- What Experience Actually Counts Toward CISSP
- The Five-Year, Two-Domain Requirement Explained
- Which CISSP Domains Can Your Work Experience Cover
- The One-Year Experience Waiver: Who Qualifies
- The Associate of ISC2 Route for New Professionals
- The Endorsement Process: Step by Step
- Registration, Fees, and Exam Logistics
- Maintaining Your CISSP After You Earn It
- Aligning Your Study to the Domains That Match Your Background
- Frequently Asked Questions
- CISSP requires five years of cumulative, paid work experience in at least two of the eight official domains.
- A one-year waiver reduces the requirement to four years if you hold a qualifying degree or approved credential.
- Candidates without the experience can sit the exam and earn Associate of ISC2 status, then complete experience within six years.
- The endorsement step, verified by an ISC2-certified professional, is mandatory before ISC2 officially awards the certification.
What Experience Actually Counts Toward CISSP
One of the most common points of confusion among CISSP candidates is understanding exactly what qualifies as acceptable work experience. ISC2 is specific: the experience must be paid, full-time work (or part-time equivalent) that is directly related to one or more of the eight CISSP domains. Unpaid internships, volunteer roles, and academic coursework do not count on their own, though a formal internship with compensation may qualify depending on the nature of the work performed.
The experience also must be cumulative, not necessarily consecutive. If you worked in network security for two years, left the field, and returned three years later in a security operations role, those five years can still be combined, provided the work genuinely aligns with recognized CISSP domain content. ISC2 evaluates experience at the domain level, not by job title, which means a developer who managed application security controls may legitimately claim experience under Software Development Security even if their official title was "software engineer."
The Five-Year, Two-Domain Requirement Explained
The core prerequisite is straightforward in principle: you need five years of cumulative paid work experience in at least two of the eight CISSP domains. This is not a formality. ISC2 designed the requirement to ensure that CISSP holders bring broad-based security judgment, not narrow technical expertise in a single area.
The two-domain minimum is a floor, not a ceiling. In practice, most candidates who have spent five years in security touch four, five, or even six domains organically through job rotation, project work, or cross-functional responsibilities. A security analyst who responds to incidents (Security Operations), manages access control reviews (Identity and Access Management), and advises on vulnerability remediation (Security Assessment and Testing) may simultaneously satisfy three domains with the same work history.
What matters is that you can truthfully document the connection between your job duties and the domain content. When you complete the online endorsement application, you will describe your work experience in relation to specific domains, and an ISC2-certified endorser will attest to its accuracy. Vague descriptions like "worked in IT security" are insufficient; you need to articulate specific responsibilities that map to domain knowledge areas.
Which CISSP Domains Can Your Work Experience Cover
Understanding the eight domains is essential before you assess your own eligibility. The current exam outline, effective April 15, 2024, defines the following domains:
The Eight CISSP Domains (2024 Exam Outline)
ISC2 weights each domain differently on the exam. Your experience can span any combination of at least two.
- Domain 1 - Security and Risk Management (16%): Governance frameworks, risk analysis, legal and regulatory compliance, ethics, and security policy. Professionals in GRC, compliance, or security management roles typically qualify here.
- Domain 2 - Asset Security (10%): Data classification, ownership, privacy protection, retention, and secure handling. Data governance and privacy officer roles map directly to this domain.
- Domain 3 - Security Architecture and Engineering (13%): Secure design principles, cryptography, security models, and hardware/software vulnerabilities. Systems architects and security engineers find this domain most familiar.
- Domain 4 - Communication and Network Security (13%): Network protocols, segmentation, transmission security, and wireless security. Network engineers and infrastructure specialists commonly qualify here.
- Domain 5 - Identity and Access Management (13%): Authentication mechanisms, identity federation, privileged access, and access provisioning. IAM engineers and directory services administrators draw on this domain.
- Domain 6 - Security Assessment and Testing (12%): Audit strategies, vulnerability assessments, penetration testing oversight, and log review. Security analysts and auditors typically cover this domain.
- Domain 7 - Security Operations (13%): Incident response, disaster recovery, forensics, and physical security. SOC analysts, incident responders, and operations security staff qualify readily.
- Domain 8 - Software Development Security (10%): Secure SDLC, code review, application security controls, and DevSecOps. Developers who have integrated security practices into build pipelines qualify here. See our CISSP Domain 8: Software Development Security Study Guide 2026 for a detailed breakdown of what this domain covers on the exam.
When mapping your background, be honest about depth. Reviewing a security policy once a year probably does not constitute sustained experience in Security and Risk Management. But owning your organization's risk register, conducting annual risk assessments, and advising leadership on risk treatment decisions almost certainly does.
The One-Year Experience Waiver: Who Qualifies
ISC2 grants a one-year experience waiver that reduces the requirement from five years to four. This waiver applies if you hold one of the following:
- A four-year college degree (or regional equivalent) in any discipline
- A master's degree in information security or a related field
- A credential from ISC2's approved list of certifications, which includes credentials such as CISA, CISM, CEH, and Security+, among others
The waiver applies only to one year; you cannot stack multiple qualifications to waive additional years. If you have both a degree and an approved certification, you still only reduce the requirement by one year, bringing it to four years total across at least two domains.
The Associate of ISC2 Route for New Professionals
If you lack the required experience but want to pursue CISSP now, ISC2 offers a legitimate pathway: sit the full CISSP exam, pass it, and earn Associate of ISC2 status. You then have six years to complete and document the required work experience. Once you do, you submit your endorsement application and formally transition to full CISSP status.
This route is particularly valuable for recent graduates, career changers, or professionals early in a security role who have strong academic or self-study backgrounds. The Associate designation signals to employers that you have cleared the same rigorous knowledge hurdle as a full CISSP; you simply need to accumulate the field experience to complement it.
Note that Associate of ISC2 status does carry annual maintenance fees and requires adherence to ISC2's Code of Ethics, even before you transition to full certification. You should plan your career progression with the six-year deadline in mind. For more on what the experience journey looks like from start to finish, revisit our dedicated article on CISSP Experience Requirements: How to Qualify and Apply.
The Endorsement Process: Step by Step
Passing the CISSP exam is not the final step; endorsement is. After receiving your exam pass notification, you have nine months to complete the endorsement application. Here is how the process works:
- Submit your online endorsement application through the ISC2 member portal. You will describe your work experience in detail, organized by domain, specifying dates, employers, and the nature of your security responsibilities.
- Identify an endorser. Your endorser must be an active ISC2-certified professional in good standing: a current CISSP, CCSP, CSSLP, or other ISC2 credential holder who can verify your professional experience. This person is attesting that your stated experience is accurate.
- Your endorser signs off electronically. They review your application and submit their endorsement through the ISC2 portal.
- ISC2 reviews the application. ISC2 may accept it immediately or conduct additional review. In some cases, ISC2 itself will act as endorser if you cannot locate one, though this triggers a more thorough ISC2-conducted audit of your experience.
- Certification is awarded once ISC2 approves the endorsement and you pay any applicable fees. Your certification is valid for three years from the date of award.
Key Takeaway
Do not wait until after passing the exam to identify your endorser. Reach out to colleagues, managers, or professional contacts who hold active ISC2 certifications before exam day. Having an endorser lined up removes a potential bottleneck from an already time-sensitive process.
Registration, Fees, and Exam Logistics
Once you are confident your experience qualifies, or you have decided to pursue the Associate of ISC2 route, registering for the exam is straightforward. CISSP is delivered exclusively through Pearson VUE, which administers the exam at testing centers globally as well as through online proctoring.
| Detail | Specifics |
|---|---|
| Exam Fee | $749 USD |
| Testing Provider | Pearson VUE (test center or online proctored) |
| Exam Format | Computer Adaptive Test (CAT) for English-language exams |
| Number of Items | 100-150 items (multiple choice and advanced innovative items) |
| Time Limit | 3 hours |
| Passing Score | 700 out of 1,000 |
| Exam Outline Version | Effective April 15, 2024 (current for 2026) |
| Governing Body | ISC2 |
The CAT format means the exam adapts to your performance in real time. The number of questions you receive, between 100 and 150, depends on how the algorithm determines statistical confidence in your ability level. Some candidates finish closer to 100 items; others answer all 150. Neither outcome predicts pass or fail on its own.
ISC2 enforces strict exam security policies. You will be required to agree to ISC2's Code of Ethics before the exam is administered, and any breach of exam security rules can result in disqualification. Candidates taking the online proctored route should review Pearson VUE's technical and environmental requirements well in advance.
Before test day, using a structured CISSP practice test platform that mirrors the adaptive format and domain weighting is one of the most effective ways to calibrate your readiness across all eight domains.
Maintaining Your CISSP After You Earn It
CISSP certification is valid for three years. To maintain it, you must accumulate 120 Continuing Professional Education (CPE) credits over the three-year cycle and pay the annual maintenance fee (AMF) each year. ISC2 requires at least 40 CPEs per year to stay on track, though the cycle total of 120 is the binding requirement.
CPEs can be earned through a wide range of activities: attending security conferences, completing training courses, publishing security research, contributing to ISC2 chapter activities, or passing additional certifications. ISC2 distinguishes between Group A CPEs (directly related to the CISSP domains) and Group B CPEs (general professional development). The majority of your CPEs must fall into Group A.
Failure to meet CPE requirements or pay the AMF results in suspension and, ultimately, revocation of the certification. Planning your CPE activities throughout the three-year cycle is far more manageable than trying to accumulate all 120 credits in the final months before renewal.
Aligning Your Study to the Domains That Match Your Background
Because CISSP experience requirements demand genuine depth in at least two domains, your study plan should reflect an honest self-assessment of which domains you know well and which represent genuine gaps. This is not about covering your weaknesses last; it is about allocating proportionally more study time to unfamiliar territory while building confidence in areas you already practice professionally.
Anchor Domains: Security and Risk Management + Asset Security
- Domain 1 carries the highest exam weight at 16%: prioritize risk frameworks, governance models, and legal/regulatory concepts regardless of your background.
- Review data classification schemes and privacy principles in Domain 2 (10%), an area technical candidates often underestimate.
Architecture, Network, and IAM: The 13% Domains
- Domains 3, 4, and 5 each carry 13%; together they represent more than a third of the exam. Candidates with network or systems backgrounds often find Domain 4 familiar but underestimate the depth required in Domain 3's cryptography and security models.
- For Domain 5, focus on federation protocols, zero-trust concepts, and privileged access management, all common exam topics.
Assessment, Operations, and Software Development Security
- Domain 6 (12%) rewards candidates who understand audit sampling, penetration test scoping, and log review methodologies, not just technical vulnerability scanning.
- Domain 7 (13%) is broad; focus on incident response lifecycle, forensic evidence handling, and BCP/DR concepts.
- Domain 8 (10%) is frequently overlooked. Use our CISSP Domain 8: Software Development Security Study Guide 2026 to cover the secure SDLC, database security, and DevSecOps controls tested on the current exam.
Throughout your preparation, regularly test yourself under realistic exam conditions. The CAT format penalizes inconsistent knowledge; it will probe areas where your answers show uncertainty. Practicing with adaptive questions at our CISSP exam prep platform helps you identify those areas before they cost you on exam day.
Frequently Asked Questions
Does part-time work experience count toward the CISSP requirement?
Yes. ISC2 allows part-time experience to count, but it is calculated on a pro-rated basis against a full-time equivalent. You will need to accumulate enough part-time hours to equal the equivalent of five years of full-time paid security work across at least two domains.
Does self-employment or contract work count?
Yes, self-employment and contract work qualify as long as they are paid and involve direct security work in recognized CISSP domains. You will need to document your engagements clearly in the endorsement application, including the nature of the work and the domains it covered.
What if I cannot find an endorser?
If you genuinely cannot identify a qualified endorser in your professional network, ISC2 will act as your endorser directly. This triggers a more thorough review of your experience documentation by ISC2 staff, so your application must be detailed and well-supported. Building your professional network through ISC2 chapters before you need an endorser is strongly recommended.
Is the CISSP exam adaptive in every language?
The Computer Adaptive Test (CAT) format applies specifically to the English-language exam: 100-150 items, 3-hour time limit, 700 out of 1,000 passing score. Non-English exams use a linear format with a different item count and time limit. If English is not your primary language but you are comfortable enough to take the English exam, the CAT format may offer an advantage in testing time efficiency.
How long does the endorsement process take?
ISC2 does not publish a guaranteed processing timeline, and processing times can vary depending on application volume. Standard applications with a qualified endorser are typically resolved faster than those routed to ISC2 for direct endorsement. Submitting a complete, well-documented application promptly after receiving your exam pass notification minimizes delays. You have nine months from the pass date to complete the process.