How the Security Community Is Responding to CISSP’s April Waiver Deadline

March 2, 2026

When ISC2 announced in October 2025 that 31 credentials would be removed from the CISSP experience waiver list effective April 1, 2026, the ISC2 community forum thread filled quickly with questions, reactions, and strategic planning. With the deadline now weeks away, the conversation has shifted from surprise to action — and in some cases, to pointed criticism of ISC2’s rationale.

The change reduces the approved credential list from approximately 50 certifications to 25. Removed credentials include CISA, CRISC, CEH, OSCP, most GIAC certifications, and several Cisco, Microsoft, and vendor-specific credentials. Six were added — the newly standalone ISSAP, ISSEP, and ISSMP, along with three Zscaler certifications focused on zero trust architecture. Our full breakdown of the waiver changes covers which credentials remain and which are being removed.

What Practitioners Are Doing About It

The most common response in community forums has been accelerated exam scheduling. Candidates who hold CISA, OSCP, GCIH, or other affected credentials and have four years of qualifying experience are rushing to submit endorsement applications before April 1. The key deadline is the application submission date, not the exam date, so candidates needed to have already passed the exam to benefit from the existing list. Those who passed months ago but hadn’t yet submitted their endorsement application are the ones most urgently affected.

Some community members have noted one underappreciated detail: the four-year degree waiver is entirely unaffected by these changes. Candidates with a bachelor’s or master’s degree in computer science, information technology, or a related field can still reduce the experience requirement from five years to four, regardless of which credentials are on or off the approved list. The waiver changes only affect those relying on a certification rather than a degree as their waiver source.

The debate about ISC2’s reasoning has been substantive. One frequently cited community comment noted that the retention of all ISC2-issued credentials while removing competitors’ certifications raises legitimate questions about competitive motivation versus professional standards. ISC2 framed the change as adding rigor and ensuring candidates have directly relevant security management experience — the removal of highly technical credentials like OSCP and GCIH fits that rationale more clearly than the removal of governance credentials like CISA and CRISC, which demonstrably overlap with CISSP’s own domain content.

ISC2’s response in community threads has been to point candidates toward the official announcement and the updated approved list without engaging directly in the competitive motivation debate. For candidates whose plans are affected, the practical path is clear: apply before April 1 if you have the experience and a credential currently on the list, or proceed with the full five-year requirement after April 1. The ISC2 experience requirements page has the current approved list and eligibility details.