Quick Answer: CISSP requires a minimum of five years of cumulative, full-time experience in two or more of the eight CISSP domains. A bachelor’s or master’s degree in computer science, IT, or a related field satisfies one year of the requirement, as does holding a credential from the ISC2 approved list. However, that approved credential list changed dramatically on April 1, 2026, cutting from roughly 50 certifications down to 25 and removing major credentials including CEH, CISA, CRISC, and OSCP. If your certification roadmap depends on a waiver, this guide tells you exactly where you stand. And once you confirm you qualify, CertEmpire’s CISSP exam questions are built to get you through the hardest certification in cybersecurity on your first attempt.
Why CISSP Requirements Matter More Than Ever in 2026
ISC2 reports over 170,000 active CISSP holders, with a median salary of $168,900 according to the ISC2 Cybersecurity Workforce Study. According to Glassdoor, the median total salary for all CISSP holders in the US is $164,000. ZipRecruiter puts the average annual pay for a CISSP professional in the United States at $119,521, with top earners reaching $176,500 annually.
Those numbers explain why the CISSP is the most pursued senior cybersecurity credential in the world. They also explain why ISC2 guards its requirements carefully. The barrier to entry is high by design. Understanding every requirement, every waiver option, and every shortcut that still exists is the difference between qualifying this year and waiting another two years.
The Core CISSP Experience Requirement
To qualify for the CISSP examination, you must have at least five years of cumulative paid work experience in two or more of the eight domains of the CISSP Common Body of Knowledge. This includes both full-time and part-time work experience, as well as paid and unpaid internships.
That is the foundation. Every other requirement, waiver, and pathway builds on this baseline. Before anything else, you need to count your years honestly.
What Counts as Qualifying Experience
ISC2 evaluates CISSP candidates’ work experience with a keen focus on the quality and relevance of security tasks performed rather than on the specific job titles held. Having “security” in your job title, while potentially beneficial, is not an absolute requirement. What ISC2 prioritizes is the demonstration of substantial security work experience under the eight domains of the CISSP exam outline.
This distinction matters enormously for candidates who have spent years in IT roles without an explicit security title. A network administrator who managed firewalls and access controls qualifies. An IT manager who designed and enforced security policies qualifies. A system administrator at a small organization who handled all security responsibilities qualifies. The question ISC2 is asking is not what your title was but what your daily work involved.
ISC2 wants to know about your direct involvement with security, no matter the percentage of your job it made up. The trick is to connect your work experiences to the CISSP’s eight domains. It’s all about highlighting the parts of your job where you’ve applied security principles, no matter your official job title.
Full-Time Work Experience
Full-time work experience, as defined by ISC2, generally involves roles that engage individuals for at least 40 hours per week in tasks directly related to one or more of the CISSP domains. Full-time experience accrues straightforwardly. One year of qualifying full-time work equals one year toward your five-year requirement.
Part-Time Work Experience
Part-time experience can’t be less than 20 hours per week. It also can’t be more than 34 hours per week, otherwise you would be considered full-time. ISC2 will translate the total hours you worked part-time into full-time work based on the 40-hour work week and the 2,080-hour work year. For instance, 1,040 hours of part-time work equals six months of full-time work.
If you have been working 25 hours per week in a qualifying security role for three years, those hours count toward your total. You do the math by taking your total part-time hours and dividing by 2,080 to convert them into full-time equivalent years.
Internships
ISC2 permits hours spent in internships, paid or unpaid, to contribute to the requisite five years of professional experience in the cybersecurity domain. For an internship to be considered valid, the experience must be directly related to one or more of the eight CBK domains. Candidates must meticulously document their internship, detailing the roles and responsibilities undertaken and how these activities align with the CISSP domains. Candidates are required to obtain documentation on official company or organization letterhead confirming their position as an intern.
Internship documentation is the most commonly overlooked part of CISSP applications. If you completed a security internship years ago, contact the organization now and get that letterhead documentation before you need it. Companies fold, HR departments lose records, and contacts change roles. Do not wait until application time to start gathering this.
The 8 CISSP Domains: Where Your Experience Must Fall
Your five years of experience must cover two or more of these eight domains of the CISSP Common Body of Knowledge.
Domain 1: Security and Risk Management covers security governance, compliance, risk frameworks, legal and regulatory requirements, ethics, and business continuity planning. This is the heaviest domain on the exam at 16% weighting. Experience in policy development, risk assessment, compliance programs, and security awareness training all qualify.
Domain 2: Asset Security covers information and asset classification, ownership, privacy protection, data retention, and secure disposal. Security professionals who have managed data classification programs, implemented data loss prevention tools, or developed information handling policies qualify here.
Domain 3: Security Architecture and Engineering covers security design principles, cryptography, physical security, and secure system components. Engineers who have designed network architectures with security controls, implemented encryption solutions, or evaluated security models qualify here.
Domain 4: Communication and Network Security covers network architecture, secure protocols, and network attack defense. Network administrators and engineers who managed firewalls, VPNs, intrusion detection systems, and network segmentation qualify here. This is one of the most accessible domains for IT professionals transitioning into security.
Domain 5: Identity and Access Management covers physical and logical access controls, identification and authentication, authorization mechanisms, and identity services. System administrators who managed Active Directory, implemented multi-factor authentication, or designed access control policies qualify here.
Domain 6: Security Assessment and Testing covers security assessment strategies, security control testing, and test output reporting. Analysts who conducted vulnerability assessments, penetration tests, security audits, or implemented security monitoring qualify here.
Domain 7: Security Operations covers investigations, incident management, disaster recovery, logging, and physical security controls. Security operations center analysts, incident responders, and IT staff who handled security events qualify here.
Domain 8: Software Development Security covers security in the software development lifecycle, security controls in development environments, and software security effectiveness assessment. Developers who implemented secure coding practices, conducted code reviews, or integrated security into DevOps pipelines qualify here.
You need qualifying experience in at least two of these eight domains. Most experienced IT professionals will find their work maps naturally to three or four domains. When preparing your application, document each role separately and map your responsibilities explicitly to the domain descriptions above.
The One-Year Experience Waiver: What Changed in April 2026
This is the most important section of this guide for anyone planning their CISSP timeline in 2026.
Effective April 1, 2026, the list of credentials that satisfy a one-year waiver of the required work experience for CISSP was reduced. The new list applies to anyone who submits their CISSP certification application on or after April 1, 2026.
ISC2 is cutting its CISSP experience waiver list from roughly 50 certifications down to 25. The removals hit hard. EC-Council’s Certified Ethical Hacker (CEH) is gone. ISACA’s CISA and CRISC are both cut. Offensive Security’s OSCP, a certification many penetration testers consider essential, is also removed.
The change applies to anyone who submits their CISSP certification application on or after April 1, 2026. Candidates who applied before that date could still use the previous expanded list. Since the April 1 date has now passed, the new reduced list is in full effect.
What the New Reduced List Keeps
The new approved credential list includes the three now-standalone ISC2 credentials: Information Systems Security Architecture Professional (ISSAP), Information Systems Security Engineering Professional (ISSEP), and Information Systems Security Management Professional (ISSMP), along with newer additions including Zscaler Digital Transformation Administrator (ZDTA), Zscaler Digital Transformation Engineer (ZDTE), and Zscaler Digital Experience Administrator (ZDXA).
The surviving credentials on the approved list are heavily weighted toward ISC2’s own certification portfolio. Some community members view this skeptically, seeing it as an attempt to funnel candidates toward ISC2’s own certifications. The complete retention of ISC2 credentials while cutting competitors’ certifications supports this interpretation. However, ISC2 also retained the full CompTIA track and CISM from ISACA, suggesting the decision was not purely competitive.
Key credentials that remain on the approved list include CompTIA Security+, CompTIA CySA+, CompTIA CASP+, ISC2 SSCP, ISC2 CCSP, ISACA CISM, and ISC2’s concentration credentials ISSAP, ISSEP, and ISSMP.
What the New List Removed
The removed credentials include CEH, CISA, CRISC, OSCP, and the majority of GIAC certifications including GCIH, GCFA, and GSEC.
The traditional get-CEH-then-CISSP progression just got disrupted. Security professionals who invested in CEH or Offensive Security certifications expecting to use them toward CISSP have lost that option.
The Degree Waiver Remains Unchanged
The four-year college degree waiver continues without modification. Candidates with bachelor’s or master’s degrees in computer science, information technology, or related fields can still reduce the experience requirement by one year.
If you hold a qualifying degree and four years of experience, you can apply for the full CISSP today regardless of the credential list changes. The degree waiver was not part of the April 2026 update.
You Cannot Stack Both Waivers
You cannot use both a degree and a credential to waive two years from the experience requirement. The maximum waiver available is one year, regardless of how many qualifying degrees or credentials you hold. If you have a bachelor’s degree in computer science and you hold CompTIA Security+, you can only claim one year off the requirement, not two.
The Associate of ISC2 Pathway: Take the Exam Before You Qualify
This is the most underused route to CISSP and the right choice for anyone who wants to pass the exam now while continuing to accumulate experience.
If you don’t have the required experience, you can still take the first step toward CISSP certification. By passing the CISSP examination, you can become an Associate of ISC2. This gives you six years to earn the necessary five years of experience while holding the associate status.
The Associate pathway works like this. You register for and take the CISSP exam. If you pass, you receive Associate of ISC2 status immediately. You then have six years from that date to accumulate the remaining experience and convert to full CISSP membership.
A candidate who does not have the required experience becomes stuck in a CISSP purgatory as CISSP Associate for up to six years until they get the minimum work experience.
The practical advantage of this path is significant. For a candidate with three years of qualifying experience, passing the exam and becoming an Associate immediately puts the certification on their resume while they continue building the remaining two years. Many employers treat the Associate designation as meaningful, particularly for roles that list CISSP as preferred rather than required.
The DoD 8570 framework that much of the US Government uses specifies a CISSP(A), not a CISSP. An Associate can upgrade to the full CISSP as soon as they reach the experience requirements.
The CISSP Exam Itself: What You Are Actually Preparing For
Understanding the requirements is step one. Understanding what the exam involves is step two, and this is where many candidates underestimate the challenge.
Format and Structure
ISC2 uses the Computerized Adaptive Testing format for the CISSP exam worldwide. Each candidate taking the CAT exam will start with an item that is well below the passing standard. Following a candidate’s response to an item, the scoring algorithm re-estimates the candidate’s ability based on the difficulty of all items presented and answers provided. With each additional item answered, the estimate of the candidate’s ability becomes more precise.
Candidates will be presented with a minimum of 100 items on the CISSP exam. The maximum item count is 150 items. Each exam contains 25 pretest, or unscored, items as part of the minimum length examination. The maximum administration time for CISSP is three hours.
The 25 unscored pretest items are indistinguishable from scored items. You cannot tell which questions count and which do not. Answer every question as if it contributes to your score.
Passing Score and Scoring Logic
For the computerized adaptive testing version of the CISSP exam, you need to score at least 700 out of 1000 points to pass. The adaptive test measures your ability to demonstrate competency across all domains rather than just accumulating points in bulk. You could answer 100 questions, but if your answers suggest inconsistencies in key areas, you may not pass even if you got many questions right.
Three rules govern the exam conclusion. The Confidence Interval Rule ends the exam early once the algorithm is 95% confident your ability is above or below the passing standard, after the minimum question count is reached. The Maximum-Length Exam Rule applies if you reach 150 questions without a clear determination, assessing your final 75 operational answers. The Run-Out-of-Time Rule applies if you exhaust the three-hour maximum without the Confidence Interval Rule triggering.
Cost
The exam fee in the Americas and APAC is US $749. Additionally, ISC2 membership requires an annual fee of $125 once you achieve full certification status.
Retake Policy
After your first exam attempt, you may retest after 30 test-free days. After your second exam attempt, you may retest after 60 test-free days. After your third attempt and all subsequent retakes, you may retest after 90 test-free days. You may attempt an ISC2 exam up to 4 times within a 12-month period.
Pass Rate
Reports suggest that the pass rate for first-time test takers is around 50%, which means half of the people who take the CISSP end up retaking it. Well-prepared candidates who complete 500 or more practice questions and score 80% or higher consistently before scheduling the exam have an estimated first-time pass rate around 70%.
The gap between an unprepared candidate and a well-prepared one is enormous. This is not an exam you can wing with general IT knowledge. Deliberate, domain-specific preparation using scenario-based practice questions is the deciding factor.
The 8 CISSP Domain Weights: Where to Focus Your Study Time
The CISSP exam does not weight all domains equally. Understanding where the exam allocates questions tells you where to spend your preparation time.
Domain 1, Security and Risk Management, carries the highest weight at 16%. This is the biggest single domain on the exam and the one that trips up the most candidates because it requires managerial and governance-level thinking rather than technical execution.
Domain 7, Security Operations, is the second heaviest at 13%. Incident response, forensics, disaster recovery, and business continuity fall here.
Domain 3, Security Architecture and Engineering, and Domain 4, Communication and Network Security, each carry approximately 13% weight.
Domain 5, Identity and Access Management, carries 13% weight.
Domain 6, Security Assessment and Testing, carries 12% weight.
Domain 8, Software Development Security, carries 10% weight.
Domain 2, Asset Security, is the lightest at 10%.
The most common mistake candidates make is studying all eight domains equally. Study Domain 1 and Domain 7 hardest first. They are the heaviest weighted and they require the most conceptual shift for candidates coming from technical backgrounds.
The Mindset Shift That Separates Passes From Failures
The CISSP is not a technical exam. It is a management exam. What makes earning the CISSP difficult is the experience requirement combined with the mindset required for the exam itself.
Every CISSP question asks you to think like a senior security manager, not a hands-on technician. When a question presents a security incident, the correct answer is almost never the technical fix. It is the governance action, the risk-based decision, or the process response. When two answers both involve technical controls, the correct one is always the one that addresses the root cause and involves appropriate management oversight.
The most reliable way to train this mindset is through scenario-based practice questions that force you to reason through the managerial implications of each situation rather than memorize the technical answer. CertEmpire’s CISSP practice exam library is built around exactly this approach, with scenario-based questions across all eight domains and full explanations that train the right way to think through each decision, not just memorize the correct letter.
The Endorsement Process: What Happens After You Pass
Passing the exam is not the final step. Candidates who pass the CISSP examination must complete the endorsement process before receiving full certification.
To receive the full CISSP certification, you must be endorsed and approved: an ISC2-certified professional has to endorse your work experience and standing within the cybersecurity industry. The endorsement process must be completed within nine months of passing the exam.
The endorser is an active ISC2-certified professional who verifies that your claimed work experience is accurate. They are not vouching for your technical ability, which the exam already tested. They are confirming that your experience documentation is credible and aligns with what you claimed.
If you do not personally know an ISC2-certified professional who can endorse you, ISC2 will review your application directly. This takes longer and requires more thorough documentation.
Start identifying a potential endorser before you sit the exam. If you pass, you have nine months to complete endorsement, but starting that conversation early eliminates one of the most common post-exam delays.
CISSP Maintenance: How to Keep the Certification
The CISSP is not a lifetime credential. Maintaining it requires ongoing commitment.
CISSP is valid for three years. You must renew it by earning 120 Continuing Professional Education credits over those three years or by resitting the exam. You must also pay a yearly $125 membership fee.
CPE credits are earned through a wide range of activities including attending security conferences, completing online training, writing security articles, teaching security courses, and volunteering in security-related roles. ISC2 members have access to free CPE opportunities through ISC2’s own content library.
The 120 CPEs over three years work out to 40 CPEs per year. For an active security professional attending one or two conferences and completing regular training, this is achievable without dedicated effort. For someone in a role with limited ongoing security training, it requires deliberate planning.
CISSP vs. Other Senior Cybersecurity Certifications
Understanding how CISSP compares to other senior-level credentials helps you position it correctly in your career plan.
CISSP vs. CISM: CISM from ISACA focuses specifically on information security management and governance, with less breadth across technical domains. The average CISM salary is roughly $95,000 in the United States compared to $112,000 for CISSP holders. CISM remains on the ISC2 approved credential list, making it a viable CISSP stepping stone if you hold it.
CISSP vs. CASP+: CompTIA CASP+ is the technical counterpart to CISSP. Where CISSP emphasizes governance and management-level decision making, CASP+ goes deeper into technical implementation. CASP+ remains on the ISC2 approved waiver list and is the better choice for candidates who want to stay in hands-on technical roles.
CISSP vs. CCSP: ISC2’s Certified Cloud Security Professional focuses exclusively on cloud security architecture and governance. Many CISSP holders pursue CCSP as a concentration credential. CCSP remains on the approved waiver list, making it a useful step toward CISSP for cloud-focused professionals.
Who Should Pursue CISSP in 2026
CISSP is the right certification for security professionals targeting senior roles with governance and management responsibility. If you are aiming for a role as a CISO, security architect, security manager, IT director with security responsibility, or senior security consultant, CISSP is the credential employers expect.
It is not the right credential if you are early in your career and do not yet have five years of qualifying experience, unless you plan to use the Associate pathway. It is also not the right credential if your goal is hands-on penetration testing or red team work, where OSCP and GIAC credentials are more relevant to employers even though they no longer qualify for the CISSP waiver.
The Bureau of Labor Statistics projects 29 percent growth, much faster than average, for security roles such as information security analysts over the coming decade. The professionals who hold senior credentials like CISSP when that demand arrives will command the salaries that reflect it.
Frequently Asked Questions
How many years of experience does CISSP require?
Candidates must have a minimum of five years cumulative, full-time experience in two or more of the eight domains of the current CISSP exam outline. A post-secondary degree in computer science, IT, or related fields may satisfy up to one year of the required experience, or an additional credential from the ISC2 approved list may satisfy up to one year.
Can I take the CISSP exam without the required experience?
Yes. By passing the CISSP examination without meeting the experience requirement, you become an Associate of ISC2. This gives you six years to earn the necessary five years of experience while holding the associate status.
Which certifications still qualify for the CISSP one-year experience waiver?
After April 1, 2026, the approved list has been reduced to 25 credentials. Certifications that remain include CompTIA Security+, CompTIA CySA+, CompTIA CASP+, ISC2 SSCP, ISC2 CCSP, ISACA CISM, and ISC2’s concentration credentials. CEH, CISA, CRISC, OSCP, and most GIAC certifications were removed from the approved list effective April 1, 2026.
Does a college degree reduce the CISSP experience requirement?
The four-year degree waiver continues without modification. Candidates with bachelor’s or master’s degrees in computer science, information technology, or related fields can still reduce the experience requirement by one year, meaning four years of qualifying experience plus a degree satisfies the full requirement.
How hard is the CISSP exam?
Reports suggest the pass rate for first-time test takers is around 50%, which means half of the people who take it end up retaking it. The exam’s difficulty comes not from technical complexity but from the managerial thinking required. Questions test decision-making at a senior security governance level, not technical recall.
How much does the CISSP exam cost?
The exam fee in the Americas and APAC is US $749. ISC2 membership requires an additional annual fee of $125 after certification.
What is the CISSP retake policy?
After your first attempt, you may retest after 30 test-free days. After your second attempt, you may retest after 60 test-free days. After your third and subsequent attempts, you may retest after 90 test-free days. You may attempt the exam up to 4 times within a 12-month period.
Is CISSP worth it in 2026?
The median total salary for all CISSP holders in the US is $164,000 according to Glassdoor. Against a $749 exam fee, the return on investment is among the highest of any professional certification available. For a security professional targeting senior roles, the CISSP is not optional. It is the expected credential for anyone competing for CISO, security architect, and security director positions.