
CISSP Exam Requirements & Prerequisites: Eligibility and Work Experience


Rob Witcher

Last Updated On: June 6, 2025

Are you ready to take your cybersecurity career to the next level with CISSP certification? You're not alone. Thousands of security professionals recognize that CISSP isn't just another certification—it's a career milestone that validates your expertise and opens doors to advanced positions and higher salaries.

What many candidates don't realize is that CISSP certification requires more than just passing an exam. Without the right experience, you'll only qualify as an Associate, not a fully certified professional—a distinction that significantly impacts your job prospects. CISSP certification demands a specific combination of professional experience across eight security domains, post-exam endorsement, and ongoing education commitments.

In this guide, we'll break down exactly what you need—from the required security experience to which types of work qualify (even without 'security' in your job title), and what happens after you pass the exam.

You'll finish with a clear roadmap to CISSP certification without the common pitfalls that trip up many security professionals.

Why should you take the CISSP examination?

The Certified Information Systems Security Professional (CISSP) certification is a globally recognized cybersecurity certification granted to qualified professionals by the International Information System Security Certification Consortium ISC2. This certification verifies an IT professional's ability to design, implement, and manage a cybersecurity program effectively.

Often considered a must-have for career advancement in cybersecurity, the CISSP certification offers various benefits. These include higher salaries, increased job opportunities, enhanced reputation within the industry, and a more in-depth understanding of cybersecurity principles.

Beyond these advantages, you'll also gain membership in one of the largest associations of cybersecurity professionals in the world today, along with the benefits that come with it. 

Who should pursue the CISSP certification?

The CISSP is designed for experienced IT security practitioners, managers, and executives who are interested in proving their skills and knowledge across a wide array of cybersecurity practices and principles.

Some of the roles that often require the CISSP certification include:

  • Chief Information Security Officer (CISO)
  • Director of security
  • Information security analyst
  • Security manager
  • IT director
  • Security consultant
  • Security Architect
  • Security auditor
  • Security systems engineer
  • Network architect

Do note that while the CISSP certification can help you land one of these roles, it's not always a strict requirement. Nevertheless, the certification certainly enhances the credibility and career prospects of professionals in these roles. 

CISSP exam requirements

To qualify for the CISSP examination, you must have at least five years of cumulative paid work experience in two or more of the eight domains of the CISSP Common Body of Knowledge (CBK).

This includes both full-time and part-time work experience, as well as paid and unpaid internships.

You can also substitute a maximum of one year of the work experience requirement if you have relevant education or hold one of the approved ISC2 certifications. This means that you would only need a total of 4 years of work experience to qualify for the CISSP examination.

Do I really need 5 years of experience?

While 5 years is the standard requirement, you can substitute 1 year with relevant education or certifications. Even without the full experience, you can take the exam and become an ISC2 Associate while you accumulate experience.

What Counts as CISSP Experience?

As previously mentioned, having relevant experience in the field of cybersecurity is a critical requirement for earning a CISSP certification. This professional requirement ensures that CISSPs possess not only theoretical knowledge but also practical expertise in the different domains of information security.

So, what types of experiences qualify you to take the CISSP examination? Let's delve into the specifics.

Your Job Title Doesn't Matter (Your Responsibilities Do)

While roles with "security" in their titles naturally align with ISC2 requirements, they're not the only path to certification. We've seen countless network administrators, IT managers, and system engineers qualify for CISSP despite having no security-specific title.

What matters is whether you've been securing information systems. If you've implemented secure network protocols, managed access controls, or conducted risk assessments, these tasks count toward your five years of experience—even if "security" was only 30% of your job description.

When preparing your CISSP application, focus on mapping your responsibilities to the eight domains. We recommend creating a spreadsheet where you list your specific tasks and align them with domains like Security and Risk Management or Identity and Access Management. This approach not only helps you determine if you qualify but also prepares you for the endorsement process where you'll need to explain your experience.

Remember, if some of your responsibilities fall under two or more domains, this counts as relevant experience even if your business card says "IT Support Specialist" or "Network Engineer." What you actually did matters more than what you were called.

Full-time and Part-time work experience

One of the fundamental CISSP examination requirements is having a minimum of five years of relevant work experience in two or more of the eight domains of CISSP CBK. Often, this experience comes from roles that explicitly have “security” in their titles, such as security architect, network security engineer, and security analyst, to name a few.

While working in these roles will naturally align with the ISC2 requirement of security work experience, it's not the only type of experience that can qualify you. It's important to note that ISC2 focuses on the nature of your work, not your job title. Thus, any work involving securing information systems can qualify as security work experience.

For instance, roles like network administrator or IT manager may not have "security" in their job titles, but they involve securing an organization's information systems. These roles include tasks like implementing secure network protocols, managing access controls, and conducting risk assessments, all of which can still count as valid work experience for the CISSP.

When preparing your resume for the CISSP certification, take a good look at the eight domains and their subdomains. If your work experience includes tasks that align with these domains, ensure to highlight them in your resume.

If some of your responsibilities fall under two or more of the eight domains, this counts as relevant experience toward the CISSP certification, even if your job title isn’t explicitly security-focused.

How does ISC2 calculate your years of professional experience?

Both full-time and part-time roles count towards work experience, but they are calculated differently.

  • Full-time work experience: Your work experience is accrued monthly. You need to have worked at least 35 hours a week for four weeks to earn one month of work experience.
  • Part-time work experience: Your part-time hours should range from 20 to 34 hours per week. A total of 1040 hours of part-time work translates into six months of full-time experience, and 2080 hours of part-time work equates to 12 months of full-time experience.

Internship experience

Paid and unpaid internships can also have merit in your CISSP journey. As long as your tasks are connected to one of the domains, they can qualify as relevant work experience. Your internship experience is calculated in the same manner as your full-time or part-time work experience.

One important note: your internship experience must be accompanied by documentation on the company’s or organization’s letterhead confirming your position as an intern. If you’re interning at a school, the letter can be issued on the registrar’s stationery. 


Relevant education or certifications held

You may also satisfy one year of the required experience by having relevant education or certifications. This means that you would only need 4 years of work experience to qualify for the CISSP examination.

For education to be considered relevant, you need to have a four-year college degree (or regional equivalent), or an advanced degree in information security from the U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE).

If you don't hold a relevant degree, there's no need to worry. Certain security certifications can also be used to fulfill one year of the required experience. These include:

  • Cisco Certified Network Associate Security (CCNA Security)
  • CompTIA Security+
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Microsoft Security Operations Analyst
  • Microsoft Certified Cybersecurity Architect

You can check out the full list here.

Remember, you can only use either a relevant education or a certification to offset one year of experience. This means that even if you have both a relevant degree and a certification, you will still need to accumulate four years of work experience.

How to take the CISSP examination with no experience?

While ISC2 typically requires candidates to have at least five years of relevant work experience, you can still take the CISSP exam even if you don't have professional experience in the field. However, you won't earn the CISSP certification right away. Instead, you'll become an ISC2 Associate.

As an ISC2 Associate, you will be given six years to accumulate the required work experience to become a CISSP. During this period, you can access the resources and professional community that ISC2 offers to its associates and certified members.

This pathway also allows you to offset one year of the five-year requirement by obtaining a relevant degree or certification.

Is CISSP for beginners?

No, the CISSP certification isn't for beginners. It is aimed at experienced cybersecurity professionals who have at least 5 years of experience in the industry. However, beginners can still take the CISSP examination. Instead of becoming CISSP certified, they will become an ISC2 Associate.

Additional CISSP requirements

Acquiring the CISSP certification isn’t only about fulfilling the necessary work experience and passing the exam, but it’s also a commitment to ongoing professional development and ethics in the field of cybersecurity.

There are three things that you'll need to fulfill after you pass the exam:

Endorsement process

After passing the CISSP exam, you must be endorsed by an active ISC2 member before you can officially be certified. This endorsement validates your necessary experience and attests to your ethical and professional conduct.

Annual Maintenance Fee

Once you're officially certified, you'll need to pay your first Annual Maintenance Fee (AMF). This fee is used to support the ISC2 costs of maintaining all the certifications they issue and related support systems. As of the time of this writing, the AMF for CISSP is USD$135. For Associates of ISC2, the AMF is USD$50.

Note that these fees can change over time, so it’s best to check ISC2’s official website for updated prices.

Continuing Professional Education (CPE) credits

The CISSP certification is only valid for three years. This means that you’ll need to recertify every three years, which can be accomplished by earning Continuing Professional Education (CPE) credits. You need to earn 40 CPE credits each year, and a total of 120 CPE credits over a three-year certification cycle. If you don’t earn these credits, you’ll have to take the exam again.

How do I earn CISSP CPE credits? 

CPE credits are classified into two categories: Group A and Group B. You are required to earn 90 Group A CPEs and 30 Group B CPEs to get recertified.

Group A CPEs can be acquired by performing activities in the eight domains of CBK through projects or assignments outside your job responsibilities or description. This includes attending educational courses, seminars, and workshops related to information security, contributing to security publications, and participating in professional activities related to the field. 

Group B CPEs are awarded for activities that don't fall under the eight domains but are considered to enhance the general professional skills and knowledge of CISSPs. This can include public speaking or management classes.

FAQs

Is there a minimum age requirement for getting a CISSP certification?

No, there is no minimum age requirement for getting a CISSP certification. As long as you meet the qualifications, you can apply and obtain the certification. The focus is entirely on your professional experience and knowledge, not your age.

Can people of any nationality earn a CISSP certification?

Absolutely, the CISSP certification is available to individuals of any nationality, regardless of their location. In fact, the CISSP exam is available in several languages apart from English, including Chinese, Japanese, and German. ISC2 has testing centers worldwide, making the certification accessible globally.

What is the minimum for CISSP?

The minimum requirement for CISSP is five years of cumulative, paid work experience in two or more of the eight domains of the CISSP. You can substitute one year of this requirement with relevant education or an approved certification, reducing the experience needed to four years. Remember that internships and part-time work can count toward your experience when properly documented.

How long does the CISSP exam take?

The CISSP CAT exam will have a maximum duration of 3 hours for the new version, effective from April 15, 2024, and 4 hours for the previous version. In contrast, the linear exam provides a maximum duration of 6 hours for both the updated and older versions. The Computerized Adaptive Testing (CAT) format adjusts question difficulty based on your performance, potentially allowing you to complete the exam more efficiently.

How much does CISSP certification cost?  

The CISSP certification involves several costs: the exam fee (currently around USD $749), the Annual Maintenance Fee (USD $135 for certified professionals, USD $50 for Associates), and potential study materials or training courses. Some employers offer reimbursement programs for certification costs, so check with your organization before investing personally.

What is the CISSP pass rate?  

While ISC2 doesn't officially publish pass rates for the CISSP exam, industry estimates suggest the general pass rate is approximately 20-25%. However, Destination Certification's CISSP preparation programs have achieved a remarkable 93.6% pass rate for our students. This significantly higher success rate demonstrates the effectiveness of our structured training approach compared to self-study or less comprehensive preparation methods.

Can I take the CISSP exam without the required experience?  

Yes, you can take the CISSP exam without having the full five years of experience. Upon passing, you'll become an Associate of ISC2 rather than receiving the full CISSP certification. You'll then have up to six years to accumulate the required experience and become fully certified, while still benefiting from ISC2 membership resources.

Does CISSP require coding or math skills?  

CISSP doesn't require advanced coding or mathematical skills. While you should understand basic security-related algorithms and cryptographic concepts, the focus is on security management rather than implementation. You won't need to write code or solve complex mathematical equations during the exam.

How should I prepare for the CISSP exam?

Effective CISSP preparation typically involves using official ISC2 materials, taking a structured training course, joining study groups, and regularly testing yourself with practice questions. Most successful candidates spend 3-6 months studying before taking the exam. Our CISSP MasterClass provides a comprehensive preparation system designed specifically for the exam's current format and has helped hundreds of professionals achieve certification with our proven 93.6% pass rate.

What’s Next?

Now that you have a solid understanding of the CISSP exam requirements and how to meet them, you’re ready to move on to the next stage of your journey: exam preparation. A well-rounded and comprehensive study plan is key to passing the CISSP examination and Destination Certification is the perfect guide.

Our CISSP MasterClass can equip you with the knowledge you need to pass the rigorous CISSP exam. This isn't your typical online study training. It adapts to your current level of knowledge, focusing on any knowledge gaps you may have. On top of that, our MasterClass is flexible and adjusts to your schedule, which allows you to progress at your own pace.

So, if you’re ready to take the leap, Destination Certification is here to support you. Best of luck as you prepare for your journey to become CISSP certified!


Rob Witcher

Rob is the driving force behind the success of the Destination Certification CISSP program, leveraging over 15 years of security, privacy, and cloud assurance expertise. As a seasoned leader, he has guided numerous companies through high-profile security breaches and managed the development of multi-year security strategies. With a passion for education, Rob has delivered hundreds of globally acclaimed CCSP, CISSP, and ISACA classes, combining entertaining delivery with profound insights for exam success. You can reach out to Rob on LinkedIn.
