
CCSP Prerequisites & Eligibility

The CCSP is a gated cloud-security credential — you cannot simply book it and be certified. You need five years of cumulative paid IT experience, three of them in security and one in a cloud-security domain. Here is exactly what counts, the shortcuts that waive it, the Associate route for those without the experience, and the endorsement step at the end.

  • Formal prereqs: Yes
  • Experience: 5 years
  • In security: 3 years
  • In cloud: 1 year
  • CISSP: Waives all

01 The short answer

To be certified CCSP you need five years of cumulative, paid work experience in IT — three of those years in information security, and one in one or more of the six CCSP domains. Two shortcuts change the picture: holding a current CISSP waives the entire experience requirement, and if you have none of the experience yet you can still pass the exam first and become an Associate of ISC2 while you earn it.

This is what sets the CCSP apart from a standard cloud certification — there is no “just sit the exam and you are done” route to the full credential. You pass the exam, you attest to your experience, an existing member endorses you, and only then are you certified. The requirements are stacked, but each layer is well-defined, and the CISSP and Associate routes give two clear ways around the experience bar.

Five years cumulative IT experience (Required)

A minimum of five years of paid, full-time (or equivalent part-time) work experience in information technology — the broad base the other two layers sit inside.

Three of those years in information security (Required)

Within the five years, at least three must be specifically in information security — not general IT operations or development.

One year in a CCSP domain (Required)

At least one year must fall in one or more of the six domains of the CCSP Common Body of Knowledge — i.e. genuine cloud-security work.

02 The experience breakdown

The five-year figure is not five separate requirements — it is one total experience pool with conditions on how it is composed. The three years of security and one year of cloud both count inside the five, they are not added on top. Here is the full matrix, including the substitutions that can shave time off.

| Requirement | Amount | Notes |
| --- | --- | --- |
| Cumulative IT experience | 5 years total | Paid, full-time or equivalent; the umbrella the other two layers sit within. |
| Information-security experience | 3 years (of the 5) | Counts inside the five years, not on top — must be security-specific work. |
| CCSP-domain experience | 1 year (of the 5) | In one or more of the six CCSP CBK domains — real cloud-security work. |
| CISSP substitution | Waives all 5 years | A current ISC2 CISSP satisfies the entire experience requirement. |
| CSA CCSK substitution | Waives 1 cloud year | The CCSK certificate can substitute for the one-year cloud-domain requirement. |

The one year of cloud experience is the part people lack. Plenty of candidates have five years in IT and three in security — but the single year in an actual CCSP domain is the bottleneck. That is precisely the slice the CCSK certificate is allowed to substitute for, which is why it pairs so well with the CCSP.

The substitutions do not stack to zero. The CCSK only ever covers one year, and only the cloud-domain year — it does not waive the broader three-year security or five-year IT totals. Only the CISSP removes the whole requirement. Always confirm the current rules on ISC2's site before you rely on a waiver.

03 The shortcuts — CISSP, CCSK & the Associate route

If the full five years feels distant, you have more options than the experience matrix alone suggests. These are the recognised ways to qualify faster — or to sit the exam now and qualify later.

Hold a current CISSP (Waives all)

An active ISC2 CISSP satisfies the entire CCSP experience requirement — pass the exam and you can be certified without separately documenting five years.

Hold the CSA CCSK (Substitutes 1 year)

The Cloud Security Alliance's CCSK certificate substitutes for the one-year cloud-domain requirement — useful if that year is the piece you are missing.

Become an Associate of ISC2 (No experience yet)

No experience at all? Pass the CCSP exam and register as an Associate of ISC2. You then have up to six years to earn the five years of qualifying experience.

Get endorsed (Required either way)

Whichever route you take, an existing ISC2-certified member must endorse your application, attesting your experience claims are accurate, before you are certified.

The CISSP-first play is common. Many cloud-security professionals earn the CISSP first — it both proves the broad security grounding and, as a happy side effect, completely removes the CCSP's experience hurdle. If you are weighing the order, that sequencing is worth a serious look.

04 The path from “eligible” to “certified”

Meeting the experience bar is only the first layer. Here is the full sequence from raw experience to a certificate on the wall.

1. Build the experience

Accumulate the five years — three in security, one in a CCSP domain (or hold a CISSP).

2. Pass the exam

Sit and pass the CCSP exam — you may do this first and qualify later as an Associate.

3. Get endorsed

An ISC2-certified member endorses your experience claims within nine months of passing.

4. Pay the AMF and get certified

Pay the annual maintenance fee, and you are officially certified CCSP.

Endorsement has a clock on it. You complete the endorsement application within nine months of passing the exam. If you cannot find a certified member to endorse you, ISC2 can act as the endorser instead — so a lack of contacts is not a dead end, but do not let the window lapse.

05 Which CCSP route is yours?

The right path depends entirely on how much qualifying experience you already hold. If you are short, the Associate route lets you lock in the exam now and finish the experience later.

You can pursue full CCSP

  • You have five years of IT experience, three of them in security
  • At least one of those years is in a CCSP cloud-security domain
  • Or you simply hold a current CISSP, which waives it all
  • You can have a certified member endorse your claims

Take the Associate route

  • You do not yet have the five years (or the cloud-domain year)
  • Pass the CCSP exam first to prove the knowledge now
  • Register as an Associate of ISC2 and earn the experience after
  • You have up to six years to convert to the full credential

Bottom line: the CCSP's experience requirement is why it carries weight, not a wall you cannot pass. If you are short on the cloud year, the CCSK can bridge it; if you hold the CISSP, it is already handled; and if you have nothing yet, the exam still belongs in front of you via the Associate route.

06 FAQ

What are the prerequisites for the CCSP?

To be certified CCSP you need a minimum of five years cumulative, paid work experience in information technology. Of that, three years must be in information security, and one year must be in one or more of the six domains of the CCSP Common Body of Knowledge. You can also sit the exam first without the experience by becoming an Associate of ISC2, and holding a current CISSP waives the entire experience requirement.

Does CISSP waive the CCSP experience requirement?

Yes. Holding a current ISC2 CISSP credential satisfies the entire CCSP experience requirement. A CISSP holder can pass the CCSP exam and be certified without separately documenting the five years of experience. Earning the CSA CCSK certificate is a smaller substitution: it covers the one-year cloud-domain requirement, but not the whole five years.

Can I take the CCSP exam without any experience?

Yes. If you do not yet have the required experience you can still sit and pass the CCSP exam, then become an Associate of ISC2. As an Associate you have up to six years from your exam date to earn the five years of experience (three in security, one in a CCSP domain) needed to convert to full CCSP.

What is endorsement for the CCSP?

After you pass the exam and confirm you meet the experience requirement, your application must be endorsed by an existing ISC2-certified professional in good standing, who attests that your experience claims are accurate. You complete the endorsement application within nine months of passing; if no one can endorse you, ISC2 can act as endorser. Once endorsed, you pay the annual maintenance fee and become certified.

ExamCert Team: Certified cloud & security pros helping you qualify and pass.