ISC2 announced a significant reduction to the list of credentials that satisfy a one-year experience waiver for CISSP certification. Effective April 1, 2026, the approved credential list shrinks from approximately 50 certifications to just 25. Candidates holding credentials like Certified Ethical Hacker, CISA, CRISC, OSCP, and most GIAC certifications will no longer be able to use them to reduce the five-year experience requirement.
The change applies to anyone who submits their CISSP certification application on or after April 1, 2026. Candidates who apply before that date can still use the current expanded list. This creates a sixteen-month window for professionals who want to leverage existing credentials toward CISSP eligibility under the more lenient rules.
What the Experience Waiver Actually Does
CISSP requires candidates to demonstrate a minimum of five years cumulative, full-time work experience in two or more of the eight CISSP domains. ISC2 allows candidates to reduce this requirement by one year through two pathways: holding a four-year college degree in computer science, IT, or related fields, or holding an approved industry credential from ISC2’s list.
The waiver doesn’t stack. You cannot use both a degree and a credential to eliminate two years from the requirement. One year is the maximum reduction regardless of how many qualifying credentials or degrees you hold. This limitation means the waiver primarily benefits candidates who are close to meeting the full requirement and need that extra year to qualify.
For candidates without the required experience, the Associate of ISC2 pathway remains unchanged. You can pass the CISSP exam and hold Associate status for up to six years while accumulating the necessary work experience. The credential waiver changes only affect those seeking to use existing certifications to reduce the experience requirement.
Major Certifications Getting Cut
The removal list includes several high-profile certifications that many security professionals assumed would always count toward CISSP. The decision to cut these credentials signals ISC2’s effort to ensure candidates have directly relevant security management experience rather than specialized technical skills that may not transfer to CISSP’s broad scope.
31 Certifications Being Removed After April 1, 2026
- ISACA Certifications: Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Internal Auditor (CIA)
- EC-Council Certifications: Certified Ethical Hacker (CEH) v8+, Computer Hacking Forensic Investigator (CHFI), EC-Council Certified Security Specialist (ECSS), EC-Council Certified SOC Analyst (CSA)
- GIAC Certifications: GCIH, GCFA, GSEC, GCIA, GCED, GCTI, GSTRT, GSNA
- Microsoft Certifications: AZ-500 Azure Security Engineer Associate, Identity and Access Management, Security Operations Analyst
- Offensive Security: OSCP/OSCE (Offensive Security Certified Professional/Expert)
- Other: INE eCPPT, INE eJPT, Cisco CyberOps Associate/Professional, CWSP, CCE, CPP from ASIS, CIW Web Security Professional/Specialist, IRCA Lead/Principal Auditor, JNCIE-SEC, CSA CCSK
The removal of ISACA certifications like CISA and CRISC stands out as particularly significant. These credentials represent substantial investment and demonstrate expertise in audit and risk management, domains that overlap considerably with CISSP content. Similarly, the removal of OSCP surprises many professionals who view it as one of the most rigorous technical certifications available.
The removal of all but four GIAC certifications sends a clear message. GIAC credentials emphasize deep technical specialization in areas like incident handling, forensics, and penetration testing. While valuable for technical roles, ISC2 apparently determined that they don’t adequately prepare candidates for CISSP’s management and governance focus.
What Stays on the Approved List
The credentials remaining on the approved list share common characteristics: they either demonstrate broad security management knowledge, represent ISC2’s own certification portfolio, or cover foundational security concepts that align with CISSP’s scope.
- CompTIA Track: Security+, CySA+, CASP+, and SecurityX all remain on the approved list. These certifications emphasize broad security knowledge rather than narrow technical skills, which aligns with CISSP’s management orientation.
- ISACA’s CISM: Certified Information Security Manager survives while CISA and CRISC do not. CISM focuses specifically on security management, making it philosophically aligned with CISSP’s approach.
- ISC2 Certifications: SSCP, CCSP, CGRC, CSSLP, HCISPP, and the newly standalone ISSAP, ISSEP, and ISSMP concentrations all remain. These credentials share CISSP’s philosophical approach to security.
- Enterprise Networking: Cisco CCNA, CCNP Security, and CCIE Security stay on the list, recognizing that enterprise network security experience translates to CISSP domains.
- Select GIAC: Four GIAC certifications survive: GICSP (Industrial Cyber Security), GISF (Information Security Fundamentals), GISP (Information Security Professional), and GSLC (Security Leadership).
- Cloud Security: AWS Certified Security Specialty and Microsoft Certified Cybersecurity Architect remain, along with three new Zscaler certifications focused on zero trust architecture.
ISC2’s own certifications dominate the remaining list. Retaining them makes strategic sense from ISC2’s perspective, and it also reflects the fact that these credentials share CISSP’s philosophical approach to security.
Six Credentials Added to the List
While cutting 31 certifications, ISC2 added six new ones to the approved list. Three of these represent ISC2’s CISSP concentration credentials that recently became standalone certifications: ISSAP for security architecture, ISSEP for security engineering, and ISSMP for security management. These advanced credentials previously required active CISSP status, so their inclusion makes logical sense for the pathway.
The remaining three additions come from Zscaler: ZDTA (Digital Transformation Administrator), ZDTE (Digital Transformation Engineer), and ZDXA (Digital Experience Administrator). These vendor-specific credentials focus on zero trust architecture and cloud security transformation. Their inclusion signals ISC2’s recognition that zero trust concepts have become fundamental to modern security architecture, a topic receiving increased emphasis in recent CISSP exam updates.
Why ISC2 Made This Change
ISC2’s announcement frames this change as adding rigor to the certification process. The organization wants to ensure CISSP candidates have directly relevant security experience rather than tangentially related credentials. A penetration tester with OSCP has demonstrated remarkable technical skills, but those skills may not translate to the governance, risk management, and strategic thinking that CISSP emphasizes.
The pattern in removed certifications suggests ISC2 prioritized cutting credentials that focus on technical execution over security management. Incident handlers, forensic analysts, penetration testers, and security auditors all do essential work, but their day-to-day activities differ significantly from the security leadership CISSP targets. The certification has always positioned itself as a management credential, and this waiver change reinforces that positioning.
Some community members view this skeptically, seeing it as an attempt to funnel candidates toward ISC2’s own certifications. The complete retention of ISC2 credentials while cutting competitors’ certifications certainly supports this interpretation. However, ISC2 also retained the full CompTIA track and CISM from ISACA, suggesting the decision wasn’t purely competitive.
The timing aligns with broader industry discussions about certification value. As the cybersecurity workforce grows, distinguishing between candidates becomes more difficult. Tightening CISSP’s experience requirements helps maintain its premium positioning in a market increasingly crowded with security certifications.
Impact on Different Candidate Profiles
CEH or OSCP Holders Planning CISSP
Professionals who invested in Certified Ethical Hacker or Offensive Security certifications expecting to use them toward CISSP have until March 31, 2026, to submit their certification application under the current rules. If you have four years of qualifying experience and one of these credentials, acting before the deadline lets you use the waiver. From April 1, 2026, you’ll need the full five years regardless of your penetration testing credentials.
CISA or CRISC Holders in GRC Roles
Governance, risk, and compliance professionals often hold ISACA certifications alongside or instead of CISSP. If you planned to use CISA or CRISC toward CISSP, the deadline matters. These credentials demonstrate significant expertise that overlaps with CISSP domains, but ISC2 no longer considers them equivalent for waiver purposes after April 2026. Consider whether pursuing CISM first makes strategic sense, as it remains on the approved list.
Security Analysts with GIAC Certifications
GIAC certifications like GCIH, GCFA, and GSEC represent substantial time and financial investment. Security analysts who pursued this track expecting to apply those credentials toward the CISSP waiver face a decision point. The change removes every GIAC credential except four (GICSP, GISF, GISP, GSLC). If you hold one of the remaining credentials, you’re unaffected. If you hold only removed GIAC certifications, you’ll need the full five years of experience or must apply before April 2026.
Cloud Security Professionals
The removal of CCSK while adding Zscaler certifications creates an interesting dynamic for cloud security specialists. AWS Security Specialty and Microsoft Cybersecurity Architect both stay, but the vendor-neutral CCSK goes. Cloud professionals might consider which credentials align with both their cloud platform focus and their CISSP pathway goals. The addition of Zscaler certifications suggests zero trust expertise may carry increasing weight in security credentialing.
Strategic Options for Affected Candidates
Candidates holding credentials being removed have several strategic options depending on their timeline and current experience level.
Apply before the deadline. If you have four years of qualifying experience and a credential currently on the list, submitting your CISSP application before April 1, 2026 lets you use the waiver under existing rules. This requires passing the exam and completing endorsement before the deadline, so plan accordingly. The CISSP exam typically requires three to six months of serious preparation for most candidates.
Earn a credential that stays on the list. If you’re not ready to pursue CISSP immediately, consider whether earning Security+, CySA+, CISM, or another remaining credential makes sense for your career anyway. These certifications have value beyond the CISSP waiver and might fill gaps in your professional profile. CISM in particular pairs well with CISSP goals given their shared management focus.
Accept the full experience requirement. For candidates early in their careers, the one-year difference may not significantly impact their timeline. Focus on gaining qualifying experience across multiple CISSP domains rather than credential chasing. Quality experience matters more than marginal time savings.
Use the Associate pathway. Pass the CISSP exam when ready and hold Associate of ISC2 status while accumulating experience. The six-year window provides flexibility for career development without pressure to meet experience requirements immediately.
Critical Deadline Reminder
The waiver change takes effect based on application submission date, not exam date. You must submit your complete CISSP certification application by March 31, 2026 to use the current credential list. This means passing the exam and gathering all endorsement documentation well before the deadline. Don’t wait until March 2026 to start your CISSP journey if you need the waiver.
The Four-Year Degree Waiver Remains Unchanged
Importantly, the four-year degree waiver continues without modification. Candidates with bachelor’s or master’s degrees in computer science, information technology, or related fields can still reduce the experience requirement by one year. This pathway remains available regardless of credential changes.
The degree waiver and credential waiver don’t stack. Holding both a qualifying degree and a qualifying credential still only reduces the requirement by one year total. If you have a relevant degree, the credential waiver changes may not affect you at all, since you already have access to the maximum one-year reduction.
For candidates without degrees in technical fields, the credential waiver provided an alternative pathway to the same one-year reduction. The narrowing of the approved credential list makes this alternative more selective but doesn’t eliminate it entirely.
What This Means for CISSP’s Market Position
ISC2’s decision to tighten experience waiver requirements reflects confidence in CISSP’s market position. The certification doesn’t need to make concessions to attract candidates. According to O’Reilly’s 2025 Technology Trends report, CISSP remains the certification most commonly required by employers, with usage up 11% year over year on their learning platform.
The change also positions CISSP more clearly as a management credential distinct from technical certifications. By removing OSCP, GCFA, GCIH, and similar technical credentials from the waiver list, ISC2 signals that hands-on security skills don’t automatically translate to security leadership qualifications. This reinforces CISSP’s target audience: experienced security professionals moving toward or already in management roles.
Critics argue the change creates artificial barriers that benefit ISC2 financially by driving candidates toward ISC2’s own certifications. Supporters counter that maintaining rigorous standards protects the credential’s value for everyone who holds it. Both perspectives have merit, and the long-term impact will depend on how the market responds.
Timeline Summary and Action Items
For candidates affected by these changes, here’s the practical timeline:
- Now through early 2026: Evaluate whether you need the credential waiver, determine if your credentials are being removed, and decide whether to accelerate your CISSP timeline.
- Q3-Q4 2025: If pursuing CISSP under current rules, begin serious exam preparation. Most candidates need three to six months of focused study.
- Q1 2026: Final window to pass the exam and submit the endorsement application under current waiver rules. Don’t wait until March, as processing takes time.
- April 1, 2026: New credential list takes effect. Applications submitted on or after this date must use the reduced list of 25 approved credentials.
The credential waiver change represents one of the most significant modifications to CISSP requirements in recent years. Whether you view it as necessary quality control or unnecessary barrier creation, the practical reality is that affected candidates have a defined window to act. Those who need the waiver should plan accordingly; those who don’t can focus on the more important work of building genuine security expertise that CISSP is designed to validate.