here.
- Identity and Access Management (13% of exam) includes authentication mechanisms, identity lifecycle, authorization systems, and access control models. IAM administrators, directory services engineers, and anyone managing user access qualifies.
- Security Assessment and Testing (12% of exam) addresses vulnerability assessments, penetration testing, security audits, and testing strategies. Penetration testers, vulnerability analysts, and security auditors primarily work in this domain.
- Security Operations (13% of exam) encompasses incident response, logging and monitoring, disaster recovery, investigations, and physical security operations. SOC analysts, incident responders, and security operations staff qualify.
- Software Development Security (10% of exam) covers secure coding practices, application security testing, development environments, and software security controls. Application security engineers and developers implementing security work here.
Most security professionals work across multiple domains without realizing it. A system administrator managing Active Directory (Identity and Access Management), reviewing security logs (Security Operations), and implementing group policies (Security Architecture) touches three domains through routine work. Map your actual job duties to domains rather than assuming your title determines qualification.
Experience Waivers: Reducing the Requirement to Four Years
A four-year college degree or an approved credential from ISC2’s prerequisite list waives one year of experience, reducing the requirement from five years to four. Only one waiver applies regardless of how many qualifying credentials you hold — a degree plus Security+ still reduces the requirement by one year, not two.
The degree waiver accepts any four-year degree from an accredited institution. Computer science, cybersecurity, and information technology degrees qualify, but so do degrees in business, engineering, liberal arts, or any other field. ISC2’s position is that completing a four-year program demonstrates intellectual discipline that partially substitutes for professional experience.
Important — April 2026 Waiver Changes: Effective April 1, 2026, ISC2 reduced the approved credential list from approximately 50 certifications to 25. CISA, CRISC, CEH, OSCP, most GIAC certifications, and several other previously approved credentials were removed. Applications submitted before April 1, 2026 could use the previous expanded list. Applications submitted on or after that date must use the current reduced list. Always verify the current approved credentials on ISC2’s experience requirements page before planning your waiver strategy.
The credentials currently on the approved list share a common thread: they demonstrate broad security management knowledge or deep alignment with CISSP’s domain structure rather than narrow technical specialization. Here’s how the current list breaks down by category:
ISC2 Certifications (All Qualify)
Every ISC2 credential remains on the approved list: SSCP (Systems Security Certified Practitioner), CCSP (Certified Cloud Security Professional), CGRC (Certified in Governance, Risk and Compliance), CSSLP (Certified Secure Software Lifecycle Professional), HCISPP (HealthCare Information Security and Privacy Practitioner), and the three advanced certifications ISSAP, ISSEP, and ISSMP — which became standalone credentials in 2025. If you hold any ISC2 certification, you already have your waiver.
CompTIA Certifications (Full Track Qualifies)
Security+, CySA+ (Cybersecurity Analyst+), CASP+ (Advanced Security Practitioner), and SecurityX all qualify. The entire CompTIA security track remains approved, making it one of the most accessible waiver pathways for candidates building toward CISSP. Security+ in particular is widely held in the profession, so many candidates already have their waiver without realizing it applies.
ISACA Certifications (CISM Only)
Only CISM (Certified Information Security Manager) remains on the approved list from ISACA. CISA (Certified Information Systems Auditor) and CRISC (Certified in Risk and Information Systems Control) were removed effective April 1, 2026. For GRC professionals who hold CISA or CRISC but not CISM, the practical path forward is either working toward four years of qualifying experience with the degree waiver, earning the full five years, or pursuing CISM as the next credential — which has genuine career value independent of the CISSP waiver.
Other Approved Credentials
Additional credentials on the current approved list include Cisco CCNA, CCNP Security, and CCIE Security; AWS Certified Security Specialty; Microsoft Certified Cybersecurity Architect; and four GIAC certifications — GICSP (Global Industrial Cyber Security Professional), GISF (Information Security Fundamentals), GISP (Information Security Professional), and GSLC (Security Leadership). Three Zscaler zero trust certifications (ZDTA, ZDTE, ZDXA) were added in 2026. CEH, OSCP, and most other GIAC certifications are no longer on the approved list.
The CISSP Examination
The CISSP exam uses Computerized Adaptive Testing (CAT) across all available languages. As of April 2024, ISC2 completed the CAT transition globally — the previous 250-question, 6-hour linear format for non-English exams has been retired. Candidates testing in French, German, Japanese, Korean, Spanish, or Chinese now sit the same adaptive format as English-language candidates.
Key exam specifications from ISC2’s official documentation:
Exam Format Details
- Length: 100 to 150 questions (CAT determines when statistical confidence is reached)
- Time: 3 hours maximum
- Passing Score: 700 out of 1000 points on a scaled score
- Question Types: Multiple choice and advanced innovative questions
- Languages: English, French, German, Japanese, Korean, Spanish, Chinese (all CAT format since April 2024)
- Testing Centers: Pearson VUE locations worldwide
- Cost: $749 USD (single attempt); $998 with Peace of Mind Protection (covers a second attempt if needed)
CAT adjusts question difficulty based on your responses — answer correctly and questions get harder, answer incorrectly and they ease off. The algorithm determines pass/fail with statistical confidence rather than a fixed percentage score. This means some candidates finish in 100 questions while others use all 150. The number of questions you receive does not indicate whether you passed or failed. Of the minimum 100 questions, 25 are unscored pretest items being evaluated for future exams — you cannot identify which are which, so answer every question with full attention.
The exam doesn’t test memorization of specific technical commands or vendor configurations. It assesses your ability to apply security concepts to scenarios, make risk-based decisions, and think like a security manager rather than a technician. Many questions present situations where multiple answers seem partially correct — you must identify the best answer based on security principles and business context. The official CISSP exam outline is available on ISC2’s website and is the authoritative guide to what’s tested.
What CISSP Costs: The Full Picture
Planning for CISSP means budgeting beyond the exam fee. The $749 exam cost is the most visible number, but the total investment is higher once you account for preparation materials, ongoing maintenance, and the time commitment involved.
Study materials range from the free resources ISC2 provides to formal training courses that can run $1,500 or more. Most candidates spend between $200 and $800 on preparation materials — typically an official study guide, a practice question bank, and one or two supplemental resources. The free resources available through ISC2 and government publications are genuinely useful and reduce the need for expensive courses if you’re disciplined about self-study.
Time is the largest investment most people overlook. Candidates with solid experience backgrounds typically spend three to six months of focused preparation — a few hours per week on top of a full-time job. Some stretch to a year; others with stronger domain coverage move faster. This is not a weekend certification.
Ongoing maintenance costs $125 per year in Annual Maintenance Fees after certification. Over a three-year cycle, that’s $375 plus whatever you spend earning CPE credits. Many CPE activities are free (conference attendance, webinars, professional reading), so the ongoing cost is manageable for most working professionals.
Endorsement: Verifying Your Experience
Passing the exam doesn’t immediately grant CISSP certification. Within nine months of passing, you must complete the endorsement process where an existing ISC2 certified member vouches for your professional experience claims. Miss this deadline and your exam results expire — you’d have to retake the test from scratch.
The endorsement application requires detailed documentation of your professional experience: employer names, job titles, dates, and descriptions of duties mapped to CISSP domains. Your endorser reviews these claims and attests to their accuracy under their own professional reputation. ISC2 then reviews the application, potentially requesting additional documentation or clarification, and processes it within four to eight weeks.
Finding an endorser is straightforward if you work in security — colleagues, supervisors, or professional contacts likely include ISC2 members. If you don’t know any personally, joining a local ISC2 chapter, connecting with the r/cissp community, or attending security meetups typically yields willing endorsers. ISC2 itself can act as your endorser if you genuinely cannot find anyone — this option takes longer, but it exists and no qualified candidate is blocked purely by network limitations.
Start the endorsement process immediately after passing. Don’t wait until month seven to look for an endorser. Candidates who submit early give themselves room to handle delays — endorsers go on vacation, email requests go to spam, and ISC2 review queues lengthen during busy periods. Nine months sounds like plenty of time until it isn’t.
The ISC2 Code of Ethics
CISSP certification requires subscribing to the ISC2 Code of Ethics. This isn’t a formality — it’s a binding commitment that can result in certification revocation if violated. The code establishes four mandatory canons:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure. Security professionals have obligations beyond their employers. Decisions affecting public safety, critical infrastructure, or widespread trust carry ethical weight regardless of business pressures.
- Act honorably, honestly, justly, responsibly, and legally. This covers truthfulness in professional representations, fair dealing with colleagues and clients, and compliance with applicable laws. Falsifying credentials, misrepresenting capabilities, or engaging in illegal activities violates this canon.
- Provide diligent and competent service to principals. You owe clients and employers your best professional effort. This includes staying current in your field, acknowledging limitations, and avoiding work outside your competence without appropriate support.
- Advance and protect the profession. CISSPs should contribute to the security community, mentor newcomers, and avoid actions that damage the profession’s reputation. This includes maintaining certification integrity and supporting ISC2’s mission.
Ethics complaints against CISSPs are investigated by ISC2. Substantiated violations can result in sanctions ranging from required training to permanent certification revocation. The code applies to all professional conduct, not just activities directly related to your certification or employer.
Maintenance Requirements: Keeping Your Certification Active
CISSP certification requires ongoing maintenance through continuing education and annual fees. These requirements ensure certified professionals stay current rather than coasting on credentials earned years ago.
Continuing Professional Education (CPE): You must earn 40 CPE credits every year, totaling 120 over each three-year certification cycle. At least 90 of those 120 must be Group A credits — activities directly related to cybersecurity. Up to 30 can be Group B credits covering broader professional development. CPE activities include training courses, conferences, self-study, publishing, teaching, and volunteer work in security.
Annual Maintenance Fee (AMF): The $125 yearly fee funds ISC2 operations, exam development, and member services. Payment is due annually on your certification anniversary. Missing payment suspends your certification regardless of CPE status.
Three-Year Certification Cycle: While CPE and AMF requirements are annual, CISSP operates on three-year certification cycles. At the end of each cycle, ISC2 reviews your compliance before renewing certification for the next cycle. Consistent annual compliance makes this renewal automatic. Let it slide and the catch-up process is unpleasant.
Failure to meet maintenance requirements results in suspension, then eventually revocation. Suspended certifications can be reinstated by satisfying outstanding requirements and back fees. Revoked certifications require retaking the exam entirely. Given the effort to earn CISSP initially, most professionals find maintenance straightforward when they treat CPE accumulation as an ongoing professional habit rather than an annual scramble.
The Associate Path: When You Don’t Yet Meet Experience Requirements
Candidates who pass the exam without meeting the five-year experience requirement become Associates of ISC2 rather than full CISSPs. The Associate designation provides a six-year window to accumulate qualifying experience while holding a recognized credential. Many candidates deliberately pursue this path — passing the exam while the material is fresh, then gaining experience toward full certification over the following years.
Associates passed the same exam as full CISSPs and demonstrated equivalent knowledge. The only difference is work history. For career changers, recent graduates, or professionals pivoting into security from adjacent roles, the Associate path allows immediate credential recognition rather than waiting years to even attempt the exam.
The Associate designation appears on the DoD 8140 approved baseline certifications list, qualifying holders for certain government and contractor positions. This makes the Associate path particularly valuable for those targeting federal security careers where even the Associate status moves candidates ahead of uncertified applicants.
Associates pay reduced maintenance fees — $50 annually versus $125 for full CISSPs — and earn fewer required CPE credits (15 annually versus 40) while building experience. Once they accumulate qualifying experience, they complete the standard endorsement process to convert to full CISSP status without retaking the exam.
How Long Does It Actually Take to Get CISSP?
The honest answer depends almost entirely on where you are in your career when you start. The experience requirement is the binding constraint for most candidates, not exam preparation.
Someone who enters the field at 22 with a security-adjacent degree and works consistently in security roles won’t be eligible for the full five-year path until they’re 27 at the earliest — or 26 with a degree waiver. Realistically, including time to prepare for and pass the exam, most people earn CISSP in their late twenties or early thirties following a direct path from entry-level security work.
Career changers who bring substantial adjacent experience — IT management, network engineering, compliance, software development — often qualify faster than they expect once they map their actual work history to CISSP domains. A network engineer with eight years of experience managing enterprise infrastructure may have been working in Communications and Network Security and Security Operations for years without categorizing it that way.
For candidates who already meet the experience requirement, exam preparation typically takes three to six months of serious study on top of a full-time job. People who rush it in four to six weeks generally struggle with the scenario-based questions that make CISSP genuinely hard. People who stretch it beyond a year often find their earlier study has faded. Three to four months of focused preparation, averaging 10 to 15 hours per week, is the range where most successful candidates land.
Planning Your Path to CISSP
The requirements create a logical sequence for certification planning:
1. Assess Your Current Experience
Map your work history to CISSP domains. Calculate cumulative qualifying years. Identify whether you meet the five-year, two-domain requirement or need the Associate path. Determine if you qualify for the one-year waiver through your degree or an approved credential — check ISC2’s current approved list, not a third-party summary.
2. Prepare for the Exam
Study the eight domains through the official ISC2 study guide, practice questions, and supplemental reading. Plan three to six months of preparation for most candidates. The exam tests broad knowledge and decision-making, not memorization of technical details. Practice applying concepts to realistic security scenarios, not reciting definitions.
3. Take and Pass the Exam
Schedule through Pearson VUE when you’re consistently scoring well on practice tests. The $749 exam fee is significant — ensure you’re prepared before booking. Consider ISC2’s Peace of Mind Protection ($998 for two attempts) if you want backup coverage. The CAT format means you could finish in as few as 100 questions or as many as 150.
4. Complete Endorsement Within Nine Months
Begin the endorsement process immediately after passing. Document your experience with specific, domain-mapped descriptions. Identify your endorser before you need them. Submit your application well before the nine-month deadline and allow four to eight weeks for processing. Missing this deadline means retaking the exam — don’t let it happen over a paperwork delay.
5. Maintain Your Certification
Track CPE credits throughout the year rather than scrambling at deadlines. Pay AMF annually. Engage with the profession through conferences, training, reading, and community involvement. Maintenance becomes routine when integrated into normal professional development rather than treated as a separate annual chore.
Common Questions About CISSP Requirements
Can I take the exam before having five years of experience?
Yes. You can take the exam at any point. If you pass without meeting experience requirements, you become an Associate of ISC2 with six years to accumulate qualifying experience. Many candidates prefer this approach — passing the exam while knowledge is fresh, then building experience toward full certification. There’s no penalty for taking this route.
Does IT experience without a security focus count?
Often, yes — more than candidates expect. General IT work frequently includes security-relevant activities that people overlook when assessing their eligibility. Managing user access, implementing patches, configuring firewalls, reviewing logs, responding to incidents, or developing security policies all count when they occurred within broader IT roles. Review your actual duties against CISSP domain descriptions, not just your job title.
What if I only have experience in one domain?
You don’t meet the experience requirement yet. The two-domain minimum is firm. However, most professionals working in security touch multiple domains without categorizing their work that way. Review the domain definitions carefully — you may have qualifying experience in a second domain that you hadn’t mapped to CISSP yet. If you genuinely only have single-domain experience, gaining exposure to a second domain should be a deliberate career development goal before pursuing certification.
What if I can’t find an endorser?
ISC2 can act as your endorser if you don’t know any ISC2 members personally. This option takes longer — ISC2 conducts more thorough verification when they’re the endorser — but it ensures no qualified candidate is blocked by network limitations. You can also connect with endorsers through local ISC2 chapters, professional security organizations like ISSA or ISACA, or the r/cissp community where many certified members offer to endorse qualified candidates they’ve gotten to know through the forum.
How strictly does ISC2 verify experience claims?
ISC2 relies primarily on endorser attestation and application review, but it may request additional documentation during random audits or when an application raises questions. False experience claims violate the Code of Ethics and can result in a permanent bar from certification. More practically, experienced endorsers recognize inflated descriptions — be specific and accurate rather than exaggerating scope or seniority.
Does CISSP expire?
CISSP operates on three-year cycles and requires ongoing maintenance rather than expiring like a driver’s license. As long as you earn 40 CPE credits annually, accumulate 120 over each three-year cycle, and pay the $125 Annual Maintenance Fee each year, your certification remains active indefinitely. Let the CPE or AMF lapse and your certification is suspended, then eventually revoked. There’s no age-out or automatic expiration for compliant holders.
Is CISSP recognized internationally?
Yes. CISSP holds ISO/IEC 17024 accreditation — the international standard for personnel certification programs — which ISC2 renewed in 2024. The certification is formally approved for U.S. Department of Defense cybersecurity workforce requirements under DoD 8140. It appears in government and enterprise security hiring frameworks in the United Kingdom, Canada, Australia, Singapore, and numerous other countries. The global holder base exceeds 165,000 professionals across more than 170 countries.
CISSP requirements exist to ensure the certification represents genuine expertise, not just exam performance. The experience threshold, endorsement process, and ongoing maintenance separate CISSP from credentials anyone can obtain through study alone. That’s what makes it worth the effort — and why it remains the benchmark credential for experienced security professionals in any market where it’s recognized.