
CISSP Prerequisites & Eligibility

The CISSP is a gated credential — before you can hold it you must show five years of paid work experience in two or more of the eight security domains. A degree can shave a year off, and the Associate of ISC2 route lets you pass the exam first. Here is exactly what you need, the experience matrix, endorsement, and how to know if you qualify yet.

  • Formal prereqs: Yes
  • Experience: 5 years
  • With a degree: 4 years
  • Domains: 2 of 8
  • No-experience path: Associate

01 The short answer

To hold the CISSP you need five years of cumulative, paid work experience in two or more of the eight CISSP domains. A four-year college degree or an approved credential from the ISC2 list waives one of those years, bringing it down to four. If you do not have the experience yet, you can still sit and pass the exam first — the Associate of ISC2 route — then earn the experience afterwards.

This is what separates the CISSP from a “just book it and sit” cloud exam — it is built to certify experienced practitioners, not newcomers. You can take the test at any time, but the title “CISSP” is only granted once your experience is verified and an existing certified professional endorses you. The good news: most working security professionals already meet the bar without realising how it is counted.

The reason the experience requirement matters so much is that it is the single thing most people get wrong about the CISSP. They assume it works like a vendor exam — pay, study, pass, done — and only later discover that passing is just one of three gates. The other two are the experience itself and the endorsement that verifies it. Understanding all three up front saves you from a passed exam that quietly expires because you never lined up the rest.

Five years of paid security experience (Required)

Cumulative, paid work experience in two or more of the eight domains of the CISSP Common Body of Knowledge, full-time or its part-time/hourly equivalent.

Pass the CISSP exam (Required)

You can sit the exam before or after meeting the experience requirement. Passing is required either way, and the pass stays valid while you earn experience on the Associate route.

An ISC2 endorser lined up (Recommended)

An existing ISC2-certified professional must endorse your application. Knowing who will vouch for you before you pass saves weeks; alternatively, ISC2 can act as your endorser.

02 The experience requirement, in detail

The whole eligibility question comes down to one number: five years. What changes that number is your education and how you choose to approach the exam. These are the standard situations — in all cases the experience must be paid and fall within two or more of the eight domains.

A few details on how the five years are counted. The experience is cumulative, so it does not need to be continuous — gaps between roles are fine, and time at different employers stacks. It is measured by a working week: roughly full-time hours over a four-week period earns you one month of credit, and part-time or contract work can count on a pro-rata basis. Internships and paid placements count too, provided the work genuinely sat within the domains. What does not count is unpaid volunteering or coursework on its own — the requirement is paid, professional work.

| Your situation | Experience needed | Notes |
|---|---|---|
| No degree (experience only) | 5 years (cumulative, paid) | The full requirement, in 2 of 8 domains |
| Four-year degree or regional equivalent | 4 years (one year waived) | Degree satisfies one year |
| Approved credential from the ISC2 list | 4 years (one year waived) | Only one year can be waived; it does not stack with a degree |
| Associate of ISC2 (no experience yet) | Pass now, earn within 6 years | Become an Associate, then build the 5 years |

What counts as “the 8 domains” experience? The eight domains are Security & Risk Management, Asset Security, Security Architecture & Engineering, Communication & Network Security, Identity & Access Management, Security Assessment & Testing, Security Operations, and Software Development Security. You only need work in two of them, so a network engineer who also handles access control, or a developer who does secure coding plus assessment, usually qualifies. It is the work that counts, not the job title.

One year, not two. The degree-or-credential waiver removes a single year only. Holding both a four-year degree and an approved credential still waives just one year; you cannot drop to three. Also note that ISC2 trimmed its approved-credential list in 2026, so confirm yours still qualifies before relying on it.

03 The Associate of ISC2 path

This is the route for people who can pass the exam but do not yet have the five years. You sit the same exam, pass it, and instead of becoming a full CISSP you become an Associate of ISC2 while you accumulate the experience. It is the same test, the same passing standard, and the same study — the only difference is what you are awarded at the end and how long you have to finish qualifying. Here is how it works.

Step 1: Pass the exam first

You take and pass the full CISSP exam without needing the experience up front; the pass is what unlocks Associate status.

Step 2: Become an Associate of ISC2

You hold Associate status and have up to six years from the pass date to earn the five years of qualifying experience.

Ongoing: Pay the AMF and keep CPE current

While you build experience you maintain Associate status by paying the annual maintenance fee and earning CPE credits each year, just like a full member.

Finish: Convert to full CISSP

Once you have the experience, you submit it, complete endorsement, and convert from Associate to fully certified CISSP.

Why it is worth it: the Associate route lets you sit while the material is fresh — right after a prep course — instead of waiting years. You lock in the hardest part (the pass) and let the experience clock run in the background.

04 The path from “passed” to “certified”

Passing the exam is a milestone, not the finish line. Here is the full sequence that turns a pass into the letters after your name. Depending on which route you take, you may do these steps in a different order — experienced candidates often build the years first and pass last, while Associate-route candidates pass first and earn the experience after — but every CISSP completes all four.

1. Build domain experience

Accumulate five years of paid work in two or more of the eight domains.

2. Pass the exam

Sit and pass the CISSP, before or after the experience, via the Associate route if needed.

3. Get endorsed

An ISC2-certified professional verifies your experience, or ISC2 acts as endorser.

4. Pay the AMF and become certified

Pay the annual maintenance fee and you officially hold the CISSP.

Endorsement has a clock too. You must complete the endorsement step within nine months of passing the exam. Line up an endorser early, or use the ISC2-as-endorser option; do not let a passed exam expire because you left this to the last minute.

05 Which route is right for you?

The deciding factor is simple: do you already have the experience, or are you building toward it? Neither path is “better” — they just start in different places.

You can pursue full CISSP now

  • You have 5+ years of paid security experience (or 4 with a degree/credential)
  • Your work spans two or more of the eight domains
  • You can evidence it and line up an ISC2 endorser
  • You pass, get endorsed, and are certified straight away

Take the Associate route

  • You can pass the exam but do not have the five years yet
  • You become an Associate of ISC2 and earn experience within six years
  • You keep status with the annual fee and CPE credits
  • You convert to full CISSP once the experience is in

Bottom line: the CISSP's experience requirement is why it carries weight; it certifies practitioners, not test-takers. If you have the years, certify now; if you do not, pass first as an Associate and let the clock run.

06 FAQ

What are the prerequisites for the CISSP?

To become a CISSP you need a minimum of five years of cumulative, paid work experience in two or more of the eight domains of the CISSP Common Body of Knowledge. A four-year college degree or an approved credential from the ISC2 list can waive one year, reducing the requirement to four years. After you pass the exam and meet the experience, an existing ISC2-certified professional must endorse your application before you are fully certified.

Can you take the CISSP without experience?

Yes. You can sit and pass the CISSP exam before you have the experience by taking the Associate of ISC2 route. Once you pass, you become an Associate of ISC2 and have up to six years to earn the required five years of experience. During that window you keep your status by paying the annual maintenance fee and earning CPE credits, and once you have the experience you complete the endorsement to become a full CISSP.

Does a degree reduce the CISSP experience requirement?

Yes. A four-year college degree, a regional equivalent, or an approved credential from the ISC2 list satisfies one year of the required experience, cutting the requirement from five years to four. Only one year can be waived; it does not stack, so holding both a degree and an approved credential still removes only a single year.

What is endorsement and why do I need it?

Endorsement is the final verification step. After you pass the exam and have the required experience, an existing ISC2-certified professional in good standing must vouch for your work history by endorsing your application. If you do not know anyone who can endorse you, ISC2 can act as your endorser. You complete endorsement within nine months of passing, then pay the annual maintenance fee to be certified.

ExamCert Team: Certified security & cloud pros helping you qualify and pass.