The April 1, 2026 deadline ISC2 announced in October 2025 is now in effect. Any CISSP certification application submitted on or after April 1 must use the updated, reduced credential list for the one-year experience waiver. The list dropped from approximately 50 credentials to 25, removing CISA, CRISC, CEH, OSCP, most GIAC certifications, and a range of vendor-specific credentials. Six were added — including the newly standalone ISSAP, ISSEP, and ISSMP.
For candidates who held affected credentials and submitted their endorsement applications before April 1, nothing changes. ISC2 has been clear that the cutoff is application submission date, not exam date or endorsement completion date. If the paperwork was in before the deadline, the old list applies. For everyone else applying now, the new list is in effect with no exceptions. The full current approved credential list is on ISC2’s CISSP experience requirements page.
What Affected Candidates Should Actually Do
If you hold a credential that was removed and have four years of qualifying experience but missed the deadline, you have three practical options. The first is straightforward: work toward five years of experience and apply without a waiver. The full experience requirement has always been the primary pathway, and it remains entirely viable. The second option is to earn one of the 25 credentials that remain on the approved list — CompTIA Security+, CySA+, CASP+, or SecurityX are the most accessible, with CISM representing the strongest alignment with CISSP’s management focus for professionals already working in security leadership. The third option is the Associate of ISC2 pathway: pass the CISSP exam, hold Associate status, and use the six-year window to accumulate the remaining qualifying experience.
One waiver pathway remains completely unaffected: a four-year college degree in computer science, information technology, or a related field still satisfies the one-year waiver just as it always has. Candidates with a qualifying degree don’t need to hold any approved credential — they already have access to the maximum one-year reduction. For this group, the April 2026 changes are irrelevant to their certification timeline.
The credentials that remain on the approved list are not arbitrary. CompTIA’s full security track, CISM, ISC2’s own credential family, Cisco’s enterprise security path, AWS Security Specialty, and Microsoft Cybersecurity Architect all stayed. The pattern is broad security knowledge and management alignment rather than narrow technical specialization. That pattern also happens to describe what employers are consistently asking for in the market right now — the 2025 ISC2 Workforce Study’s shift to a skills-over-headcount framing said the same thing from a different direction. CISSP has always been a management credential at its core, and the waiver list now more clearly reflects that positioning.
For candidates currently in the middle of their preparation journey: keep going. The exam content hasn’t changed, the experience requirements outside of the waiver haven’t changed, and the credential’s market value hasn’t changed. The waiver modification is one input into your timeline planning — it affects some candidates significantly and others not at all. Verify where your specific situation falls, adjust your timeline if needed, and focus on the preparation that matters regardless of which pathway you’re on.