The CISSP Experience Waiver

June 27, 2019 by Aroosa Ashraf

CISSP Experience Waiver

Certified Information Systems Security Professional (CISSP) is an independent information security certification issued by the International Information System Security Certification Consortium, (ISC)². (ISC)² is a non-profit professional organization that is an integral part of the cyber-security field. You frequently encounter the term CISSP in the job descriptions of cyber-security positions.

CISSP is an important certification, as many employers insist that job applicants hold it, even for jobs for which CISSP certification would not usually be required. Not having CISSP can therefore become a serious problem for job seekers, and an understandable source of resentment, even when they already have the qualifications the advertised position actually requires.

The CISSP Requirements

Getting CISSP certification usually requires you to pass a six-hour examination. Passing it confirms that you are competent enough to handle the information system security of any organization. In other words, it certifies that you have the knowledge to lead an organization in meeting the growing challenge of information system security. This is somewhat different from being experienced and skilled in all of the technical responsibilities that the role of information system security manager requires, which is why the CISSP is made mandatory for such positions.

CISSP Experience Requirement

A tricky part of CISSP is the experience requirement. You must have a minimum cumulative work experience of five years of full-time employment in two or more of the CISSP common body of knowledge (CBK) domains, of which there are eight. The eight domains are:

  • Security and risk management
  • Asset security
  • Security engineering
  • Communications and network security
  • Identity and access management
  • Security assessment and testing
  • Security operations
  • Software development security

CISSP Policy for Experience Waiver

A CISSP candidate is allowed an experience waiver of one year in the following circumstances:

Based on educational qualifications, the candidate can get a waiver of at most one year of work experience as a direct full-time security professional. This requires an educational qualification such as a four-year degree from a recognized college or its regional equivalent. An advanced degree in information security from a US National Center of Academic Excellence in Information Assurance Education (CAE/IAE) can also be considered.

An experience waiver is also considered if the candidate holds an additional (ISC)²-approved credential from the following list:

Valid experience includes information systems security-related work performed as a practitioner, auditor, consultant, investigator, or instructor that requires information security knowledge and involves the direct application of that knowledge. The five years of experience must be the equivalent of actual full-time information security work (not merely having information security responsibilities for a five-year period). The requirement is cumulative, however, and may be accrued over a much longer period of time.

A one-year professional experience waiver is also applicable if the candidate possesses an additional (ISC)² credential from the approved list.

CISSP and CEH

The CEH is a somewhat lesser version of CISSP covering mostly pen testing, and it requires only two years of security experience compared to five years in the case of the CISSP. CISSP also covers a host of knowledge across ten broad security domains. CEH has a significantly higher pass rate (93%) and does not involve the rigorous procedures (ISC)² follows to evaluate and audit the CISSP examination (which has a pass rate of 70%).

CISSP requires you to commit to a code of ethics, which calls on you to keep on learning even after getting your certification, or your certification will expire. This is a sensible requirement considering the ideal role of the CISSP certification. As a CISSP certificate holder, you should possess deep knowledge and experience of the technical and managerial aspects of information security, so that you can engineer, design, and manage the whole security posture of any organization. CISSP, however, does not certify specialization in any specific technical skill set of cyber-security.

CISSP and CISM

Certified Information Security Manager (CISM) is a security certification that is highly valued around the world. As per ISACA, CISM is ideal for candidates who have progressed beyond the focus of the practitioner, and it does not emphasize technical skills or specialist knowledge. CISM professionals have usually moved on to managing the organization's information security program.

The CISSP certification, on the other hand, is ideal for individuals looking for an information security career. CISSP and CISM have a special correlation, as the CISM is more of a certification of management while the CISSP is a certification of technical knowledge.

CISM certification is recommended for information security professionals looking to steer their career into management. Individuals holding CISM or CISSP certifications are knowledgeable enough to be decision makers in information security management. Overall, the CISSP certification focuses on the operational side of information security, whereas the CISM certification focuses on the strategic side.

So, if you want to focus more on the technical side of information security, it is better to go for the CISSP, while if you think you are better off on the management side, you should opt for CISM certification. The CISM examination focuses more on how information security can help an organization achieve its business objectives, so it concentrates on security investments, returns, and budgets.

CISSP and CISA

The Certified Information Systems Auditor (CISA) certification focuses on the auditing of information systems and requires a minimum of five years of full-time work experience in information security. Getting a CISSP certification is not a walk in the park and requires serious preparation; CISA is regarded as much less technical. If you want to pursue a career in auditing processes and systems, then CISA is a good option for you.

CISSP certification is for individuals looking for a career in information security or IT. CISA professionals mostly perform auditing, while CISSP focuses on security issues. In that sense, CISA and CISSP have very few similarities. The CISSP examination is much tougher, though, and is often challenging even for experienced IT professionals.

CISSP and Security+

Security+ is a U.S. government-approved security certification that meets the ISO 17024 standard and is compliant with government regulations under the Federal Information Security Management Act (FISMA). The Security+ credential is also recognized globally. Security+ is supported by industry and is maintained and developed by leading IT professionals. The Security+ examination content is designed using feedback from industry-wide surveys.

The Security+ certification from CompTIA covers network and operation security, network compliance, network vulnerabilities and threats, as well as data, host, and application security. The certification also includes cryptography, identity management, and access control.

Security+ is run by the Computing Technology Industry Association (CompTIA), the association that represents the international technology community. The goal of CompTIA is to provide global advocacy, a unified voice, and leadership, and to advance the growth of the security industry through education, professional competence, standards, and business solutions.

Compared to Security+, the CISSP is a much more acclaimed certification because of the difficulty of obtaining it. To be CISSP-certified, you need a practical understanding of information security concepts, not just memorized facts.

The CISSP CBK covers more concepts than the Security+ certification, and the CISSP examination process is long and detailed. The Security+ examination, on the other hand, is quite similar to general computer-based certification examinations.

IT security is vital to organizations given the growing trend of cloud computing and the use of mobile devices to conduct business. The massive amounts of information transmitted and stored on networks throughout the world make efficient and effective security practices essential.

Certified professionals holding CISSP, CISA, CISM, Security+, CEH, or CAP are in high demand, as they have the skills required to secure the networks carrying huge amounts of data and to deter cyber-attackers from obtaining that valuable information (CISM on the managerial side and CISA on the auditing side).

All of these certifications can land you high-paying jobs with salaries close to $100,000 per year, which makes the strenuous effort of obtaining them worthwhile. Individuals holding CISA or CISSP certifications usually receive job offers from multiple organizations.




Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She graduated in 2013. She is an experienced researcher and technical writer and has been working as a writer on different platforms for the last four years. Currently, she writes technical and non-technical articles for her national and international clients.
