
CISSP experience requirement explained: what counts and what does not

CISSP 5-year experience requirement breakdown: what paid work counts, what internships don't, degree waiver rules, ISC2 Associate path, and endorsement process.


ISC2 rejects CISSP endorsement applications every month from candidates who passed the exam but can't prove their work experience. Passing the exam is the easy part — it's the experience documentation that trips people up. Five years of paid work experience in two or more of the eight CISSP domains sounds straightforward until you try to map your actual career history to ISC2's specific requirements.


The core requirement and its variables

The standard CISSP experience requirement is five years of cumulative, paid work experience in two or more of the eight CISSP domains. However, three circumstances reduce or modify this requirement:

Circumstance                                          Effect on experience requirement
Four-year college degree (or regional equivalent)     Reduced to 4 years
ISC2-approved credential (e.g., CCSP, CSSLP, CAP)     Reduced to 4 years
Degree plus approved credential                       Still 4 years (the two waivers do not stack)
ISC2 Associate status (experience not yet complete)   Requirement unchanged; exam first, then up to 6 years to earn the experience

The degree waiver is the most commonly used. As described here, the degree does not need to be in computer science or information security: a four-year degree in English reduces the requirement to four years of qualifying work experience. ISC2 revises the wording of its published experience requirements from time to time, so confirm the current degree criteria on isc2.org before relying on the waiver.


What "paid work experience" means to ISC2

The phrase "paid work experience" is more restrictive than it sounds. ISC2 defines qualifying experience as:

  • Direct work experience in security activities, not adjacent support roles

  • Work performed in an employer-employee relationship or as an independent contractor

  • Work where you were compensated financially for your specific security contributions

  • Work performed within the relevant domain's scope as defined by ISC2's CBK

The experience must be in security activities, not just in environments where security matters. A database administrator who works at a security company does not automatically qualify — the DBA's domain experience only counts if they were actively performing security-relevant database tasks (access control, audit log configuration, encryption of data at rest).

Domain-specific experience examples

Here's what counts for three of the most commonly claimed domains:

Domain 1 (Security and Risk Management):

  • Conducting formal risk assessments using documented methodologies

  • Developing or implementing information security policies

  • Managing compliance programs against regulatory frameworks (HIPAA, PCI-DSS, SOX)

  • Preparing or presenting security risk reports to executive leadership

  • Business continuity or disaster recovery planning with documented deliverables

Domain 4 (Communication and Network Security):

  • Designing or implementing network segmentation for security purposes

  • Configuring and managing firewalls, VPNs, or IDS/IPS systems

  • Evaluating or selecting network security technologies

  • Performing network security assessments with documented findings

Domain 7 (Security Operations):

  • Operating a security operations center or incident response team

  • Conducting forensic investigations with legal chain of custody documentation

  • Managing vulnerability management programs with remediation tracking

  • Physical security management including access control systems


What does not count toward CISSP experience

This is where applications get rejected. ISC2 is specific about what does not qualify:

  • Unpaid internships — As described here, uncompensated internships do not count, regardless of how much security work you did. ISC2 has revised its internship rules before, so check the current experience requirements page on isc2.org before discarding an internship

  • Student projects or academic labs — University lab work, capstone projects, and thesis research are excluded

  • Volunteer work — Helping a nonprofit with their security program pro bono doesn't count, even if the work was identical to paid work

  • Security-adjacent IT roles without direct security duties — A helpdesk technician who reset passwords and occasionally helped with phishing reports cannot claim full security operations experience

  • Training and certifications — Studying for CISSP or completing security courses is not experience

  • Self-study projects — Building a home lab, practicing CTF challenges, or creating personal security tools does not qualify

  • Part-time work at full weight — Part-time work counts, but only proportionally. Six months of half-time security work counts as three months of full-time equivalent experience. ISC2 converts on an hours basis: 1,040 hours of part-time work equals six months of full-time experience, and 2,080 hours equals twelve months, so keep a record of actual hours worked

Two rejection cases illustrate this. David, a systems administrator with eight years of experience, had his endorsement application rejected because his job title was "Sysadmin" and his employer documented only IT work, not security-specific work; his security duties were not reflected in his official job description. He reapplied six months later with a letter from his manager specifically describing his firewall management, patch management oversight, and security audit support, and was approved. Jennifer, a recent computer science graduate, tried to count her university capstone project (a security assessment of her campus network) toward the experience requirement. ISC2 rejected it because it was academic work, not paid employment.


The ISC2 Associate path: exam first, experience later

If you pass the CISSP exam but don't yet have the required experience, you become an ISC2 Associate. This is a formal status with specific rules:

  • You have six years from your exam pass date to accumulate the required experience

  • During that six years, you're listed as an "ISC2 Associate" — you cannot call yourself a CISSP

  • ISC2 requires you to pay an annual maintenance fee as an Associate; it is lower than the fee CISSP holders pay, and ISC2 publishes the current amounts, which change periodically

  • You must still comply with the ISC2 Code of Ethics as an Associate

  • Once you have qualifying experience, you submit your endorsement application and, if approved, become a CISSP

The 6-year Associate path deadline is firm. If you pass the exam and become an Associate but fail to complete the experience and endorsement process within six years, your Associate status lapses. You would then need to retake the exam from the beginning — the exam pass does not remain valid indefinitely. Candidates who take the exam early in their careers and then fail to maintain momentum on their endorsement application are at real risk of missing this window.

The Associate path makes sense for candidates who have passed but are early in their careers — typically those with three to four years of experience who expect to hit the five-year mark within a few years. It's less appropriate for candidates who are just beginning their security careers, since six years is a long time to maintain an inactive credential while building experience.

"The ISC2 Associate designation is underused and underappreciated. It lets you get the hard part — passing the exam — done while you're in study mode, then build the experience over time. The alternative is waiting until you have the experience and then studying, which means your exam prep competes with a full-time job." — Phil Martin, CISSP holder and security awareness trainer


The endorsement process step by step

After passing the exam, the experience endorsement process works as follows:

  • Complete the online endorsement application in your ISC2 candidate portal within nine months of passing the exam

  • Document your work experience, including employer names, dates of employment, and job titles

  • Describe your specific security duties for each position, mapping them to the eight CISSP domains

  • Identify an endorser — an active CISSP in good standing who can verify your experience

  • Your endorser reviews your application and either approves or declines to endorse

  • ISC2 receives the endorsed application and reviews it

The ISC2 endorsement review typically takes 4-6 weeks after submission. During peak periods (especially after large exam windows), review times can extend to 8 weeks. If you submitted a complete application and haven't heard back after 6 weeks, ISC2's certification team accepts status inquiries by email.

ISC2 may request additional documentation, letters from employers, or clarification on specific experience claims. This request-for-information step adds another 2-4 weeks to the process. Candidates who provide specific, detailed duty descriptions at the initial application stage have fewer requests for additional information.

Finding an endorser

Your endorser must be an active, certified ISC2 member in good standing — meaning their own certification is current and they're not under any ethics violation process. Common sources for endorsers:

  • A manager or director who holds a CISSP

  • A colleague in a CISSP study group who has already certified

  • A mentor from a professional security organization (ISACA, ISSA, OWASP chapter)

  • ISC2 chapter contacts (ISC2 operates local chapters that can sometimes connect candidates with willing endorsers)

If you genuinely cannot find an endorser, ISC2 itself can serve as your endorser. This option requires more documentation and takes longer than the standard endorsement process — typically 4-8 additional weeks — but it's available for qualified candidates who lack the professional network to find an endorser. ISC2 reviews the application independently when acting as endorser, applying the same criteria any endorser would.


Documenting experience across multiple employers

Most CISSP candidates have worked at more than one employer. Here's how to structure that documentation effectively:

  • List each employer separately with exact start and end dates

  • For each employer, identify which CISSP domains your work covered

  • Write 3-5 sentences per domain per employer describing your specific duties — not generic job description language

  • Request letters from former employers if possible, especially if your job title doesn't reflect security responsibilities

  • Include contract work and independent consulting with client descriptions and deliverables

  • Document part-time work with the actual hours worked to support the full-time equivalent calculation

The ISC2 application system guides you through this but be specific in your descriptions. Vague entries like "performed security tasks" get flagged. Specific entries like "conducted quarterly vulnerability scans using Nessus, triaged findings, and tracked remediation to closure in our ticketing system" are what the reviewers want to see.
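Before filling in the application, it helps to tally your timeline the way ISC2 will: cumulative full-time months, part-time work prorated, unpaid work excluded, the one-year waiver applied at most once, and at least two domains covered. The script below is an added self-check example, not an ISC2 tool or anything from the original article. It encodes the rules as stated in this article plus one assumption that is not spelled out by the article: months where two paid positions overlap are credited at most once (concurrent jobs do not double your calendar experience). The sample positions are constructed for illustration.

```python
"""Self-check for the CISSP experience requirement (added example, not ISC2 code).

Rules encoded from the article: 5 years (60 months) cumulative experience in
two or more domains; a degree or an ISC2-approved credential waives 12 months,
and the two waivers do not stack; part-time work counts proportionally; unpaid
work earns nothing. Assumption not stated by the article: a calendar month is
credited at most 1.0 full-time month even when paid positions overlap.
"""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Position:
    employer: str
    start: date          # first month counted
    end: date            # month you left (not counted)
    domains: frozenset   # CISSP domain numbers (1-8) the duties map to
    paid: bool = True
    fte: float = 1.0     # fraction of full time; 0.5 means half time


def _month_index(d: date) -> int:
    return d.year * 12 + (d.month - 1)


def qualifying_months(positions) -> float:
    """Sum FTE of paid positions per calendar month, capped at 1.0 per month."""
    credit = {}
    for p in positions:
        if not p.paid:
            continue  # unpaid internships, volunteer work, student projects
        for m in range(_month_index(p.start), _month_index(p.end)):
            credit[m] = credit.get(m, 0.0) + p.fte
    return sum(min(1.0, c) for c in credit.values())


def domains_covered(positions) -> set:
    """Union of domains claimed across paid positions only."""
    return set().union(*(p.domains for p in positions if p.paid))


def required_months(degree=False, approved_credential=False) -> int:
    waiver = 12 if (degree or approved_credential) else 0  # never 24
    return 60 - waiver


def check(positions, degree=False, approved_credential=False) -> dict:
    months = qualifying_months(positions)
    needed = required_months(degree, approved_credential)
    domains = domains_covered(positions)
    return {
        "months": months,
        "needed": needed,
        "domains": sorted(domains),
        "eligible": months >= needed and len(domains) >= 2,
    }


def add_months(d: date, n: int) -> date:
    """Calendar-safe month arithmetic (clamps the day to the target month)."""
    y, m = divmod(d.month - 1 + n, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def deadlines(exam_pass: date) -> dict:
    """Nine months to apply for endorsement; six years of Associate status."""
    return {
        "endorsement_application": add_months(exam_pass, 9),
        "associate_expiry": add_months(exam_pass, 72),
    }


# Constructed sample career: an unpaid internship, a sysadmin role with security
# duties, a half-time consulting side line that overlaps two jobs, and SOC work.
SAMPLE = [
    Position("Acme Corp (unpaid intern)", date(2016, 6, 1), date(2016, 9, 1),
             frozenset({7}), paid=False),
    Position("Acme Corp (sysadmin, firewall/patching)", date(2016, 9, 1),
             date(2019, 3, 1), frozenset({4, 7})),
    Position("Freelance risk assessments", date(2018, 9, 1), date(2020, 9, 1),
             frozenset({1}), fte=0.5),
    Position("Regional bank SOC analyst", date(2019, 3, 1), date(2021, 3, 1),
             frozenset({6, 7})),
]
SAMPLE_EXAM_PASS = date(2024, 3, 31)

if __name__ == "__main__":
    print(check(SAMPLE))               # 54 months, domains [1, 4, 6, 7], not eligible
    print(check(SAMPLE, degree=True))  # needed drops to 48, eligible
    print(deadlines(SAMPLE_EXAM_PASS))
```

Naively adding up the three paid positions gives 66 months and a false sense of eligibility; credited month by month, the overlapping half-time consulting adds nothing during the months it runs alongside a full-time job, and the total is 54 months, which only clears the bar with the degree or credential waiver.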


Domain coverage requirements: do you need experience in 2+ domains?

Yes — the requirement explicitly states "two or more of the eight domains." However, ISC2 doesn't specify how much experience must come from each domain or whether the experience needs to be evenly distributed.

A candidate with four years of network security experience (Domain 4) and one year of security operations experience (Domain 7) meets the two-domain requirement. A candidate with four years of pure helpdesk work and one year of SIEM monitoring might struggle to demonstrate two full domains.

Most successful applicants find they have experience in three to four domains even if they weren't thinking about it that way:

  • Security operations center work covers Domain 7

  • The same work often involves Domain 6 (assessment and testing) when they conduct vulnerability scans

  • Policy development for those same operations touches Domain 1

  • Network configuration in support of security touches Domain 4

Review your actual work history against the eight domain descriptions before concluding you only have experience in one domain. Security work tends to span multiple domains by nature.


Common documentation mistakes that delay endorsement

  • Job title mismatch: Your title says "IT Analyst" but you're claiming security experience. A detailed duty description or employer letter resolves this.

  • Gap in employment without explanation: If you were unemployed or between contracts, note this explicitly rather than leaving a timeline gap.

  • Claiming non-security IT work as security experience: Routine system administration without security focus doesn't qualify.

  • Incomplete domain mapping: Describing your work without explicitly tying it to domain language. Use domain-specific vocabulary in your descriptions.

  • Endorser who is not currently active: Your endorser's CISSP must be current. If they let it lapse, they can't endorse you — verify their status before submitting.

  • Submitting more than 9 months after passing: The application window is nine months from the exam pass date. Missing this deadline requires contact with ISC2 to request an extension, which is not guaranteed.


See also: CISSP domains ranked by difficulty: where most candidates lose points, CompTIA Security+ as a CISSP stepping stone: the logical path


Frequently Asked Questions

Does a college degree reduce the CISSP experience requirement?

Yes. A four-year college degree or its regional equivalent reduces the CISSP experience requirement from five years to four years. As described in this article the degree does not need to be in computer science or information security, but ISC2 revises its published criteria periodically, so confirm the current degree rule on isc2.org before counting on the one-year waiver.

Can I use an internship to meet the CISSP experience requirement?

As described in this article, unpaid internships do not count, because ISC2 requires paid work experience in which you were compensated financially for your security work. Paid internships may count, but you must document them with employer verification and specific security duty descriptions. ISC2 has revised its internship rules before, so check the current experience requirements page on isc2.org before discarding an internship.

What is the ISC2 Associate and how does it work?

The ISC2 Associate designation is available to candidates who pass the CISSP exam but don't yet have the required work experience. Associates have six years from their exam pass date to accumulate qualifying experience and complete the endorsement process. During that time they pay reduced annual fees and may not use the CISSP title.

Who can endorse my CISSP application?

Your endorser must be an active ISC2 certified member in good standing — most commonly a CISSP. They verify your work experience and professional claims. If you cannot find a qualifying endorser, ISC2 itself can serve as your endorser, though this path requires more documentation and takes longer.

Do I need experience in all 8 CISSP domains?

No. ISC2 requires paid work experience in two or more of the eight CISSP domains. There's no minimum per domain, and most security professionals find their actual work history naturally covers three to four domains when they map their duties against the official domain descriptions.