If you were counting on your CEH, CISA, CRISC, or OSCP to waive a year of experience on your CISSP application, that option is gone. ISC2 officially reduced the CISSP experience waiver list effective April 1, 2026, and the cut was significant. The list went from over 50 qualifying credentials down to roughly 25. If you submitted your CISSP certification application on or after April 1, 2026, using a credential that's no longer on the list, it won't count toward your experience requirement.
This isn't a rumor or a draft proposal. The policy is live. And if you've been planning your CISSP path around one of the removed certifications, you need to know exactly where you stand and what your options are right now.
This article covers what the waiver actually is, which credentials got cut, which ones still qualify, and what you can do if the change affects your timeline.
What the CISSP Experience Waiver Actually Is
To earn your CISSP certificate, you need a minimum of five years of cumulative, full-time work experience across two or more of the eight CISSP domains. That's the baseline. But ISC2 has long offered a way to reduce that requirement by one year if you hold a qualifying credential from their approved list.
That one-year waiver doesn't eliminate the experience requirement. It means you can qualify with four years of verified work experience instead of five, provided your other credentials and documentation meet ISC2's standards. It's worth noting that if you hold a relevant post-secondary degree in computer science, information technology, or a related field, that can also substitute for one year of experience. However, you cannot stack a degree and a qualifying credential to waive two years. You get one or the other, not both.
The waiver has been a useful on-ramp for professionals who came into security through specific technical or audit paths. That's exactly why the April 2026 changes matter as much as they do.
Which Certifications Were Removed from the CISSP Waiver List
ISC2 provided advance notice of this change before it took effect, and they were clear about the cutoff: anyone submitting a CISSP certification application on April 1, 2026, or later must meet the new requirements. The old list no longer applies to new applications.
The credentials that were removed include some of the most widely held certifications in the industry. The Certified Ethical Hacker (CEH), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Offensive Security Certified Professional and Expert (OSCP/E) are all gone from the list.
So are the Certified Internal Auditor (CIA), Certified Protection Professional (CPP), Certified Computer Examiner (CCE), Certified Wireless Security Professional (CWSP), CSA Certificate of Cloud Security Knowledge (CCSK), and a range of EC-Council, GIAC, INE, Juniper, Cisco CyberOps, and Zscaler credentials that previously qualified.
If you held any of those certifications and were planning to use them as your experience waiver, that path is no longer available for applications submitted from April 1, 2026, onward. The full updated requirements are available directly on the ISC2 CISSP experience requirements page.

Which Certifications Still Qualify for the CISSP Waiver
The updated list is shorter, but it still covers credentials that many security professionals already hold or are actively pursuing. Here's what still qualifies as of April 1, 2026:
The ISC2 family of certifications remains well represented. The CCSP, SSCP, CGRC, CSSLP, ISSAP, ISSEP, and ISSMP all still qualify. If you're already on the ISC2 path, your existing credentials likely still count.
Outside of ISC2, the remaining qualifiers include:
CompTIA Security+, CompTIA CySA+, CompTIA CASP+ (now CompTIA SecurityX), CISM, CCNA, CCNP Security, CCIE Security, AWS Certified Security Specialty, Microsoft Certified Cybersecurity Architect, HCISPP, GICSP, GISF, GISP, GSLC, and the Zscaler ZDTA, ZDTE, and ZDXA credentials.
What's notable about the credentials that survived the cut is that they tend to align more directly with the governance, architecture, and security management focus that CISSP itself emphasizes. Highly technical or audit-specific certifications were disproportionately removed.
If you're reassessing your CISSP path and want to get a clear picture of the eight domains your experience and preparation need to cover, our free CISSP MindMaps break down every domain visually so you can see exactly where you stand.
What This Means If You Were Planning to Use a Removed Cert
If your certification was on the old list but not the new one, your first question is probably whether you're actually affected. The answer depends entirely on when you submitted your application. If you submitted before April 1, 2026, ISC2's position is that the previous list applies to you. If you haven't submitted yet, the new list governs your application.
If you are affected, you have a few real options. The first is straightforward: if you have four or more years of qualifying experience across two or more CISSP domains, you may already meet the requirement without the waiver. Review your work history carefully against the eight domains before assuming you're short.
The second option is the degree pathway. If you hold a bachelor's or master's degree in computer science, information technology, or a related field, that can substitute for one year of experience, just as the waiver did. Again, you can't combine it with a credential waiver, but if you were relying on a credential that's now removed, a qualifying degree may be your equivalent substitute.
The third option is the Associate of ISC2 route. If you don't yet have the required experience, you can still sit for and pass the CISSP exam. ISC2 will designate you as an Associate of ISC2, and you'll then have six years to accumulate the five years of required work experience. This path is worth considering if you're earlier in your career or if your experience timeline is simply delayed by the waiver removal.
None of these options is a setback if you approach them clearly. What matters now is knowing which path fits your actual situation.
Why CISSP Is Still Worth Pursuing (Maybe More Than Ever)
A shorter waiver list means fewer people can take a shortcut to the application threshold. That's not a reason to step back from CISSP. If anything, it's a reason to move forward with more confidence that the credential you're earning carries real weight.
CISSP has always been selective. It requires demonstrated experience, not just exam performance. The April 2026 changes reinforce that the certification is designed for professionals who have genuinely worked across the security domains, not just collected credentials. When employers see CISSP on your profile, the tightened requirements only strengthen what it signals about you.
The demand for CISSP-certified professionals hasn't changed. Security leadership roles increasingly list it as a requirement, and the certification remains one of the most recognized in the industry globally. If you've been sitting on the fence about pursuing it, the time to move is now, not later.
Frequently Asked Questions
No. ISC2 is clear that you can use either a qualifying post-secondary degree or a credential from the approved list to substitute for one year of experience, but not both. You get one waiver, not two.
Yes, absolutely. You can qualify through verified work experience alone if you have four or more years across two or more CISSP domains, use a qualifying degree as your one-year substitute, or pass the CISSP exam and become an Associate of ISC2 while you build the remaining experience over up to six years.
Yes. The SSCP remains on the updated waiver list, which makes it one of the cleaner on-ramps to CISSP for professionals who are still building their experience. It also covers foundational security concepts that align well with the CISSP exam itself.
The Associate of ISC2 route is likely your best move. Pass the CISSP exam now while you continue building experience, and you'll have up to six years to satisfy the five-year requirement. In the meantime, your preparation keeps your knowledge sharp and your timeline moving.
Now Is the Time to Get Your CISSP Certificate
The waiver list is shorter now, and that actually works in your favor if you're already qualified. Fewer people will breeze through the experience threshold on the strength of a credential alone, which means your CISSP carries more weight when you earn it the right way.
If you know you qualify and you've been putting off the exam, there's no good reason to wait. Destination Certification’s CISSP MasterClass gives you everything you need to pass on your first attempt. It adapts to your knowledge gaps across all eight domains, adjusts your study calendar to fit your schedule, and includes expert video instruction from Rob Witcher and John Berti, who worked directly with ISC2 on certification development.
Before you dive in, grab our free Proven CISSP Exam Strategies guide. It walks you through the exact approach you need to think through exam questions the way ISC2 expects, and it costs you nothing to get started.
Don’t wait for the next batch. Start your CISSP journey with us today.
John is a major force behind the Destination Certification CISSP program's success, with over 25 years of global cybersecurity experience. He simplifies complex topics, and he utilizes innovative teaching methods that contribute to the program's industry-high exam success rates. As a leading Information Security professional in Canada, John co-authored a bestselling CISSP exam preparation guide and helped develop official CISSP curriculum materials. You can reach out to John on LinkedIn.







