Does a college degree reduce the CISSP experience requirement?
Yes. A four-year college degree or its regional equivalent reduces the CISSP experience requirement from five years to four years. The degree does not need to be in computer science or information security — any four-year degree qualifies for this one-year waiver.
ISC2 rejects CISSP endorsement applications every month from candidates who passed the exam but can't prove their work experience. Passing the exam is the easy part — it's the experience documentation that trips people up. Five years of paid work experience in two or more of the eight CISSP domains sounds straightforward until you try to map your actual career history to ISC2's specific requirements.
The core requirement and its variables
The standard CISSP experience requirement is five years of cumulative, paid work experience in two or more of the eight CISSP domains. Three circumstances reduce or modify this requirement, and the table also notes how they interact:
| Circumstance | Effect on Experience Requirement |
|---|---|
| Four-year college degree (or regional equivalent) | Reduces to 4 years |
| ISC2-approved credential (e.g., CCSP, CSSLP, CAP) | Reduces to 4 years |
| ISC2 Associate status (no experience yet) | Exam first, then 6 years to gain experience |
| Combination of degree + approved credential | Still reduces to 4 years (not additive) |
The degree waiver is the most commonly used. A bachelor's degree in any field counts — it doesn't need to be computer science or information security. A four-year degree in English reduces the requirement to four years of qualifying work experience.
What "paid work experience" means to ISC2
The phrase "paid work experience" is more restrictive than it sounds. ISC2 defines qualifying experience as:
Direct work experience in security activities, not adjacent support roles
Work performed in an employer-employee relationship or as an independent contractor
Work where you were compensated financially for your specific security contributions
Work performed within the relevant domain's scope as defined by ISC2's CBK
The experience must be in security activities, not just in environments where security matters. A database administrator who works at a security company does not automatically qualify — the DBA's domain experience only counts if they were actively performing security-relevant database tasks (access control, audit log configuration, encryption of data at rest).
Domain-specific experience examples
Here's what counts for three of the most commonly claimed domains:
Domain 1 (Security and Risk Management):
Conducting formal risk assessments using documented methodologies
Developing or implementing information security policies
Managing compliance programs against regulatory frameworks (HIPAA, PCI-DSS, SOX)
Preparing or presenting security risk reports to executive leadership
Business continuity or disaster recovery planning with documented deliverables
Domain 4 (Communication and Network Security):
Designing or implementing network segmentation for security purposes
Configuring and managing firewalls, VPNs, or IDS/IPS systems
Evaluating or selecting network security technologies
Performing network security assessments with documented findings
Domain 7 (Security Operations):
Operating a security operations center or incident response team
Conducting forensic investigations with legal chain of custody documentation
Managing vulnerability management programs with remediation tracking
Physical security management including access control systems
What does not count toward CISSP experience
This is where applications get rejected. ISC2 is specific about what does not qualify:
Unpaid internships — If you weren't compensated, it doesn't count, regardless of how much security work you did
Student projects or academic labs — University lab work, capstone projects, and thesis research are excluded
Volunteer work — Helping a nonprofit with their security program pro bono doesn't count, even if the work was identical to paid work
Security-adjacent IT roles without direct security duties — A helpdesk technician who reset passwords and occasionally helped with phishing reports cannot claim full security operations experience
Training and certifications — Studying for CISSP or completing security courses is not experience
Self-study projects — Building a home lab, practicing CTF challenges, or creating personal security tools does not qualify
Part-time work at full credit — Part-time work counts only proportionally. Six months of half-time security work counts as three months of full-time equivalent experience
Two real-world rejection cases illustrate this. David, a systems administrator with eight years of experience, failed his endorsement application because his job title was "Sysadmin" and his employer only documented IT work, not security-specific work. His security duties weren't reflected in his official job description. He reapplied six months later with a letter from his manager specifically describing his firewall management, patch management oversight, and security audit support — and was approved. Jennifer, a recent computer science graduate, attempted to count her university capstone project (a security assessment of her campus network) toward the experience requirement. ISC2 rejected it because it was academic work, not paid employment.
The ISC2 Associate path: exam first, experience later
If you pass the CISSP exam but don't yet have the required experience, you become an ISC2 Associate. This is a formal status with specific rules:
You have six years from your exam pass date to accumulate the required experience
During that six years, you're listed as an "ISC2 Associate" — you cannot call yourself a CISSP
ISC2 requires you to pay annual maintenance fees as an Associate ($35/year vs $125/year for CISSPs)
You must still comply with the ISC2 Code of Ethics as an Associate
Once you have qualifying experience, you submit your endorsement application and, if approved, become a CISSP
The 6-year Associate path deadline is firm. If you pass the exam and become an Associate but fail to complete the experience and endorsement process within six years, your Associate status lapses. You would then need to retake the exam from the beginning — the exam pass does not remain valid indefinitely. Candidates who take the exam early in their careers and then fail to maintain momentum on their endorsement application are at real risk of missing this window.
The Associate path makes sense for candidates who have passed but are early in their careers — typically those with three to four years of experience who expect to hit the five-year mark within a few years. It's less appropriate for candidates who are just beginning their security careers, since six years is a long time to maintain an inactive credential while building experience.
"The ISC2 Associate designation is underused and underappreciated. It lets you get the hard part — passing the exam — done while you're in study mode, then build the experience over time. The alternative is waiting until you have the experience and then studying, which means your exam prep competes with a full-time job." — Phil Martin, CISSP holder and security awareness trainer
The endorsement process step by step
After passing the exam, the experience endorsement process works as follows:
Complete the online endorsement application in your ISC2 candidate portal within nine months of passing the exam
Document your work experience, including employer names, dates of employment, and job titles
Describe your specific security duties for each position, mapping them to the eight CISSP domains
Identify an endorser — an active CISSP in good standing who can verify your experience
Your endorser reviews your application and either approves or declines to endorse
ISC2 receives the endorsed application and reviews it
The ISC2 endorsement review typically takes 4-6 weeks after submission. During peak periods (especially after large exam windows), review times can extend to 8 weeks. If you submitted a complete application and haven't heard back after 6 weeks, ISC2's certification team accepts status inquiries by email.
ISC2 may request additional documentation, letters from employers, or clarification on specific experience claims. This request-for-information step adds another 2-4 weeks to the process. Candidates who provide specific, detailed duty descriptions at the initial application stage have fewer requests for additional information.
Finding an endorser
Your endorser must be an active, certified ISC2 member in good standing — meaning their own certification is current and they're not under any ethics violation process. Common sources for endorsers:
A manager or director who holds a CISSP
A colleague in a CISSP study group who has already certified
A mentor from a professional security organization (ISACA, ISSA, OWASP chapter)
ISC2 chapter contacts (ISC2 operates local chapters that can sometimes connect candidates with willing endorsers)
If you genuinely cannot find an endorser, ISC2 itself can serve as your endorser. This option requires more documentation and takes longer than the standard endorsement process — typically 4-8 additional weeks — but it's available for qualified candidates who lack the professional network to find an endorser. ISC2 reviews the application independently when acting as endorser, applying the same criteria any endorser would.
Documenting experience across multiple employers
Most CISSP candidates have worked at more than one employer. Here's how to structure that documentation effectively:
List each employer separately with exact start and end dates
For each employer, identify which CISSP domains your work covered
Write 3-5 sentences per domain per employer describing your specific duties — not generic job description language
Request letters from former employers if possible, especially if your job title doesn't reflect security responsibilities
Include contract work and independent consulting with client descriptions and deliverables
Document part-time work with the actual hours worked to support the full-time equivalent calculation
The ISC2 application system guides you through this, but be specific in your descriptions. Vague entries like "performed security tasks" get flagged. Specific entries like "conducted quarterly vulnerability scans using Nessus, triaged findings, and tracked remediation to closure in our ticketing system" are what the reviewers want to see.
Domain coverage requirements: do you need experience in 2+ domains?
Yes — the requirement explicitly states "two or more of the eight domains." However, ISC2 doesn't specify how much experience must come from each domain or whether the experience needs to be evenly distributed.
A candidate with four years of network security experience (Domain 4) and one year of security operations experience (Domain 7) meets the two-domain requirement. A candidate with four years of pure helpdesk work and one year of SIEM monitoring might struggle to demonstrate two full domains.
Most successful applicants find they have experience in three to four domains even if they weren't thinking about it that way:
Security operations center work covers Domain 7
The same work often involves Domain 6 (assessment and testing) when they conduct vulnerability scans
Policy development for those same operations touches Domain 1
Network configuration in support of security touches Domain 4
Review your actual work history against the eight domain descriptions before concluding you only have experience in one domain. Security work tends to span multiple domains by nature.
Common documentation mistakes that delay endorsement
Job title mismatch: Your title says "IT Analyst" but you're claiming security experience. A detailed duty description or employer letter resolves this.
Gap in employment without explanation: If you were unemployed or between contracts, note this explicitly rather than leaving a timeline gap.
Claiming non-security IT work as security experience: Routine system administration without security focus doesn't qualify.
Incomplete domain mapping: Describing your work without explicitly tying it to domain language. Use domain-specific vocabulary in your descriptions.
Endorser who is not currently active: Your endorser's CISSP must be current. If they let it lapse, they can't endorse you — verify their status before submitting.
Submitting more than 9 months after passing: The application window is nine months from the exam pass date. Missing this deadline requires contacting ISC2 to request an extension, which is not guaranteed.
Common Role Titles and Domain Mapping
The ISC2 endorsement reviewers look for specific patterns of experience that map to the eight CISSP domains. Our cert research team compiled the following mapping from common security-adjacent IT titles to the domains they most frequently cover.
| Job Title | Primary Domain(s) | Secondary Domain(s) | Notes on Qualification |
|---|---|---|---|
| SOC Analyst (Tier 1/2) | 7 (Security Operations) | 6 (Assessment), 4 (Network Security) | Qualifies if documented alert triage, IR, and tool operation |
| Incident Response Analyst | 7 (Security Operations) | 1 (Risk Management) | Strong fit; document specific investigations |
| GRC Analyst | 1 (Security and Risk Management) | 2 (Asset Security) | Fit depends on documented risk assessments |
| Security Engineer | 3 (Architecture), 4 (Network) | 5 (IAM), 7 (Operations) | Often covers 3-4 domains |
| Penetration Tester | 6 (Assessment and Testing) | 3 (Architecture), 8 (SDLC) | Document authorized engagements, not CTF |
| Cloud Security Engineer | 3 (Architecture), 4 (Network), 7 (Ops) | 5 (IAM), 8 (SDLC) | Strong multi-domain coverage |
| IT Auditor | 1 (Risk Management), 6 (Assessment) | Varies | Must document security-specific audits |
| Systems Administrator (pure) | Limited | 5 (IAM) if AD work, 7 (Ops) if SIEM | Often does not qualify without specific security work |
| Network Engineer | 4 (Network Security) | 3 (Architecture) | Qualifies if documented security-specific work |
| DevSecOps Engineer | 8 (SDLC), 3 (Architecture) | 5 (IAM), 7 (Operations) | Document security-gate work specifically |
The domain mapping shows why certain roles convert smoothly to CISSP while others require careful documentation. A pure systems administrator often struggles because day-to-day work is infrastructure operations, not security -- even if the environment is security-relevant. The fix is a manager letter explicitly describing the security duties that were performed within the broader role.
"ISC2's 2024 endorsement data showed that roughly 18% of first-time endorsement applications required additional documentation requests. The most common reason was insufficient specificity in duty descriptions -- applications that described generic IT work rather than documented security-specific activities mapped to named domains. Applications that used ISC2's domain vocabulary explicitly in duty descriptions were approved on first review at significantly higher rates." [3] -- ISC2, CISSP Endorsement Process Annual Review 2024, ISC2, 2024
Part-Time, Contract, and Consulting Experience
The experience calculation can be confusing when candidates have non-traditional work history. The rules:
Part-time work: Counts proportionally. 20 hours per week for 12 months equals 6 months of full-time equivalent experience.
Contract and consulting work: Counts at the documented hours worked. Invoices, statements of work, or 1099 tax documentation support the claim.
Overlapping roles: When two roles overlap in time, you can claim hours from both but not double-count the same time period. 40 hours per week at Job A plus 10 hours per week at Job B counts as 1.25 FTE for that period.
Internal transitions within a single employer: A candidate who moved from help desk to security analyst at the same company can claim security experience starting from the transition date, not from the original hire date.
Military security work: Counts fully if documented through DD-214 forms or equivalent service records that describe security duties.
Military and government security work often qualifies immediately because the duty assignments are formally documented in service records. Candidates transitioning from active duty to civilian security work should request their service records (SMART transcript for Navy, AARTS for Army, CCAF transcript for Air Force) as supporting documentation.
Impact of Holding Related Credentials
ISC2 maintains a list of approved credentials, any one of which reduces the CISSP experience requirement by one year. As of 2025, the approved list includes:
ISC2 credentials: CCSP, CSSLP, CAP/CGRC, HCISPP, SSCP
ISACA credentials: CISA, CISM, CGEIT, CRISC
CompTIA credentials: CASP+ (CompTIA Advanced Security Practitioner), CySA+ (CompTIA Cybersecurity Analyst)
Cisco credentials: CCIE Security
GIAC credentials: GIAC Security Essentials (GSEC), GIAC Certified Incident Handler (GCIH), GIAC Security Leadership (GSLC), and several others
SABSA credentials: SABSA Chartered Security Architect (SCF, SCP, SCM, SCA)
Other credentials: CFR (Cyber First Responder), various advanced IT credentials
The one-year waiver is not cumulative -- holding three qualifying credentials does not reduce the requirement to two years. The maximum reduction is one year regardless of how many qualifying credentials you hold or whether you also have a four-year degree.
Special Considerations for International Candidates
CISSP candidates outside the United States face additional considerations:
Degree equivalency: Regional degree equivalents generally satisfy the four-year degree waiver. ISC2 accepts bachelor's degrees from accredited institutions globally.
Language of documentation: Primary application and endorsement documentation must be in English. Non-English employer letters should be professionally translated.
Currency conversion: Exam fees and maintenance fees are billed in USD. International candidates should budget for currency fluctuation.
Local endorsers: ISC2 has active chapters in 40+ countries. Local chapter meetings are a reliable source of endorsers for candidates in markets where CISSP is established.
Experience documentation: Government and military roles in other countries are generally accepted, but additional documentation may be requested to verify duties.
"ISC2's 2024 Cybersecurity Workforce Study covering 14,865 professionals across 15 countries found that 25% of CISSP holders outside the United States earned the credential through the ISC2 Associate pathway -- passing the exam early in their careers and completing the experience requirement within the 6-year window. This pathway is particularly common in markets where security careers start after formal IT foundations are laid." [4] -- ISC2, 2024 Cybersecurity Workforce Study, ISC2, 2024
Maintenance After Endorsement
Once endorsed and credentialed, CISSP holders face ongoing requirements:
Annual Maintenance Fee: $135 per year (as of 2025).
CPE Requirements: 120 CPEs over a 3-year cycle with a minimum of 40 CPEs earned in year one of each cycle.
Group A CPEs: At least 80 of the 120 CPEs must be Group A (directly related to the CISSP CBK). The remaining 40 can be Group B (professional development).
Code of Ethics adherence: Annual attestation required.
CPE sources include ISC2 Think Tank webinars (free for members), vendor training, conference attendance, teaching, writing, and industry association activity. Most CISSP holders meet the 40 CPE annual minimum through webinars and conference attendance without specific effort.
References
ISC2. (2024). CISSP Experience Requirements. https://www.isc2.org/certifications/cissp/experience-requirements
ISC2. (2024). ISC2 Associate Program. https://www.isc2.org/associate
ISC2. (2024). CISSP Endorsement Process. https://www.isc2.org/certifications/cissp/endorsement
Gordon, A. (2021). The Official ISC2 CISSP CBK Reference, 5th Edition. Wiley. ISBN: 978-1119790006
Chapple, M., & Seidl, D. (2022). CISSP Official Study Guide, 9th Edition. Sybex. ISBN: 978-1119786153
Harris, S., & Maymi, F. (2022). CISSP All-in-One Exam Guide, 9th Edition. McGraw-Hill. ISBN: 978-1260467376
[3] ISC2. (2024). CISSP Endorsement Process Annual Review 2024. ISC2.
[4] ISC2. (2024). 2024 Cybersecurity Workforce Study. ISC2. https://www.isc2.org/research
ISC2. (2024). Approved Credentials List for Experience Waiver. ISC2.
ISC2. (2024). CPE Policy Handbook. ISC2.
