CCSP Experience Requirements: What Actually Qualifies and How ISC2 Evaluates Your Background


The five-year figure is the first thing most people check when they look at the CCSP experience requirements. What catches them off guard is that five years in IT is only the starting point. ISC2 structures the CCSP requirement in three distinct layers, and you need to satisfy all three separately. Many candidates with strong general cybersecurity backgrounds assume they qualify, then discover they are short on the one year of domain-specific cloud experience that ISC2 also requires.

Others with real cloud experience assume it automatically counts without checking whether their specific tasks map to what ISC2 actually needs. This guide helps you evaluate your background against all three layers, so you know exactly where you stand.

For a complete overview of all CCSP eligibility requirements, including exam format, fee, waivers, endorsement, AMF, and CPE credits, see our CCSP prerequisites guide. This article focuses specifically on what counts as qualifying work experience and how ISC2 evaluates it.

How ISC2 Evaluates Your CCSP Work Experience

ISC2 evaluates your CCSP work experience with a focus on the relevance and quality of the security tasks you performed rather than the title you held. Having "cloud" or "security" in your job title helps make your application clear, but it is not what determines eligibility. What ISC2 is looking for is evidence that your actual day-to-day responsibilities involve work that maps to the six CCSP domains at the appropriate level of each layer.

This matters because cloud security work shows up in roles that do not always carry obvious titles. Your work as a systems architect who designed cloud-native infrastructure with security controls built in qualifies. Your work as a compliance manager who assessed cloud vendor contracts against regulatory frameworks qualifies. Your work as a DevOps engineer who integrated security into deployment pipelines qualifies. What connects all of these is not the title but the nature of the tasks and how they map to the domains ISC2 uses to define cloud security expertise.

The key is connecting your specific responsibilities to the CCSP's six domains. Focus on what you actually did rather than how your role was described.

Understanding the Three-Layer Requirement

Before mapping your experience to specific domains, it helps to understand how the three layers of the CCSP requirement fit together. They are not three separate pools of experience that add up to a total. They nest inside each other, which means the same years of work can satisfy multiple layers simultaneously:

  • Five years of cumulative paid work experience in information technology
  • Three of those years in cybersecurity specifically
  • One of those years in one or more of the six CCSP domains

Layer 1: Five Years in Information Technology

The broadest layer requires five years of cumulative paid work experience in information technology. This covers the full scope of IT work, including infrastructure, networking, software development, systems administration, and any security-related role. If you have spent five years working in any professional IT capacity, you likely satisfy this layer.

Layer 2: Three Years in Cybersecurity

Within your five years of IT experience, at least three of those years must be in cybersecurity specifically. This means work where your primary responsibilities involved protecting systems, data, or infrastructure from security threats. General IT work that touches on security peripherally does not satisfy this layer on its own. The three cybersecurity years must be drawn from within your five IT years, not on top of them.

Layer 3: One Year in a CCSP Domain

Within your three years of cybersecurity experience, at least one year must be in one or more of the six CCSP domains. This is the most specific layer and the one where candidates most often fall short. General cybersecurity work qualifies for Layer 2, but ISC2 also needs to see at least one year where your work was specifically cloud security in nature. That one domain year must be drawn from within your three cybersecurity years, not added on top.

To put it plainly: if you have three years in cybersecurity but all of it was on-premises infrastructure with no cloud security responsibilities, you satisfy Layer 2 but not Layer 3. You would need to build the cloud-specific year before you can qualify for full certification.

What Counts as Qualifying Experience: A Domain-by-Domain Guide

This is where most people need the most clarity. Knowing the structure of the requirement is one thing. Knowing whether your specific daily tasks actually qualify for the domain layer is another. The following breakdown gives you concrete examples of what counts within each of the six CCSP domains so you can map your own work history accurately.

Domain 1: Cloud Concepts, Architecture and Design

Qualifying work in this domain involves designing or evaluating secure cloud architectures and applying cloud security concepts at a strategic level. If you have designed cloud security reference architectures, evaluated cloud service provider capabilities against security requirements, applied the shared responsibility model to decisions about control placement, or assessed cloud deployment models for security trade-offs, your work maps here. 

You do not need to have built an enterprise cloud platform from scratch. Evaluating an existing architecture against security frameworks and recommending improvements counts just as much as building one from the ground up.

Domain 2: Cloud Data Security

Qualifying work in this domain involves protecting data across its lifecycle in cloud environments. If you have implemented data classification schemes for cloud-hosted data, managed encryption key lifecycles, defined data retention and destruction policies for cloud storage, applied data loss prevention controls in cloud platforms, or designed access controls for sensitive cloud data, your work maps here. Data governance professionals, cloud storage administrators with security responsibilities, and privacy officers who manage cloud data handling all regularly produce qualifying experience in this domain.

Domain 3: Cloud Platform and Infrastructure Security

Qualifying work in this domain involves securing the underlying cloud infrastructure, including compute, network, and storage components. If you have hardened virtual machines and containers, managed cloud network segmentation and security groups, secured cloud management planes and administrative interfaces, assessed vulnerabilities in cloud infrastructure components, or managed identity and access controls for cloud platform services, your work maps here. 

Cloud infrastructure engineers, platform security engineers, and DevSecOps professionals with infrastructure responsibilities frequently qualify in this domain.

Domain 4: Cloud Application Security

Qualifying work in this domain involves integrating security into the cloud application development and deployment lifecycle. If you have performed security reviews of cloud-native applications, integrated security testing into CI/CD pipelines, assessed APIs for security vulnerabilities, implemented secure authentication and authorization in cloud applications, or managed software composition analysis for cloud-deployed code, your work maps here. 

Application security engineers, DevSecOps professionals with a development focus, and security architects who review application designs all produce qualifying experience in this domain.

Domain 5: Cloud Security Operations

Qualifying work in this domain involves the day-to-day operational security of cloud environments. If you have monitored cloud environments for security events and anomalies, responded to security incidents in cloud platforms, managed cloud security posture management tools, performed forensic investigations of cloud resources, maintained business continuity and disaster recovery capabilities for cloud workloads, or managed vulnerability assessment programs for cloud infrastructure, your work maps here. 

Cloud security analysts, SOC professionals with cloud environment responsibilities, and incident responders who handle cloud-based threats all produce strong qualifying experience in this domain.

Domain 6: Legal, Risk and Compliance

Qualifying work in this domain involves managing the legal, regulatory, and risk dimensions of cloud security. If you have assessed cloud vendor contracts for security and compliance obligations, managed compliance programs for cloud environments against frameworks like ISO 27001, SOC 2, or PCI DSS, performed cloud risk assessments, handled data sovereignty and cross-border data transfer requirements, or advised on the legal implications of cloud service agreements, your work maps here. Compliance managers, GRC professionals with cloud vendor oversight, legal counsel with technology responsibilities, and risk analysts who assess cloud environments all qualify here.

If you want a visual overview of how all six domains connect and what each one covers in depth, the free CCSP MindMaps from Destination Certification show the domain relationships clearly, which helps when your experience touches multiple areas and you are trying to identify where your strongest mapping sits.

How ISC2 Calculates Your Years of Experience

ISC2 uses a precise calculation method to apply the CCSP experience requirement to different working arrangements. The same rules apply to each layer regardless of whether your work was full-time, part-time, or through an internship.

Full-Time Experience

ISC2 counts work experience monthly. To accrue one month of full-time work experience, you must have worked a minimum of 35 hours per week for four consecutive weeks. A standard 40-hour workweek satisfies this threshold. Full-time experience accrues at face value across all three layers: five years of full-time qualifying work is five years toward your requirement.

Part-Time Experience

Part-time work counts toward the requirement but converts to a full-time equivalent using a specific formula. For your part-time experience to qualify, you must work between 20 and 34 hours per week. The conversion works as follows:

  • 1,040 hours of part-time work equals 6 months of full-time equivalent experience
  • 2,080 hours of part-time work equals 12 months of full-time equivalent experience

This means if you have spent several years working 25 hours per week in a qualifying role, that experience counts toward the requirement. It takes longer to accumulate, but it counts fully once converted.

Internship Experience

Both paid and unpaid internships qualify toward the experience requirement, provided the work maps to the CCSP domains at the appropriate layer. The calculation method follows the same full-time and part-time framework, depending on your hours. 

There is one additional documentation requirement: you need a letter on official company or organization letterhead confirming your internship position, your responsibilities, and the duration of the placement. For academic internships, documentation from the registrar's office satisfies this requirement. Keep this documentation because it becomes part of your endorsement application.

The CCSP Experience Waivers

ISC2 offers three ways to reduce or eliminate the experience requirement, and each one works differently:

  • Qualifying degree: A four-year college degree in computer science, information technology, or a related field reduces the five-year IT experience requirement to four years
  • CSA CCSK certificate: The Certificate of Cloud Security Knowledge substitutes for one year of experience in one or more of the six CCSP domains
  • Active CISSP credential: Waives the entire CCSP experience requirement, so you only need to pass the exam

The degree and CCSK waivers cannot be combined to substitute for two years. The maximum substitution through either of those routes is one year total, and the same rule applies if you hold both a qualifying degree and the CCSK at the same time. 

Only the CISSP waives the requirement in full. For a complete breakdown of all CCSP eligibility requirements, see our CCSP prerequisites guide.

Roles That Qualify Even Without a Cloud Security Title

One of the most common concerns we hear is whether a background that does not include an explicit cloud security title is strong enough to qualify. The following role types regularly produce strong CCSP qualifying experience even when the title does not say "cloud" or "security."

Cloud Infrastructure and Platform Engineers

Your work configuring and managing cloud infrastructure components, securing virtual networks, hardening compute resources, managing identity and access controls for cloud platforms, and assessing the security posture of cloud environments maps directly to Domains 3 and 5. If your daily responsibilities involved making cloud infrastructure secure rather than simply operational, you have qualifying experience regardless of your title.

DevOps and DevSecOps Professionals

Your work integrating security into deployment pipelines, performing security testing of cloud applications, managing container and serverless security, and reviewing infrastructure-as-code for security misconfigurations maps to Domains 4 and 3. The shift toward DevSecOps has created a large population of professionals whose work is deeply relevant to the CCSP, even when their titles emphasize development or operations over security.

Security Architects Working in Hybrid Environments

Your work designing security controls for environments that span on-premises and cloud infrastructure, evaluating cloud service provider capabilities, and defining shared responsibility boundaries maps to Domain 1. Even if your architecture work was not exclusively cloud-focused, the portions of your work that involved cloud security decision-making qualify.

Compliance and Risk Managers with Cloud Vendor Oversight

Your work assessing cloud vendor contracts, managing compliance programs that include cloud-hosted systems, performing cloud risk assessments, and handling data sovereignty requirements maps to Domain 6. If your compliance or risk management responsibilities extended to cloud environments in any meaningful way, that work qualifies at the domain layer.

Network and Systems Administrators Managing Cloud Resources

Your work managing cloud-based network infrastructure, securing cloud storage and compute resources, monitoring cloud environments for security events, and administering identity systems in cloud platforms maps to Domains 3 and 5. The transition from on-premises to cloud administration has meant that many network and systems professionals have been building qualifying CCSP experience for years without realizing it.

How to Document Your Experience for the Endorsement Process

Mapping your experience to the three layers and six domains before you apply is one of the most practical things you can do to make the endorsement process straightforward.

Start by listing every role where you performed cloud security-relevant tasks. For each role, write down the specific tasks you performed and identify which CCSP domain or domains those tasks map to, and which of the three layers they satisfy. Be specific rather than general. "Managed cloud security" is too vague. "Configured AWS Security Groups and VPC flow logs, assessed IAM policies for least privilege compliance, and responded to GuardDuty findings for a 300-instance cloud environment" maps clearly to Domain 3 and Domain 5 and gives your endorser something concrete to vouch for.

Your endorser is an active ISC2 member in good standing who will attest to the accuracy of your claimed experience. They do not need to have worked alongside you directly, but they need enough familiarity with your background to confirm your claims are credible. If you do not know an ISC2 member personally, ISC2 can endorse you directly, though this route typically takes longer to process.

What to Do If You Do Not Yet Have Enough Experience

Not having the full three-layer experience is not a reason to wait before sitting the exam. ISC2 does not require you to prove your experience before you register and test. The experience requirement is verified during the endorsement process after you pass.

Sitting the exam before you satisfy all three layers earns you Associate of ISC2 status, which gives you six years from your exam date to accumulate the remaining qualifying experience. During that time you carry a recognized ISC2 designation, pay a reduced AMF of $50 per year, and have access to the ISC2 community and member resources.

If you are specifically short on the domain-specific cloud year, the most direct approach is to deliberately steer your current role toward cloud security responsibilities. Ask to be included in cloud security assessments, cloud vendor reviews, cloud architecture discussions, or cloud incident response activities. Document what you do as you go. 

When the time comes to apply, you will have specific and verifiable examples of domain-level cloud security work rather than a general account of your job description. Our CCSP prerequisites guide covers the Associate pathway in full detail.

Frequently Asked Questions

Does general cloud administration work count toward CCSP experience?

General cloud administration work counts toward the IT layer of the requirement but may not satisfy the domain layer on its own. If your cloud administration responsibilities included security-specific tasks such as configuring access controls, managing encryption, responding to security alerts, or assessing cloud configurations against security baselines, those tasks qualify at the domain level. Routine cloud administration without a security dimension satisfies Layer 1 but not Layer 3. The distinction is whether your work involved actively securing cloud resources or simply managing them operationally.

Can my CISSP experience count toward the CCSP requirement?

If you hold an active CISSP, it waives the entire CCSP experience requirement and you do not need to separately document your work history against the three layers. If you do not hold a CISSP but have the kind of broad security experience that led you to earn one, that experience can still count toward the CCSP requirement provided it maps to the relevant domains and layers. The CISSP credential itself is the waiver mechanism, not the experience behind it.

What if I have five years in IT but less than one year in a CCSP domain?

You satisfy Layer 1 and possibly Layer 2 depending on how much of your IT experience involved cybersecurity, but you do not yet satisfy Layer 3. Your options are to build the domain-specific year through your current role, use the CCSK certificate to substitute for one year of domain experience if you earn it, or sit the exam now, earn Associate of ISC2 status, and use your six-year window to accumulate the remaining domain experience before applying for full certification.

How does ISC2 verify my experience claims?

ISC2's primary verification mechanism is the endorsement process. Your endorser attests to the accuracy of your experience claims and confirms that your background aligns with the CCSP requirements. ISC2 may also conduct random audits of endorsement applications, during which they can request additional documentation supporting your claimed experience. This is why being specific and accurate in describing your responsibilities matters. Vague or inflated claims create risk during an audit. ISC2 takes credential integrity seriously, and misrepresentation can result in revocation.

Can experience from outside cybersecurity count toward the IT layer?

Yes. The five-year IT layer is intentionally broad. Work in software development, network administration, systems engineering, database administration, project management within IT environments, and other IT-adjacent roles can all count toward Layer 1, even if the work did not involve security directly. The security-specific threshold only applies at Layer 2 and above. This means if you spent several years in general IT roles before moving into cybersecurity, you can count those earlier years toward the five-year total.

You Have the Experience. Take It Further with a CCSP Certification

Now that you have a clear picture of how your background maps to what ISC2 requires, the next step is making sure your exam preparation matches the standard the certification demands, because knowing your experience qualifies is only half the equation. 

The CCSP Bootcamp covers all six domains across five intensive days with live instruction from Rob Witcher and John Berti, who co-developed the official ISC2 CCSP certification materials, giving you direct access to the people who built the certification while you prepare for it. 

If a self-paced approach fits your schedule better, the CCSP MasterClass adapts to your specific knowledge gaps across all six domains, adjusts to your timeline, and comes with an exam pass guarantee so you can prepare with confidence rather than uncertainty. 

Before you commit to a full study plan, the free 5 Mistakes to Avoid CCSP guide is worth reading first, since the errors it covers are exactly the ones that catch well-qualified candidates off guard on exam day.


Rob Witcher

Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.
