The CISSP is one of the most respected cybersecurity certifications in the world, and it comes with a meaningful barrier to entry: you must demonstrate real, paid work experience in information security before ISC2 will issue the full credential. This experience requirement is not a formality. It exists to ensure that CISSP holders have the practical background to apply security management principles in enterprise environments, not just pass a multiple-choice test.
Understanding the experience requirements before you sit the exam is critical. Many candidates pass the CISSP exam only to discover their work history doesn't qualify for the full credential, leaving them scrambling to find an endorser or re-categorize their experience. This guide walks through every aspect of the ISC2 experience and endorsement requirements so you can plan ahead.
Key Rule
You need 5 cumulative years of paid, full-time work experience in at least 2 of the 8 CISSP domains. A 4-year college degree or a credential from the ISC2 approved education waiver list substitutes for 1 year of the 5-year requirement, reducing the threshold to 4 years. Part-time experience counts on a prorated basis.
The 8 CISSP Domains and What Qualifies
Your work experience must fall within at least 2 of the 8 CISSP Common Body of Knowledge (CBK) domains. The experience must be paid (volunteer work doesn't qualify), full-time (or prorated part-time), and directly related to security work within that domain. Here's a practical summary of what each domain covers and what types of roles would qualify.
- Security & Risk Management: risk assessments, policy development, compliance programs, governance frameworks, BCP/DRP planning
- Asset Security: data classification, asset inventory management, data lifecycle, retention and disposal policies
- Security Architecture & Engineering: security system design, cryptography implementation, secure architecture review, physical security design
- Communication & Network Security: network security design, firewall administration, VPN management, secure protocol implementation
- Identity & Access Management: IAM platform administration, directory services, SSO/MFA implementation, privileged access management
- Security Assessment & Testing: penetration testing, vulnerability assessments, security audits, compliance assessments, code reviews
- Security Operations: SOC operations, incident response, forensics, threat hunting, SIEM management, patch management
- Software Development Security: secure SDLC implementation, code review, DevSecOps, application security testing, SAST/DAST
Education Waivers: Reduce 5 Years to 4
ISC2 allows certain educational credentials to substitute for one year of the required work experience. This reduces the requirement from 5 years to 4 years of qualifying work experience. The following qualify for this waiver:
- A 4-year college degree (bachelor's degree or regional equivalent)
- A master's degree in information security or a related field
- ISC2-approved credentials on the official waiver list, including CISSP concentrations, CCSP, SSCP, and dozens of other certs from CompTIA, EC-Council, ISACA, and more
The full list of approved credentials is published on the ISC2 CISSP experience requirements page. If you hold a relevant certification, check the list before assuming it qualifies. Not all security certifications are on the approved waiver list.
Part-Time Experience Rules
Part-time work experience counts toward CISSP eligibility on a prorated basis. ISC2 calculates this based on a 35-hour work week as the baseline for full-time equivalency. If you worked 17.5 hours per week in a qualifying role, that year of part-time work counts as 6 months toward your 5-year requirement. Document your hours carefully.
Two Paths to CISSP: Standard vs. Associate
Standard CISSP Path
- Have 5 years qualifying experience (or 4 with education waiver)
- Pass the CISSP CAT exam (700/1000)
- Submit endorsement within 9 months
- ISC2 approves your application
- Pay AMF, agree to Code of Ethics
- Receive CISSP certification immediately
Associate of ISC2 Path
- Don't have 5 years experience yet
- Pass the CISSP exam first
- Become an Associate of ISC2
- Accumulate qualifying experience within 6 years
- Submit endorsement when experience is met
- Upgrade to full CISSP credential
The Endorsement Process: Step by Step
After passing the CISSP exam, you have 9 months to have your experience endorsed by an active ISC2 member in good standing. The endorser doesn't need to be your direct manager or employer. They need to attest that your claimed work experience is accurate and represents genuine security work within the stated CISSP domains. Here's exactly how the endorsement process works:
Step 1: Pass the CISSP Exam
Your 9-month endorsement window begins after your exam date. You'll receive a Candidate ID from ISC2 that you'll use throughout the application process.
Step 2: Identify an Endorser
Find a currently active ISC2 member (CISSP, CCSP, SSCP, etc.) in good standing who can vouch for your work experience. This can be a colleague, manager, client, or even a professional contact who knows your work history. They must have an active ISC2 membership and no disciplinary record.
Step 3: Complete the Endorsement Application
Fill out the online endorsement application in your ISC2 account portal. Document your work experience by domain, employer, dates, and a description of your responsibilities. Be specific and use CISSP CBK terminology to describe your tasks.
Step 4: Endorser Reviews and Submits
Your endorser receives an email to review and digitally sign your application. They are attesting to the accuracy of your stated experience. They are not required to provide detailed verification, but they are professionally and ethically responsible for their attestation.
Step 5: ISC2 Reviews and Approves
ISC2 reviews your application. A random sample of applications is audited, in which case additional documentation may be requested. A typical review takes 4–6 weeks after submission.
Step 6: Pay AMF and Agree to Ethics
After approval, pay the annual maintenance fee ($125/year) and subscribe to the ISC2 Code of Ethics. Your CISSP certification is then issued and you're listed in the ISC2 directory.
What If You Can't Find an Endorser?
If you genuinely cannot find an ISC2 member to serve as your endorser, perhaps because you're transitioning into cybersecurity from another field, ISC2 can act as your endorser directly. This ISC2 self-endorsement process takes longer and involves more scrutiny, but it ensures that candidates without an existing ISC2 network are not blocked from certification. Contact ISC2 support to initiate this process before your 9-month window expires.
Common Documentation Mistakes
Vague descriptions like "managed security" fail. Use domain-specific language: "Conducted quarterly vulnerability assessments using Nessus across 300+ servers in Domain 6." Be precise about dates, hours, and responsibilities.
Don't Wait Until the Last Minute
Many candidates procrastinate on endorsement. Your 9-month window goes fast. Start identifying potential endorsers and documenting your experience immediately after passing the exam.
Build Your ISC2 Network Now
Join ISC2 local chapters, LinkedIn groups, and online communities before you need an endorser. Professional relationships built over months are easier to convert to endorsement relationships than last-minute requests to strangers.
Audit Risk is Real
ISC2 audits a percentage of applications. Keep documentation of your employment (pay stubs, tax records, project documentation, reference letters) for at least 3 years after certification in case you're selected for audit.
Pass CISSP on Your First Attempt! Guaranteed!
The ISC2 5-year, 2-domain experience requirement rewards real, hands-on security work. CertLabz Skill Tracks are designed to map directly to CISSP CBK domains so the time you put in translates into qualifying experience and audit-ready evidence. Pair the CISSP Domain Refresher certificate course with the Cybersecurity Analyst Skill Track to cover Security Operations, Identity & Access Management, Security Assessment & Testing, and Communication & Network Security with practical labs you can document on your endorsement application.