Requirements for CISSP Candidates
The Certified Information Systems Security Professional (CISSP) candidate must have a minimum of five cumulative years of professional (paid), full-time, direct work experience in two or more of the domains listed here.
- Security and Risk Management
- Asset Security
- Security Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
The work experience requirement is a hands-on one — you can’t satisfy the requirement by just having “information security” listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly. Some examples of full-time information security roles that might satisfy the work experience requirement include (but aren’t limited to)
- Security Analyst
- Security Architect
- Security Auditor
- Security Consultant
- Security Engineer
- Security Manager
Examples of information technology roles for which you can gain partial credit for security work experience include (but aren’t limited to)
- Systems Administrator
- Network Administrator
- Database Administrator
- Software Developer
For any of these preceding job titles, your particular work experience might result in you spending some of your time (say, 25 percent) doing security-related tasks. This is perfectly legitimate for security work experience. For example, five years as a systems administrator, spending a quarter of your time doing security-related tasks, earns you 1.25 years of security experience.
Furthermore, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:
- A four-year college degree (or regional equivalent)
- An advanced degree in information security from a U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE)
- A credential that appears on the (ISC)2–approved list, which includes more than 40 technical and professional certifications, such as various SANS GIAC certifications, Cisco and Microsoft certifications, and CompTIA Security+.
In the U.S., CAE/IAE programs are jointly sponsored by the National Security Agency and the Department of Homeland Security.