CISSP® - Professional Experience Requirement
Do you have the proper experience for your CISSP credential?
You must have a minimum of five years of direct full-time security work experience in two or more of these 10 domains of the (ISC)² CISSP CBK®:
- Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
- Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
- Information Security Governance and Risk Management – the identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
- Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
- Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
- Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor, and secure, operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
- Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
- Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
- Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
- Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information.
Note that if certain circumstances apply and with appropriate documentation, candidates are eligible to waive one year of professional experience:
- One year waiver of the professional experience requirement based on a candidate’s education
Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Advanced Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent.
- One-year waiver of the professional experience requirement for holding an additional credential on the (ISC)² approved list
Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator or instructor, that requires Information Security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual fulltime Information Security work (not just Information Security responsibilities for a five year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.