CISSP Requirements at a glance
- Experience required: 5 years of paid work across at least 2 of the 8 CISSP domains
- Waiver available: Reduce to 4 years with a qualifying degree or an approved certification
- Exam fee: $749
- No experience yet? You can still sit the exam and earn the Associate of ISC2 status, with 6 years to build the required experience
- After passing: 9 months to complete endorsement by an active ISC2 member in good standing
- Annual Maintenance Fee: $135 per year for full CISSP, $50 per year for Associates
- CPE credits: 120 credits over every 3-year cycle to maintain your certification
You might know the CISSP exam is hard. What may catch you off guard is that qualifying for it is its own challenge. The CISSP exam requirements go well beyond showing up and passing a test. ISC2 requires verified professional experience across specific security domains, post-exam endorsement from a certified professional, ongoing CPE credits to maintain your status, and an annual fee to keep your certification active.
Each of these has specific rules, and misunderstanding any one of them can delay your path to certification. This article covers every requirement from eligibility through to certification maintenance, so you have a complete picture before you commit.
Who Should Pursue the CISSP?
The CISSP is designed for experienced IT security practitioners, managers, and executives who are interested in proving their skills and knowledge across a wide array of cybersecurity practices and principles. It is not an entry-level credential, and ISC2 structures the requirements to reflect that.
Roles that commonly require or benefit from CISSP include:
- Chief Information Security Officer (CISO)
- Director of security
- Security manager
- Security architect
- Security consultant
- Information security analyst
- IT director
- Security auditor
- Security systems engineer
- Network architect
These roles are listed as examples, not as a strict gate. The certification is valuable for any security professional working at a strategic or management level, regardless of exact title.
CISSP Experience Requirement: The Five-Year Rule
To qualify for the CISSP certification, you need at least five years of cumulative paid work experience in two or more of the eight CISSP domains:
- Domain 1. Security and Risk Management
- Domain 2. Asset Security
- Domain 3. Security Architecture and Engineering
- Domain 4. Communication and Network Security
- Domain 5. Identity and Access Management (IAM)
- Domain 6. Security Assessment and Testing
- Domain 7. Security Operations
- Domain 8. Software Development Security
Your job title does not determine eligibility. ISC2 evaluates the nature of your work, not what you were called. A network administrator who implemented access controls, managed security configurations, and conducted risk assessments has qualifying experience even if "security" never appeared in their title. What matters is whether your actual responsibilities map to one or more of the eight domains.
For a full breakdown of how ISC2 evaluates different work histories, how part-time and internship experience is calculated, and what specific tasks count toward each domain, our dedicated CISSP experience requirements guide covers all of that in detail.
Before you dive into your application, the free 3 Mistakes to Avoid guide is worth reading. It covers the eligibility and preparation errors that may cost you time and money, and catching them early makes a significant difference.
Do I really need 5 years of experience?
While 5 years is the standard requirement, you can substitute 1 year with relevant education or certifications. Even without the full experience, you can take the exam and become an ISC2 Associate while you accumulate experience.
The One-Year Waiver: Education and Approved Certifications
ISC2 allows you to reduce the five-year requirement to four years by holding a qualifying degree or an approved certification. Only one waiver applies regardless of how many degrees or certifications you hold.
A four-year college degree in any field satisfies the one-year waiver. The degree does not need to be in computer science or information security. ISC2's position is that completing a four-year program demonstrates the intellectual capability that partially substitutes for one year of professional experience.
Alternatively, holding any of the following ISC2-approved certifications also satisfies the one-year waiver:
- AWS Certified Security: Specialty
- Certified Cloud Security Professional (CCSP)
- Certified in Governance, Risk and Compliance (CGRC)
- Certified Information Security Manager (CISM)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Cisco Certified Internetwork Expert (CCIE) Security
- Cisco Certified Network Associate (CCNA)
- Cisco Certified Network Professional Security (CCNP Security)
- CompTIA Advanced Security Practitioner (CASP+)
- CompTIA CySA+
- CompTIA Security+
- CompTIA SecurityX
- GIAC Global Industrial Cyber Security Professional (GICSP)
- GIAC Information Security Fundamentals (GISF)
- GIAC Information Security Professional (GISP)
- GIAC Security Leadership Certification (GSLC)
- HealthCare Information Security and Privacy Practitioner (HCISPP)
- Information Systems Security Architecture Professional (ISSAP)
- Information Systems Security Engineering Professional (ISSEP)
- Information Systems Security Management Professional (ISSMP)
- Microsoft Certified Cybersecurity Architect
- Systems Security Certified Practitioner (SSCP)
- Zscaler Digital Transformation Administrator (ZDTA)
- Zscaler Digital Transformation Engineer (ZDTE)
- Zscaler Digital Experience Administrator (ZDXA)
This list is maintained and updated by ISC2. Always verify the current approved list directly on the official ISC2 CISSP experience requirements page before applying, as credentials are added and removed periodically.
The CISSP Exam Itself
The CISSP uses Computerized Adaptive Testing (CAT), which means the exam adjusts the difficulty of the questions it serves in real time based on how you are performing. Since the April 2024 exam update, the CAT format presents between 100 and 150 questions over a maximum of three hours. The exam is delivered at Pearson VUE testing centers globally.
The exam fee is $749. This covers the cost of the exam itself, not study materials or training. Some employers offer reimbursement for certification costs, so it is worth checking with your organization before paying out of pocket.
The exam is available in multiple languages, including English, Chinese, Japanese, German, Korean, and Spanish. ISC2 updates language availability periodically, so confirm current options when you register.
Taking the CISSP Without the Required Experience
You can sit the CISSP exam even if you do not yet have five years of qualifying work experience. ISC2 does not require you to prove your experience before testing. The experience requirement is verified during the endorsement process after you pass.
If you pass the exam without meeting the full experience requirement, you become an Associate of ISC2 rather than a fully certified CISSP. As an Associate, you have six years from your exam date to accumulate the qualifying experience. Once you meet the requirement, you submit an endorsement application, have your experience verified, and your Associate status converts to full CISSP certification.
This pathway is genuinely useful for career changers, recent graduates, and professionals who are close to but not yet at the five-year threshold. Sitting the exam now while you build experience is far more efficient than waiting until you hit the threshold and then starting your study process from scratch.
What Happens After You Pass
Passing the exam is the milestone you may focus on, but it is not the finish line. There are three commitments you need to fulfill to earn and maintain your CISSP certification.
Endorsement
After passing the exam, you have nine months to complete the endorsement process. An active ISC2 member in good standing reviews your claimed work experience, confirms it maps to at least two of the eight CISSP domains, and vouches for your professional conduct. If you do not know an ISC2 member personally, ISC2 can act as your endorser directly, though this route typically takes longer to process.
Missing the nine-month window means your exam result is voided and you would need to retake the exam. Our CISSP endorsement process guide walks through every step in detail.
Annual Maintenance Fee
Once your endorsement is approved, you pay your first Annual Maintenance Fee to activate your certification. The AMF is $135 per year for full CISSP holders and $50 per year for Associates of ISC2. This fee supports ISC2's certification infrastructure and gives you access to member resources, professional development opportunities, and the ISC2 community.
ISC2 fees can change over time. Check the ISC2 AMF page for the most current figures before budgeting.
Continuing Professional Education Credits
The CISSP certification operates on a three-year cycle. To maintain your certification, you need to earn 120 Continuing Professional Education (CPE) credits across each cycle, which works out to 40 credits per year. Of those 120 credits, at least 90 must be Group A credits; up to 30 may be Group B credits. Group B credits are optional, so all 120 can be Group A if you prefer, but Group B credits cannot replace any of the 90 required Group A credits.
Group A CPEs are earned through activities that directly relate to the eight CISSP domains, such as attending security conferences, completing relevant training courses, publishing security articles, or participating in security-focused professional activities outside your normal job responsibilities.
Group B CPEs are earned through activities that develop general professional skills rather than domain-specific security knowledge, such as management training, public speaking courses, and other professional development activities.
Failing to meet the CPE requirement by the end of your certification cycle results in suspension and eventually revocation of your certification. Our CISSP CPE maintenance guide and CISSP renewal requirements guide cover how to track, earn, and report your credits efficiently.
Frequently Asked Questions
Does my job title need to include "security" for my experience to count?
No. ISC2 evaluates the tasks you performed, not the title on your business card. If your work involved implementing security controls, managing access, configuring firewalls, performing risk assessments, or responding to incidents, it likely qualifies regardless of whether "security" appeared in your title. The key is being able to map your responsibilities to at least two of the eight CISSP domains.
Can I take the CISSP exam before I have the required experience?
Yes. There is no experience requirement to register for and sit the exam. The experience requirement is verified during the endorsement process after you pass. Sitting the exam without the required experience means you earn Associate of ISC2 status rather than full certification, and you then have six years to accumulate the qualifying experience.
How long does it take to prepare for the CISSP?
Most candidates spend three to six months preparing, though the timeline depends on your starting knowledge level and how many hours per week you can dedicate to study. If you have a security background, you might prepare faster. Those new to some domains typically need longer. An adaptive study system that focuses your time on your specific gaps tends to shorten the overall timeline significantly.
Is the CISSP worth it?
For professionals targeting senior security roles, the answer is generally yes. The CISSP consistently appears in job postings for roles like security manager, security architect, CISO, and GRC lead, and it tends to correlate with higher compensation. If you want to think the career and financial case through in detail before committing, work out your own expected return: the exam fee, training costs, and AMF against the roles and salary bands the credential opens up for you.
You Know the Requirements. Now Let's Get You Certified.
Now that you have a clear picture of what the CISSP requires, the next step is building a preparation plan that gets you to exam day confidently. Whether you need the structure of a live training week or the flexibility to study around an existing role, Destination Certification has both covered. The CISSP Bootcamp covers everything across five intensive days with Rob Witcher, John Berti, Kelly Handerhan, and Nick Mitropoulos. The CISSP MasterClass adapts to your specific knowledge gaps and schedule with an exam pass guarantee behind it.
In case you want a good head start, we offer a free Most Common CISSP Questions guide, which is practical if you want a feel for what the exam actually tests before committing to a full study plan.
Start your CISSP journey with Destination Certification today!
Rob Witcher
Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.