CISSP Experience Requirements: What Actually Qualifies and How ISC2 Evaluates Your Background

Rob Witcher

Last Updated On: May 6, 2026

The five-year requirement is the part of the CISSP experience requirements that you should focus on first. What trips people up is the second question: does what you actually did for those five years count? Candidates either underestimate how much of their work history qualifies or assume it all does without checking properly. Both mistakes cause problems, one during the endorsement process and one when aspirants realize too late that their experience does not map cleanly to the domains ISC2 requires.

This article is a practical evaluation tool for your specific background, covering what qualifies, what does not, and how to approach your application with confidence.

For a complete overview of all CISSP eligibility requirements, including exam format, fee, endorsement, AMF, and CPE credits, see our CISSP exam requirements guide. This article, however, focuses specifically on what counts as qualifying work experience and how ISC2 evaluates it.

How ISC2 Actually Evaluates Your Work Experience

ISC2 evaluates CISSP aspirants' work experience with a focus on the quality and relevance of security tasks performed rather than on the specific job titles held. This means that having "security" in your job title, while potentially beneficial, is not an absolute requirement for certification eligibility.

What ISC2 prioritizes is the demonstration of substantial "security work experience" under the eight CISSP domains. What matters is the core of a candidate's professional activities and how those activities align with security practices.

This distinction is crucial because, although security work is readily identifiable in roles explicitly designated for security, ISC2 recognizes that security responsibilities frequently transcend traditional boundaries and can be integral to various other positions.

Consider, for instance, the role of a system administrator within a small organization. In such a setting, you might find yourself not only managing the IT systems but also being responsible for safeguarding them. This kind of scenario is ideally suited for illustrating your eligibility for the CISSP. Highlighting your direct involvement with security policies, practices, and systems, regardless of whether these tasks fully consumed your working hours, can effectively showcase the extent of your hands-on experience.

In short, ISC2 wants to know about your direct involvement with security, no matter what percentage of your job it makes up. The key is connecting your work experience to the CISSP's eight domains. It is all about highlighting the parts of your job where you applied security principles, regardless of your official job title.

What Counts as Qualifying Experience: A Domain-by-Domain Guide

This is where most CISSP exam takers need the most help. Knowing you need experience across two or more domains is one thing. Knowing whether your specific daily tasks actually qualify is another. The following breakdown gives you concrete examples of what counts within each domain so you can map your own work history accurately.

Domain 1: Security and Risk Management

Domain 1: Security and Risk Management is the broadest domain and the one most security-adjacent professionals can point to. Qualifying work includes developing or enforcing security policies, conducting risk assessments, maintaining compliance programs, managing business continuity planning, evaluating legal and regulatory requirements affecting your organization, and participating in security awareness training programs. 

IT managers who set acceptable use policies, compliance officers who maintain audit readiness, and GRC analysts who perform risk reviews all produce qualifying experience in this domain.

Domain 2: Asset Security

Qualifying work in Domain 2: Asset Security involves classifying organizational data, defining data handling and retention requirements, managing data disposal procedures, and applying security controls based on data sensitivity. 

Professionals who have worked on data governance programs, implemented data classification schemes, managed records retention policies, or ensured proper data destruction procedures qualify here. This domain appears frequently in the work histories of IT auditors, data governance managers, and anyone involved in privacy or regulatory compliance programs.

Domain 3: Security Architecture and Engineering

Domain 3: Security Architecture and Engineering covers the design and implementation of secure systems. Qualifying work includes designing security architectures, evaluating security models and frameworks, implementing cryptographic controls, assessing system vulnerabilities, and applying secure design principles to infrastructure or applications. 

Security architects, systems engineers who build with security requirements in mind, and professionals who evaluate technology against security frameworks like NIST or ISO 27001 qualify here. You do not need to have designed enterprise-scale systems from scratch. Evaluating existing architecture against security requirements and recommending improvements counts as well.

Domain 4: Communication and Network Security

Qualifying work consists of the design and management of secure network environments. This includes configuring and managing firewalls, implementing VPNs and secure remote access, managing network segmentation, monitoring network traffic for anomalies, and securing wireless networks. 

Network administrators, network engineers, and infrastructure professionals who have managed security controls at the network level qualify here. Even if your title was "network engineer" with no security prefix, configuring ACLs, managing firewall rules, and implementing secure protocols map directly to Domain 4: Communication and Network Security.

Domain 5: Identity and Access Management

Domain 5: Identity and Access Management explores how users and systems are authenticated and authorized. Qualifying work includes managing user accounts and access rights, implementing multi-factor authentication, administering directory services like Active Directory or LDAP, designing role-based access control schemes, and reviewing access permissions for compliance. 

System administrators who manage user provisioning, IT professionals who handle access reviews, and anyone who has implemented or maintained IAM systems produce qualifying experience here.

Domain 6: Security Assessment and Testing

Qualifying work in Domain 6: Security Assessment and Testing involves evaluating the effectiveness of security controls. This includes conducting vulnerability assessments, performing or participating in penetration testing, running security audits, reviewing log data for security events, testing disaster recovery and incident response plans, and producing security metrics for management. 

IT auditors, security analysts, and professionals who conduct regular assessments of their organization's security posture qualify here. You do not need to be a dedicated penetration tester. Running internal vulnerability scans and translating the results into remediation plans counts.

Domain 7: Security Operations

Domain 7: Security Operations is the day-to-day management of security operations. Qualifying work includes monitoring security alerts and events, investigating and responding to incidents, managing patch and change processes from a security perspective, handling digital forensics and investigations, and managing business continuity and disaster recovery operations. 

Security operations center analysts, incident responders, and IT professionals who manage the operational security of systems and infrastructure qualify here. This is often the domain where professionals with IT operations backgrounds find the strongest alignment to their daily work.

Domain 8: Software Development Security

Domain 8: Software Development Security is applying security principles to the software development process. This includes integrating security into the software development lifecycle, performing code reviews for security vulnerabilities, testing applications for security weaknesses, managing secure APIs, and evaluating third-party software for security risks. Software developers who build with security requirements in mind, application security testers, and DevOps professionals who integrate security into deployment pipelines qualify here.

If you want a visual overview of how all eight domains connect and what topics each one covers, the free CISSP MindMaps from Destination Certification are worth reviewing as you map your work history. They show how the domains interrelate, which helps when your experience touches multiple areas.

How ISC2 Calculates Your Years of Experience

The five-year requirement is not as rigid in its structure as you might assume. ISC2 accommodates different working arrangements through a precise calculation methodology.

Full-Time Experience

ISC2 counts work experience monthly. To accrue one month of full-time work experience, you must have worked a minimum of 35 hours per week for four consecutive weeks. A standard 40-hour workweek meets this threshold comfortably. Full-time experience accrues at its face value: five years of full-time work in qualifying roles equals five years of experience toward the requirement.

Part-Time Experience

Part-time work also counts toward the requirement, but it is converted into a full-time equivalent using a specific formula. For your part-time experience to qualify, you must work between 20 and 34 hours per week. The conversion works as follows:

  • 1,040 hours of part-time work equals 6 months of full-time equivalent experience
  • 2,080 hours of part-time work equals 12 months of full-time equivalent experience

This means a candidate who has worked 25 hours per week for several years in a qualifying role can still build toward the five-year threshold. It takes longer, but the experience counts.

Internship Experience

Both paid and unpaid internships qualify toward the CISSP experience requirement, provided the work is directly related to one or more of the eight CISSP domains. The calculation method for internships follows the same part-time and full-time framework, depending on your hours.

There is one additional documentation requirement: you must obtain a letter on official company or organization letterhead confirming your internship position. If your internship was at a school or university, the documentation can be provided on the registrar's stationery. This letter becomes part of your endorsement application documentation.

The One-Year Experience Waiver

ISC2 allows you to reduce the five-year requirement to four years by holding a qualifying degree or a certification from the ISC2-approved list. The waiver applies only once, regardless of how many degrees or certifications you hold.

A four-year college degree in any field qualifies. The degree does not need to be in computer science or information security.

For the full current list of approved certifications that satisfy the one-year waiver, see our CISSP exam requirements guide. ISC2 updates that list periodically, so verifying against the current official list before applying is important.

Roles That Qualify Even Without a Security Title

One of the most common concerns candidates bring to us is that their job title does not look "secure enough" to qualify. The following role types regularly produce strong qualifying CISSP experience even when security is not in the title.

Network and Systems Administrators

Network and systems administrators frequently perform work that maps directly to Domains 4, 5, and 7. Managing firewall rules, configuring access controls, handling patch management, monitoring system logs, and responding to outages all qualify. If your daily responsibilities involved protecting systems from unauthorized access or ensuring the availability of critical infrastructure, you very likely have qualifying experience.

IT Managers and IT Directors

IT managers who set security policies, manage vendor relationships involving sensitive data, oversee access management for their teams, and maintain compliance with organizational security requirements qualify across multiple domains, most commonly Domains 1, 2, and 5. The governance and oversight aspects of IT management align strongly with Domain 1 in particular.

Software Developers and Engineers

Developers who build applications with security requirements in mind, conduct peer code reviews that include security checks, implement authentication and authorization systems, or work in environments where secure coding standards are enforced qualify primarily under Domain 8, and potentially Domain 3 depending on their architecture responsibilities.

Auditors and Compliance Professionals

Internal and external auditors who assess security controls, test access management systems, evaluate policy compliance, and report findings to management qualify strongly under Domains 1 and 6. Compliance professionals who maintain regulatory compliance programs, manage policy frameworks, and conduct security assessments produce qualifying experience across Domains 1 and 2.

Military and Government IT Roles

Military and government IT professionals often work in environments with particularly rigorous security requirements. Roles involving classified system management, security clearance administration, incident response, and compliance with frameworks like NIST RMF produce strong qualifying experience across multiple domains. The formal security culture in these environments tends to generate well-documented experience that maps cleanly to ISC2's requirements.

How to Document Your Experience for the Endorsement Process

Mapping your experience to the eight domains before you apply is one of the most practical things you can do to make the endorsement process straightforward. A structured approach helps.

Start by listing every role you have held where you performed security-relevant tasks. For each role, write down the specific tasks you performed and identify which CISSP domain or domains those tasks map to. You do not need to cover all eight domains, just two or more in total across your work history.

Be specific rather than general. "Managed network security" is weak. "Configured and maintained Cisco ASA firewall rules, implemented network segmentation across three VLANs, and monitored IDS alerts for a 500-user enterprise network" is strong and maps clearly to Domain 4.

Your endorser, who is an active ISC2 member in good standing, will vouch for the accuracy of your experience claims. They do not need to have worked alongside you directly, but they need to have enough familiarity with your background to confirm your claims are credible. If you do not know an ISC2 member, ISC2 can endorse you directly. For a full walkthrough of the endorsement process and timeline, see our CISSP endorsement guide.

What to Do If You Do Not Yet Have Enough Experience

Not having the full five years of qualifying experience is not a reason to delay sitting the exam. ISC2 does not require you to prove your experience before testing. The experience requirement is verified during endorsement after you pass.

Sitting the exam before you hit the five-year threshold earns you Associate of ISC2 status, which gives you six years from your exam date to accumulate the remaining qualifying experience. During that time, you carry a recognized ISC2 designation, have access to the ISC2 community and resources, and pay a reduced AMF of $50 per year.

There is also a strategic advantage to sitting early. Preparing for and passing the CISSP exam deepens your understanding of all eight domains, which in turn makes you more effective in the roles where you are building qualifying experience. Many Associates find that passing the exam changes how they approach their daily work, which accelerates the quality and relevance of the experience they accumulate.

If you are still a year or two away from qualifying, the most productive approach is to deliberately steer your current role toward security responsibilities. Ask to be included in risk assessments, access reviews, incident response activities, and security audits. Document what you do as you go. When the time comes to apply, you will have specific, verifiable examples rather than a general account of your job description.

Frequently Asked Questions

Does help desk or IT support work count toward CISSP experience?

Routine help desk work does not typically qualify on its own. However, if your help desk role involved meaningful security responsibilities such as managing user access, enforcing security policies, responding to security incidents, or configuring secure systems, those specific tasks can qualify. The key is whether your work maps to one of the eight domains rather than whether your job title was help desk. Document the security-specific tasks you performed rather than describing the role in general terms.

Can volunteer or unpaid security work count?

ISC2's requirement is for paid work experience. Unpaid internships are the one exception to this, and they must be formally documented on organizational letterhead. General volunteer work in security, such as helping a nonprofit with their IT systems, does not typically qualify as paid professional experience for CISSP purposes. If you are building experience outside of paid roles, structured internships with proper documentation are the more reliable path.

What if my experience spans many years across multiple jobs?

This is common and entirely acceptable. ISC2 calculates cumulative experience across all qualifying roles. You add up the qualifying months from each position where you performed security-relevant work in the applicable domains. The experience does not need to be continuous, and it does not need to come from a single employer. Documenting each role clearly with specific security tasks mapped to the relevant domains is what makes a multi-employer history straightforward to endorse.

How does ISC2 verify my experience claims?

ISC2's primary verification mechanism is the endorsement process. Your endorser, an active ISC2 member, attests to the accuracy of your experience claims. ISC2 may also conduct random audits of endorsement applications, during which they may request additional documentation supporting your claimed experience. This is why being specific and accurate in your application matters. Vague or inflated claims create risk during an audit. ISC2 takes credential integrity seriously, and misrepresentation can result in the revocation of certification.

Can I use experience from outside the United States?

Yes. ISC2 is a global organization and accepts qualifying work experience from any country. The experience must meet the same standard regardless of where it was performed: paid work that maps to one or more of the eight CISSP domains. If your documentation is in a language other than English, you may need to provide certified translations during the endorsement process, depending on your endorser's requirements.

You Know What Qualifies. Now Build Your CISSP Knowledge.

With a clear picture of whether your background qualifies, the next step is making sure your exam preparation is as strong as your experience. At Destination Certification’s CISSP Bootcamp, we’ll cover all eight domains across five intensive days with live instruction from Rob Witcher, John Berti, Kelly Handerhan, and Nick Mitropoulos. With the addition of the CISSP MasterClass, you will adapt to your specific domain knowledge gaps with a fully flexible schedule and an exam pass guarantee.

Where do you start? The free Proven CISSP Exam Strategies guide is a practical starting point for understanding how the exam thinks before you commit to a full study plan.

Rob Witcher

Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.