The CISSP is one of the most respected credentials in cybersecurity, but its experience requirement is a real barrier for early-career professionals. ISC2 recognized this and created a formal pathway: the experience waiver, which lets you pass the exam first and earn the experience credential later, without losing your exam results.
What Is the CISSP Experience Waiver?
The term "experience waiver" is a bit of a misnomer. ISC2 isn't waiving your experience requirement; they're deferring it. If you pass the CISSP exam but don't yet have 5 years of paid, full-time work experience in at least 2 of the 8 CISSP domains, you become an Associate of ISC2 rather than a full CISSP holder.
As an Associate, you have 6 years to accumulate the required experience. Once you meet it, you submit an endorsement application and upgrade to full CISSP status. Your exam results are preserved the entire time, so you won't need to retake the exam.
Key Distinction
The experience waiver doesn't eliminate the experience requirement; it splits the process. You earn the knowledge credential now and the full professional credential once your career validates it. This is by design: ISC2 wants CISSPs to have real-world security leadership experience, not just exam knowledge.
Who Qualifies for the Associate of ISC2 Path?
Anyone who passes the CISSP exam without meeting the full experience requirement automatically becomes an Associate of ISC2. There's no separate application to "apply" for Associate status; it happens automatically when you pass but can't yet submit a full endorsement.
Common candidates for this path include:
- Recent graduates who passed CISSP early in their career
- IT professionals transitioning into cybersecurity roles
- System administrators with fewer than 5 years in dedicated security roles
- Professionals with relevant experience in some domains but not yet 5 years total
Full CISSP from Day One
- 5+ years paid experience
- At least 2 CISSP domains
- Pass the CISSP exam (≥700/1000)
- Submit endorsement within 9 months
- Annual AMF: $125/year
- No waiting period for full credential
Pass First, Experience Later
- Pass the CISSP exam (≥700/1000)
- Become Associate of ISC2 immediately
- 6 years to earn full experience
- Reduced AMF: $50/year as Associate
- Submit endorsement when ready
- Upgrade to CISSP automatically
What Counts as Qualifying Experience?
ISC2 is specific about what counts. Experience must be paid, full-time work (or part-time equivalent: 2,000 hours/year). Volunteer, intern, or part-time hours can count if they reach the equivalent of full-time work. The experience must be in the security work described in one or more of the 8 CISSP domains.
Domain 1: Security & Risk Management
Risk analysis, security governance, compliance frameworks, ethics
Domain 2: Asset Security
Data classification, data lifecycle, privacy protection
Domain 3: Security Architecture
Secure design principles, models, and frameworks
Domain 4: Communication & Network Security
Network protocols, secure communications, firewalls
Domain 5: Identity & Access Management
IAM, authentication systems, authorization mechanisms
Domain 6: Security Assessment & Testing
Vulnerability assessments, pen testing, audit strategies
Domain 7: Security Operations
Incident response, logging, monitoring, investigations
Domain 8: Software Development Security
Secure SDLC, code review, application security controls
Can Education Substitute for Experience?
Yes. ISC2 allows two types of academic waivers, plus a waiver for approved certifications, that reduce the total experience requirement:
- 4-year college degree (or equivalent): Waives 1 year of the 5-year experience requirement. You'll only need 4 years of qualifying work experience instead of 5.
- Master's degree in Information Security or a related field: Also waives 1 year. However, these two academic waivers are not cumulative; the maximum waiver is 1 year regardless of how many degrees you hold.
- Approved certifications: Holding certain certifications (like CCSP, SSCP, or others on ISC2's approved list) can waive 1 year of experience.
Bottom line: With a bachelor's degree, you need 4 years of experience across 2 CISSP domains. With a master's, same thing: 4 years. With both a bachelor's and a relevant certification, still 4 years (1-year max waiver). Without any degree or credential, you need the full 5 years.
Step-by-Step: The Associate of ISC2 Journey
1. Register and sit the CISSP exam
Schedule through Pearson VUE. The CAT exam delivers 125–175 adaptive questions. Passing score is 700/1000 on a scaled score. Cost: approximately $749 USD.
2. Receive your preliminary pass result
You'll receive a paper notice at the testing center immediately after. The official pass letter arrives via email within a few weeks.
3. Create your ISC2 account (if you haven't already)
Go to isc2.org and create your member account. Your exam results will be linked to this account automatically.
4. Automatically receive Associate of ISC2 status
If you don't yet have the 5-year requirement, ISC2 will contact you about your Associate status. You can use "Associate of ISC2" in your professional credentials immediately.
5. Pay your annual AMF ($50/year)
Associates pay a reduced Annual Maintenance Fee. This keeps your credential active and counts toward your experience window.
6. Accumulate qualifying experience (up to 6 years)
Track your experience in ISC2's online system. Aim for at least 2 domains. Keep documentation: job titles, dates, responsibilities.
7. Submit your endorsement application
An active CISSP member must endorse you. They verify your experience is real and aligns with the domains. Submit through your ISC2 online profile.
8. ISC2 review and CISSP status granted
ISC2 audits approximately 10% of endorsements. If approved, you're upgraded to full CISSP. Your AMF increases to $125/year and your renewal cycle begins.
What Happens If You Don't Meet Experience in 6 Years?
If 6 years pass and you still don't have the qualifying experience, your Associate of ISC2 status expires and your exam results are forfeited. You would need to retake the CISSP exam from scratch, paying the full exam fee again and starting the process over.
This is rare, but it's a real risk for professionals who pass the exam very early in their career and then move into non-security roles. The safest approach: ensure your current or upcoming role involves at least some work that maps to CISSP domains, and document it consistently.
Tips for Documenting Your Experience
Use ISC2's Online Experience Tool
ISC2 provides an online portal to log your work experience by domain as you accumulate it. Don't wait until year 6 to document everything from memory.
Keep Job Descriptions
Save copies of your job descriptions, performance reviews, and project documentation. These help your endorser verify your domain alignment confidently.
Find Your Endorser Early
Your endorser must be an active CISSP in good standing. Identify someone now (a manager, mentor, or professional contact) rather than scrambling later.
Map Your Role to Domains
Review each CISSP domain and identify which tasks in your current role align with them. Even a general IT role often overlaps with Security Operations or IAM.
Associate of ISC2 vs. Full CISSP on a Resume
The Associate of ISC2 credential is publicly listed in ISC2's online member directory and is considered a legitimate, verified credential. Many employers view it favorably because it demonstrates:
- You passed one of the hardest certification exams in cybersecurity
- You have the knowledge base of a CISSP, even without the experience yet
- You're committed to earning the full credential
On your resume, list it as "Associate of ISC2 (CISSP Candidate)", never as "CISSP" alone, as that would be misrepresenting a credential you haven't fully earned. ISC2 takes misrepresentation seriously and has revoked credentials for it.
Comparing the CISSP Experience Requirement to Other Certs
Frequently Asked Questions
The CISSP experience waiver allows candidates who pass the CISSP exam but lack the required 5 years of paid work experience to become an Associate of ISC2 instead of a full CISSP. They have 6 years to earn the remaining experience.
Yes. A 4-year college degree (or regional equivalent) can waive 1 year of the required experience. A master's degree in information security can also waive 1 year. However, these are not cumulative; the maximum waiver from education is 1 year total.
Associates of ISC2 have 6 years from the date they pass the CISSP exam to accumulate the required 5 years of paid, full-time work experience in at least 2 of the 8 CISSP domains.
Yes. Associates of ISC2 must pay a reduced Annual Maintenance Fee (AMF) of $50 per year, compared to the full CISSP AMF of $125 per year.
If 6 years pass without meeting the experience requirement, your Associate of ISC2 status expires and your exam results are forfeited. You would need to retake the CISSP exam from scratch.
No. You must use the designation "Associate of ISC2", never "CISSP" alone. Misrepresenting your credential status violates ISC2's Code of Ethics and can result in revocation of your Associate status.
Part-time work counts on a prorated basis. ISC2 requires full-time equivalent experience, so 2 years of half-time security work equals 1 year of qualifying experience. You must document the hours worked to demonstrate the equivalence.
A master's degree in information security or a related field can waive 1 year of the 5-year experience requirement. However, the education waiver is capped at 1 year total regardless of how many degrees you hold.
If you cannot find an active CISSP holder to endorse you, ISC2 can act as your endorser. Contact ISC2 directly to request this option. They will conduct a more thorough audit of your experience documentation.
No. Associates of ISC2 are not required to earn Continuing Professional Education (CPE) credits. They only need to pay the annual $50 AMF. CPE requirements begin once you achieve full CISSP status (40 CPEs per year).
Yes, military information security experience absolutely counts. Many DoD and military roles align directly with CISSP domains, especially Security Operations, Identity and Access Management, and Security Architecture. Document your military duties mapped to specific domains.
CertLabz offers the CISSP Domain Refresher course cert with 125+ practice questions across all 8 domains, detailed explanations for every answer, domain-by-domain progress tracking, and flashcards. Plans start at just $10 per month.
The Cybersecurity Analyst Skill Track gives Associates of ISC2 hands-on practice across 10 lab modules and 30 real-world labs that map directly to CISSP domains such as Security Operations, Identity and Access Management, and Security Assessment and Testing. After completing the 75-question SkillTracker exam, you earn 11.5 to 13 CPE credits and a blockchain-verified, LinkedIn-shareable certificate that documents domain-aligned work for your endorsement application.

