The CISSP Experience Waiver [updated 2021]

March 24, 2021 by Greg Belding

What is CISSP?

The Certified Information Systems Security Professional, or CISSP, is an information security certification offered by the International Information System Security Certification Consortium, or (ISC)². To earn it, candidates must meet a professional experience requirement that is steep compared with most other information security certifications. Fortunately, candidates can satisfy part of that requirement through the CISSP experience waiver.

If the CISSP professional experience requirement seems daunting, this article will help you determine whether you can waive some of it.

A little about CISSP

The CISSP certification is for cybersecurity professionals who want to go above and beyond incident response and other foundational cybersecurity skills. This certification verifies that the certification holder can design, implement and manage an effective, best-in-class cybersecurity program.

In December 2017, (ISC)² moved all English-language CISSP exams to Computerized Adaptive Testing, or CAT. The CAT format is shorter than the older linear exam in both duration and number of items, but it still covers the full spectrum of CISSP domains of knowledge. Below are the key exam details and domains of knowledge for the CAT CISSP exam as of 2021:

Exam details

  • Exam length: 3 hours
  • Number of questions: 100 to 150
  • Question format: multiple-choice and advanced, innovative questions
  • Passing score: 700 out of 1000
  • Testing centers: (ISC)² authorized Pearson Professional Centers (PPC) and selected Pearson VUE testing centers

CISSP CBK domains

Below are the current CISSP domains of knowledge and the weight of each on the exam:

  1. Security and risk management 15%
  2. Asset security 10%
  3. Security architecture and engineering 13%
  4. Communication and network security 13%
  5. Identity and access management (IAM) 13%
  6. Security assessment and testing 12%
  7. Security operations 13%
  8. Software development security 11%

CISSP experience requirement

As mentioned earlier, candidates must satisfy an experience requirement to earn the CISSP. The standard requirement is at least five years of cumulative, paid work experience in two or more of the eight CISSP CBK domains. Because experience in any of the eight domains counts, the certification applies to a wide variety of cybersecurity roles.

This certification is helpful for many cybersecurity roles:

  • Chief information security officer
  • Chief information officer
  • Director of security
  • IT director/manager
  • Security systems engineer
  • Security analyst
  • Security manager
  • Security auditor
  • Security architect
  • Security consultant
  • Network architect

Despite this flexibility about which work counts, five years of cumulative paid experience is prohibitive for some candidates and burdensome for many. That said, it reflects the intent of the certification: it is aimed at professionals who have invested at least five years in their careers. Fortunately, candidates who fall somewhat short of the requirement still have a way to meet it.

The CISSP experience waiver

CISSP candidates can use the experience waiver to reduce the requirement by one year, either by holding a four-year college degree (or regional equivalent) or by holding one of the credentials on the (ISC)² approved list. Much as double dipping is frowned upon in polite company, the waiver satisfies at most one year of the requirement: if you hold both a four-year degree and an approved credential, you still receive only a single year of credit. The remaining four years must come from paid work experience in the CBK domains.

Here is the list of (ISC)² approved credentials that satisfied the CISSP experience waiver at the time of writing. (ISC)² revises this list, so confirm your credential against the current list on the (ISC)² website before relying on it:

  • CCSP (Cisco Certified Security Professional)
  • CCNP Security (Cisco Certified Network Professional Security)
  • CERT Certified Computer Security Incident Handler (CSIH)
  • Certified Business Continuity Planner
  • Certified Computer Crime Investigator (Advanced) (CCCI)
  • Certified Computer Crime Prosecutor
  • Certified Computer Examiner (CCE)
  • Certified Forensic Computer Examiner (CFCE)
  • Certified Fraud Examiner (CFE)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Internal Auditor (CIA)
  • Certified Protection Professional (CPP)
  • Certified Wireless Security Professional (CWSP)
  • CIW Web Security Associate
  • CIW Security Analyst
  • CIW Web Security Professional
  • CIW Web Security Specialist
  • CompTIA Security+
  • Cyber Security Forensic Analyst (CSFA)
  • GIAC Certified Enterprise Defender (GCED)
  • GIAC Security Essentials Certification (GSEC)
  • GIAC Certified Firewall Analyst (GCFW)
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Certified Windows Security Administrator (GCWN)
  • GIAC Certified UNIX Security Administrator (GCUX)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Security Leadership Certification (GSLC)
  • GIAC Systems and Network Auditor (GSNA)
  • GIAC ISO-27000 Specialist (G2700)
  • GIAC Certified Forensics Examiner (GCFE)
  • GIAC Information Security Professional (GISP)
  • GIAC Information Security Fundamentals (GISF)
  • GIAC Certified Penetration Tester (GPEN)
  • Information Security Management Systems Lead Auditor (IRCA)
  • Information Security Management Systems Principal Auditor (IRCA)
  • Microsoft Certified IT Professional (MCITP)
  • Microsoft Certified Systems Administrator (MCSA)
  • Microsoft Certified Systems Engineer (MCSE)
  • Master Business Continuity Planner (MBCP)
  • Systems Security Certified Practitioner (SSCP)

Attaining the CISSP certification

The CISSP is a versatile cybersecurity certification that requires at least five years of cumulative, paid work experience in at least two of the eight domains of knowledge. Candidates can waive one of those years through the CISSP experience waiver. A single year is not a large reduction, but it may be enough to get you over the threshold so you can pursue the certification.

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.