Requirements for CISSP Candidates

By Lawrence C. Miller, Peter H. Gregory

The Certified Information Systems Security Professional (CISSP) candidate must have a minimum of five cumulative years of professional (paid), full-time, direct work experience in two or more of the domains listed here.

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

The work experience requirement is a hands-on one — you can’t satisfy the requirement by just having “information security” listed as one of your job responsibilities. You need to have specific knowledge of information security — and perform work that requires you to apply that knowledge regularly. Some examples of full-time information security roles that might satisfy the work experience requirement include (but aren’t limited to)

  • Security Analyst
  • Security Architect
  • Security Auditor
  • Security Consultant
  • Security Engineer
  • Security Manager

Examples of information technology roles for which you can gain partial credit for security work experience include (but aren’t limited to)

  • Systems Administrator
  • Network Administrator
  • Database Administrator
  • Software Developer

For any of these preceding job titles, your particular work experience might result in you spending some of your time (say, 25 percent) doing security-related tasks. This is perfectly legitimate for security work experience. For example, five years as a systems administrator, spending a quarter of your time doing security-related tasks, earns you 1.25 years of security experience.

Furthermore, you can get a waiver for a maximum of one year of the five-year professional experience requirement if you have one of the following:

  • A four-year college degree (or regional equivalent)
  • An advanced degree in information security from a U.S. National Center of Academic Excellence in Information Assurance Education (CAE/IAE)
  • A credential that appears on the (ISC)² approved list, which includes more than 40 technical and professional certifications, such as various SANS GIAC certifications, Cisco and Microsoft certifications, and CompTIA Security+

In the U.S., CAE/IAE programs are jointly sponsored by the National Security Agency and the Department of Homeland Security.