CISSP® - Professional Experience Requirement 

Do you have the proper experience for your CISSP credential? 

You must have a minimum of five years of direct full-time security work experience in two or more of these 8 domains of the (ISC)² CISSP CBK:

  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
  • Asset Security (Protecting Security of Assets)
  • Security Engineering (Engineering and Management of Security)
  • Communication and Network Security (Designing and Protecting Network Security)
  • Identity and Access Management (Controlling Access and Managing Identity)
  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  • Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
  • Software Development Security (Understanding, Applying, and Enforcing Software Security)

Note: Effective April 15, 2015, the CISSP exam will be based on a new exam blueprint. Please refer to the Exam Outline and FAQs for details.

Note that if certain circumstances apply and with appropriate documentation, candidates are eligible to waive one year of professional experience:

  • One-year waiver of the professional experience requirement based on a candidate’s education
    Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree, or regional equivalent OR an advanced degree in information security from the U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE).
  • One-year waiver of the professional experience requirement for holding an additional credential on the (ISC)² approved list
    Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator or instructor that requires Information Security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time Information Security work (not just Information Security responsibilities held over a five-year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.