
CISSP Endorsement Process: Steps After Passing the Exam

TL;DR
  • Passing the CISSP exam at Pearson VUE does not grant you the certification; endorsement through ISC2 is a required separate step.
  • You must submit your endorsement application within nine months of your exam pass notification or restart the process.
  • CISSP requires five years of cumulative paid work experience across at least two of the eight official domains.
  • A current CISSP in good standing must endorse your application; ISC2 itself can act as endorser if you cannot find one.

What the CISSP Endorsement Process Actually Means

Seeing a passing result at the Pearson VUE testing center is a milestone, but it is not the finish line. ISC2, the governing body for the CISSP credential, separates exam performance from professional certification deliberately. Passing the exam proves you have the technical knowledge across the eight CISSP domains. The endorsement process proves you have actually applied that knowledge in real security roles.

This distinction matters because the CISSP is designed to validate working security practitioners, not just test-takers. ISC2's endorsement workflow verifies that your professional background aligns with what the exam measured. Only after ISC2 formally approves your application and you pay the required fees does the certification become active and your name appear in the ISC2 verified member directory.

Why Endorsement Exists: ISC2 built the endorsement requirement to protect the credential's market value. Employers searching the ISC2 directory can trust that every listed CISSP has had their professional experience independently verified, not just their exam score.

Step-by-Step: The Endorsement Workflow

The process unfolds in a defined sequence. Understanding each stage prevents delays that could push you past the nine-month submission window.

  1. Receive your exam results. After completing the computer adaptive test, which presents between 100 and 150 items over a maximum of three hours, Pearson VUE notifies you of a pass or fail outcome. A passing score requires reaching 700 on a 1,000-point scale.
  2. Create or log into your ISC2 candidate account. Your Pearson VUE exam record links to your ISC2 profile. Verify that your personal information matches exactly between both systems before proceeding.
  3. Complete the online endorsement application. ISC2 provides a structured form where you document your work history against specific CISSP domains, provide employer contact information, and identify your endorser.
  4. Secure your endorser's signature. Your endorser, a current CISSP in good standing, reviews your experience claims and attestations, then signs the application confirming they believe your statements are accurate.
  5. Submit and pay. The exam fee of $749 USD covers testing only. Endorsement itself does not carry a separate application fee at time of writing, but the Annual Maintenance Fee (AMF) becomes due once ISC2 approves your application.
  6. Await ISC2 review. ISC2 manually reviews submitted applications. Processing time varies; plan for several weeks, especially during high-volume periods.
  7. Respond to any audit request. ISC2 audits a percentage of applications, requesting supporting documentation such as employment records or letters from supervisors.
  8. Receive certification confirmation. Once approved, ISC2 sends official notification and your certification becomes active in the member directory.

Meeting the Experience Requirements

The experience requirement is where many candidates encounter confusion. ISC2 requires five years of cumulative, paid, full-time work experience in information security. That experience must span at least two of the eight CISSP domains. Part-time or volunteer work may count on a prorated basis, but unpaid internships generally do not qualify as paid experience.

The Eight CISSP Domains (Exam Outline Effective April 15, 2024)

Your experience documentation must align to specific domains. Here is how ISC2 weights them on the exam, which is useful context for framing your professional narrative:

  • Domain 1: Security and Risk Management - 16% (largest domain; governance, compliance, risk frameworks)
  • Domain 2: Asset Security - 10% (data classification, ownership, privacy)
  • Domain 3: Security Architecture and Engineering - 13% (cryptography, secure design, hardware security)
  • Domain 4: Communication and Network Security - 13% (network protocols, segmentation, secure channels)
  • Domain 5: Identity and Access Management - 13% (authentication, authorization, federation)
  • Domain 6: Security Assessment and Testing - 12% (vulnerability assessment, pen testing, audit)
  • Domain 7: Security Operations - 13% (incident response, forensics, BCP/DR)
  • Domain 8: Software Development Security - 10% (SDLC security, code review, DevSecOps)

When documenting experience, be specific. Instead of writing "managed security tools," describe the domain-relevant activity: "Designed and implemented network segmentation policies to enforce least-privilege access between internal subnets" maps directly to Domain 4 (Communication and Network Security). Generic job descriptions rarely satisfy ISC2 reviewers.

The One-Year Experience Waiver

ISC2 allows one year of the five-year requirement to be waived if you hold a qualifying four-year college degree or an approved credential from the ISC2 list. This reduces the minimum to four years of verifiable professional experience. Check the current ISC2 website for the authoritative list of qualifying credentials, as it is updated periodically.

Finding and Working With an Endorser

Your endorser must be an active CISSP in good standing, meaning their own certification is current, their CPEs are tracked, and their Annual Maintenance Fee is paid. They do not need to be your direct supervisor, a colleague in your organization, or even someone who has worked with you directly. They are attesting that they believe your experience claims are truthful based on their review of your documentation.

No Endorser Available? ISC2 itself will serve as your endorser if you genuinely cannot locate a CISSP willing to endorse you. In this case, ISC2 will conduct a more thorough review of your application, which typically extends processing time. This option exists to prevent the endorser requirement from becoming an insurmountable barrier.

Practical advice for locating an endorser: check your professional network on LinkedIn by filtering first-degree connections with CISSP in their credentials. ISC2 chapter meetings, available in most major metropolitan areas, are another productive venue. Security conferences such as RSA or local BSides events regularly attract CISSPs who are familiar with the endorsement process and willing to help qualified candidates.

When approaching a potential endorser, provide them with a clear summary of your experience mapped to the relevant CISSP domains. Make their review easy by organizing your documentation before making the request. A well-prepared candidate is far more likely to receive timely endorsement than one who sends a vague ask with no supporting material.

The ISC2 Audit: What to Expect

ISC2 audits a subset of endorsement applications. If selected, you will receive a notice requesting additional documentation to substantiate your experience claims. Being selected for audit is not a judgment of dishonesty; it is a standard quality control measure that protects the credential's reputation.

Document Type | What It Demonstrates | Format ISC2 Typically Accepts
Employment verification letters | Dates of employment, job title, security responsibilities | Signed letter on company letterhead
Performance reviews | Security-specific duties performed during employment period | Scanned copies of official HR documents
Project documentation | Specific security initiatives tied to CISSP domains | Sanitized project summaries or statements of work
Tax records / pay stubs | Proof that employment was paid and during the claimed period | Redacted financial documents showing employer name and dates
Professional references | Corroboration of role and responsibilities by a third party | Contact information for verifiable professionals

Prepare this documentation before submitting your application, not after you receive an audit notice. Scrambling to locate records from employers three jobs ago adds unnecessary stress and delays your certification.

The Associate of ISC2 Route

Candidates who pass the CISSP exam but do not yet have the required five years of professional experience can elect to become an Associate of ISC2. This designation acknowledges that you have demonstrated the technical knowledge required for CISSP and gives you up to six years to accumulate and document the qualifying experience.

Associates pay a reduced Annual Maintenance Fee and are expected to earn CPE credits during their associate period. Once you have the required experience, you submit a standard endorsement application to convert your status to full CISSP certification. This route is particularly valuable for professionals who are early in their careers or are transitioning into security from adjacent fields such as network engineering, software development, or IT audit.

Key Takeaway

If you have not yet accumulated five years of experience, do not delay sitting the exam. The Associate of ISC2 designation lets you lock in your exam pass while you build the experience record needed for full certification, rather than risk needing to resit the exam later.

Annual Maintenance Fees and What Comes Next

Passing the exam and completing endorsement are the entry points. Maintaining the certification requires ongoing commitment. The CISSP certification is valid for three years, and staying active requires earning 120 Continuing Professional Education (CPE) credits across that three-year cycle. You also owe an Annual Maintenance Fee each year of the cycle.

CPE credits are not a formality: ISC2 expects credits that genuinely advance your security knowledge or contribute to the profession. Reading security publications, attending conferences, teaching security topics, completing formal training, and contributing to ISC2 itself all qualify. For a detailed breakdown of what counts and how to document it, see our article on CISSP CPE Requirements: How to Earn and Track Credits 2026.

CPEs must be distributed across all three years of the cycle; you cannot batch all 120 in the final year. ISC2's online CPE portal (CPE Submitter) is where you log credits as you earn them. Maintaining a running log rather than reconstructing your activity at renewal time saves significant effort.

How the Eight Domains Map to Your Experience Claims

The most strategic way to complete your endorsement application is to treat each domain as a category heading for your professional narrative. Review your career history and identify specific roles, projects, or responsibilities that align with domain content. You do not need experience in all eight domains, only at least two, but covering more domains strengthens your application and demonstrates the breadth ISC2 intends the credential to represent.

Consider how common security roles naturally align with multiple domains simultaneously. A security analyst role often touches Domain 6 (Security Assessment and Testing) through vulnerability scanning and Domain 7 (Security Operations) through incident response. A network security engineer role maps to Domain 4 (Communication and Network Security) and frequently Domain 3 (Security Architecture and Engineering) when designing secure network architectures. A GRC analyst role aligns heavily with Domain 1 (Security and Risk Management), the largest domain at 16% of the exam, and often Domain 2 (Asset Security) through data classification work.

When you prepare for the exam itself, practicing with realistic questions that reflect the exam's CAT format builds the same conceptual clarity you need to articulate your experience in domain terms. Our CISSP practice tests simulate the 100-to-150-item adaptive format so you understand not just the content but how ISC2 tests it, which directly informs how you frame your professional experience in the endorsement application.

Common Endorsement Mistakes and How to Avoid Them

Candidates who understand the exam thoroughly sometimes underestimate the administrative precision the endorsement process requires. These are the errors that most commonly delay or complicate approvals.

  • Waiting too long to start the application. The nine-month window sounds generous until you factor in finding an endorser, gathering employment documentation, and coordinating with former employers who may take weeks to respond.
  • Vague experience descriptions. ISC2 reviewers are looking for domain-specific language. Describing your work in generic IT terms, rather than tying it to specific security functions within CISSP domains, gives reviewers nothing concrete to verify.
  • Misidentifying qualified endorsers. Your endorser must hold an active CISSP. An expired or suspended CISSP cannot endorse your application. Verify your endorser's status in the ISC2 member directory before submitting.
  • Name and identity mismatches. If your legal name differs between your government ID, your Pearson VUE registration, and your ISC2 account, the application can be flagged for manual review. Resolve discrepancies before submitting.
  • Forgetting the AMF after approval. Some candidates complete endorsement and then delay paying the Annual Maintenance Fee, inadvertently allowing their certification to lapse before it has truly begun.

Parallel Preparation: While you are studying for the exam using CISSP practice tests, simultaneously organize your professional experience documentation by domain. By exam day, your endorsement application should be largely ready to submit, eliminating the scramble that catches many candidates off guard.

Candidates who want to explore every aspect of CISSP requirements in one place can also review our comprehensive guide on the CISSP Endorsement Process: Steps After Passing the Exam alongside their exam preparation to ensure no step is overlooked.

Frequently Asked Questions

How long do I have to submit my endorsement application after passing the CISSP exam?

ISC2 requires you to submit your completed endorsement application within nine months of your exam pass notification. Missing this window means your exam result expires and you must retake the exam. Start gathering documentation immediately after receiving your results.

Can my endorser be someone I have never worked with directly?

Yes. Your endorser does not need to be a current or former colleague. They must be an active CISSP in good standing who is willing to review your experience documentation and attest that your claims appear truthful. Many candidates are endorsed by CISSPs they meet through professional associations or ISC2 chapter events.

What happens if I pass the exam but only have three years of relevant experience?

You can elect to become an Associate of ISC2. This status acknowledges your exam achievement while giving you up to six years to accumulate the remaining experience. Once you reach the five-year threshold (or four years with an approved waiver), you submit an endorsement application to convert to full CISSP status.

Does the CISSP exam fee cover the endorsement process?

The $749 USD exam fee paid through Pearson VUE covers only the examination itself. There is no separate endorsement application fee, but the Annual Maintenance Fee becomes due once ISC2 approves your application. Budget for the AMF in advance to avoid an unintentional lapse.

How many CPE credits do I need to maintain CISSP certification after endorsement?

You must earn 120 CPE credits across the three-year certification cycle, with credits distributed across all three years rather than concentrated at the end. For detailed guidance on qualifying activities and how to log credits with ISC2, see our full breakdown in CISSP CPE Requirements: How to Earn and Track Credits 2026.
