Let's face it: earning the Certified Information Systems Security Professional (CISSP) certification is a feat that many cybersecurity professionals aspire to, yet find daunting.
Often described as "a mile wide and an inch deep," the CISSP's complexity lies not just in the depth of knowledge required to pass the exam but also in the stringent experience requirements necessary to even sit for it. These prerequisites can sometimes feel like intimidating barriers to those eager to advance their careers.
In this guide, we'll take a closer look at what counts as qualifying experience for the CISSP, discussing full-time, part-time, and internship roles. We’ll also explore how some of these experience requirements can be waived, offering a clearer path for those aiming to earn this prestigious certification.
Whether you're currently working in cybersecurity or looking to make a career switch, this guide is designed to help you understand exactly what’s needed to move forward with the CISSP.
How ISC2 Evaluates Work Experience
ISC2 evaluates CISSP candidates' work experience with a keen focus on the quality and relevance of security tasks performed rather than on the specific job titles held. This means that having "security" in your job title, while potentially beneficial, is not an absolute requirement for certification eligibility.
What ISC2 prioritizes is the demonstration of substantial "security work experience" under the eight domains of CISSP, emphasizing that the core of a candidate's professional activities and how these activities align with security practices is of paramount importance.
This distinction is crucial because, although security work is readily identifiable in roles explicitly designated for security, ISC2 recognizes that security responsibilities frequently transcend traditional boundaries and can be integral to various other positions.
Consider, for instance, the role of a system administrator within a small organization. In such a setting, you might find yourself not only managing the IT systems but also being responsible for safeguarding them.
This kind of scenario is ideally suited for illustrating your eligibility for the CISSP. Highlighting your direct involvement with security policies, practices, and appliances—regardless of whether these tasks fully consumed your working hours—can effectively showcase the extent of your hands-on experience.
In a nutshell, ISC2 wants to know about your direct involvement with security, no matter the percentage of your job it made up. The trick is to connect your work experiences to the CISSP's eight domains. It's all about highlighting the parts of your job where you've applied security principles, no matter your official job title.
Full-Time Work Experience
When it comes to meeting the CISSP certification requirements, full-time work experience plays a crucial role. To qualify for the CISSP certification, ISC2 requires candidates to have a minimum of five years of cumulative, paid work experience in two or more of the eight domains of the CISSP Common Body of Knowledge (CBK).
Full-time work experience, as defined by ISC2, generally involves roles that engage individuals for at least 40 hours per week in tasks directly related to one or more of the CISSP CBK domains.
Part-Time Work Experience
Part-time work experience also plays a vital role in qualifying for the CISSP certification, accommodating those who may not work in traditional full-time roles. ISC2 acknowledges the value of part-time work, allowing candidates to count part-time hours towards the requisite five years of professional experience in the cybersecurity domain.
However, it's important to note that calculating part-time experience towards the CISSP certification requirements follows a specific ratio to ensure equivalency with full-time work standards, which we will discuss in the later sections.
For part-time work to qualify, the experience must involve at least 20 hours per week but fewer than 40 hours, focusing on tasks that align with one or more of the CISSP domains.
Internship Experience
Recognizing the significant impact of early-career opportunities in building foundational skills, ISC2 permits hours spent in internships, paid or unpaid, to contribute to the requisite five years of professional experience in the cybersecurity domain.
For an internship to be considered valid, the experience must be directly related to one or more of the eight CBK domains. Candidates must meticulously document their internship, detailing the roles and responsibilities undertaken and how these activities align with the CISSP domains. Importantly, candidates are required to obtain documentation on official company or organization letterhead confirming their position as an intern.
If the internship is conducted at a school, the documentation can be provided on the registrar’s stationery. This documentation is a critical component of the CISSP endorsement process, where the internship and work experience need to be verified, typically by an ISC2-certified professional.
How Does ISC2 Calculate Your Years of Professional Experience?
ISC2 employs a precise method for calculating the years of professional experience required for CISSP certification, accommodating both full-time and part-time roles with distinct criteria for each. This systematic approach ensures that candidates from varied working backgrounds can meet the experience requirements necessary to obtain the certification.
Here’s how your CISSP work experience is calculated:
- Full-time work experience: ISC2 counts work experience monthly. To accrue one month of full-time work experience, a candidate must have worked a minimum of 35 hours per week for four consecutive weeks.
- Part-time work experience: To convert part-time work into the equivalent full-time experience, ISC2 uses a conversion rate where 1040 hours of part-time work are equivalent to six months of full-time experience. Similarly, 2080 hours of part-time work translates to 12 months, or one year, of full-time experience.
- Internships: The calculation of internship hours follows the same criteria as for part-time and full-time work.
The CISSP Experience Waiver
ISC2 allows candidates to reduce the five-year work experience requirement for the CISSP certification by one year through relevant education and certifications. Candidates who have completed a four-year college degree or its equivalent in information security or a closely related field can benefit from this reduction.
Similarly, holding specific approved industry certifications, as identified by ISC2, also qualifies for this one-year reduction. Here are some of them:
- AWS Certified Security - Specialty
- Certified in Governance, Risk and Compliance (CGRC)
- Certified Cloud Security Professional (CCSP)
- Certified Computer Examiner (CCE)
- Certified Ethical Hacker v8 or higher
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified Internal Auditor (CIA)
- Certified Protection Professional (CPP) from ASIS
- See other approved certifications by ISC2.
Do note that this is an either-or situation; candidates can only deduct one year from the required work experience, regardless of the number of certifications they hold or if they also possess a relevant degree. This policy ensures a consistent standard for all candidates while acknowledging the value of formal education and certification in the field of information security.
Taking CISSP Without Experience
What if you're eager to earn your CISSP but haven't yet met the work experience requirements? The good news is that ISC2 still allows you to take the CISSP exam even without meeting the full work experience criteria.
However, there's an important distinction to understand: passing the exam under these conditions won't immediately grant you the CISSP certification. Instead, candidates who pass the CISSP exam without the requisite work experience are designated as Associates of ISC2.
As an Associate of ISC2, you're given a time frame of six years to gain the necessary work experience to officially earn your CISSP certification.
This pathway offers a valuable opportunity for those new to the field or transitioning from other career paths. It recognizes the effort and dedication it takes to pass the CISSP exam and provides a structured framework to advance your career in cybersecurity.
The best part? Becoming an Associate of ISC2 not only validates your knowledge but also connects you with the ISC2 community and resources, supporting your professional growth as you gain the experience needed to become a CISSP.
Frequently Asked Questions
Yes, managing IT security projects can count towards CISSP experience. As long as the work involves tasks related to one or more of the eight CISSP domains, it qualifies. Project management in IT security often encompasses areas like risk management, security architecture, and identity management, which are directly aligned with the CISSP CBK domains.
You can pass the CISSP exam without having the full five years of required work experience. However, passing the exam without the experience will earn you the title of Associate of ISC2 rather than full CISSP certification. You'll then have six years to gain the necessary experience to upgrade to full CISSP status.
The CISSP certification is valid for three years. To maintain the certification, holders must earn and submit a total of 120 Continuing Professional Education (CPE) credits within these three years and pay the annual maintenance fee. This process, known as recertification, ensures that CISSP professionals keep their skills and knowledge up to date.
Begin Your Path to CISSP Certification with Destination Certification
Understanding the CISSP work experience requirements is just the first step. Now, it's time to actively pursue your CISSP journey, and Destination Certification's CISSP MasterClass is the perfect starting point.
Our program is meticulously designed to cater to your unique needs and aspirations. We recognize that every aspiring cybersecurity professional brings a distinct set of skills and schedules to the table. That's why our MasterClass offers unparalleled flexibility, allowing you to tailor your learning experience to your personal and professional commitments.
Let Destination Certification be your partner in this journey, providing you with the tools, knowledge, and support to take control of your future in the ever-evolving field of cybersecurity. Start with us, and navigate your path to becoming a recognized cybersecurity expert with confidence.
Rob Witcher
Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.