What Counts As CISSP Experience?
The (ISC)2 CISSP is considered one of the most difficult security exams, but not for the reasons you'd think. The CISSP isn't a technical exam. It's a management exam. Some people say it's tough. Others breeze through.
What makes earning the CISSP difficult is the experience requirement. There's nothing stopping anyone from taking the exam. If you pass, however, you'll be caught in a CISSP purgatory (aka CISSP Associate) for up to six years until you get the minimum work experience.
(ISC)2 requires a minimum cumulative five years paid work experience to earn the CISSP — and, yes, they check. But it's not as stringent as it sounds. In this post, we'll dig into the "cumulative" aspect of the experience required for the CISSP.
The easiest way to pass the CISSP process is honest-to-goodness full-time paid security work. It's as simple as that. However, there are other ways to count CISSP experience. Here are a few.
How CISSP Evaluates Work Experience
First, let's discuss how (ISC)2 evaluates work experience. Having a job title with "security" in it will certainly speed up the process. But the absence of that word isn't a deal breaker. (ISC)2 is clear that they're looking for "security work experience," which is easily satisfied in a security role. However, that's distinct from working in a security role.
Luckily, you have the opportunity to explain yourself. In most professional environments, that's accomplished with a strong customized-to-the-position resume. The CISSP experience validation process is no different. When you're pulling together your resume for the CISSP, take time to dig deep into the eight security domains:
Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management (IAM)
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security
You can find the CISSP exam outline here. Taking a look at the domains, you'll notice that (ISC)2 wants to know that you were administering, managing, and designing security for an organization.
For instance, if you're a system administrator at a small organization, then you were regularly handling security (and everything else). That's perfect. By emphasizing your hands-on technical experience with security policies and appliances, you'll probably be fine. (ISC)2 wants to know that you have hands-on experience — even if it didn't take 100 percent of your time.
Part-Time Experience Counts for CISSP
(ISC)2 understands that it takes effort — and sometimes part-time work — to get into the security field. That's why it offers an option to piece together part-time experience for the CISSP. There's an asterisk here. Part-time experience can't be less than 20 hours per week. It also can't be more than 34 hours per week — otherwise, you'd be full-time.
Be specific when submitting part-time work to (ISC)2 — particularly with the number of hours. They will take the total hours you worked part-time and translate them into full-time work based on the 40-hour work week (and 2,080-hour work year).
For instance, 1,040 hours of part-time work is equal to six months of full-time work. Again, you don't have to be in a security role, but part-time experience must still fall into two or more of these eight security domains.
Security Internships Require More Work to Prove
Internships are a great way to add experience to your CISSP application — as long as they're well-documented. Internships can be paid or unpaid, but they still require experience under two or more security domains. If part-time, hours are calculated the same way as part-time experience.
Importantly, internship experience must be accompanied by a letter on a company or organization letterhead that confirms your position. We'd also recommend that your current or former internship supervisor is prepared to field a call from the (ISC)2 for further verification.
Experience Waiver for a Degree or Certification
(ISC)2 will either accept an approved certification or a degree in lieu of one year of work experience, but not both. As with most of the CISSP experience process, there are asterisks here, too.
You can earn a year of work experience with a four-year degree, or specialized advanced degree. To clarify, you either need a four-year degree OR the advanced degree to earn this year. It's a little confusing because most people earn a four-year degree on the way to a master's degree. Either way, you only need four years of work experience with a degree in either category.
(ISC)2 will also waive a year of work experience for anyone holding other security certifications. Here's a partial list of the most popular certifications in the CBT Nuggets course library:
CompTIA Advanced Security Practitioner (CASP)
Again, (ISC)2 doesn't allow double-dipping for experience. CISSP applicants must have at least four years of work experience — even with a four-year degree, advanced degree, or one of the approved certifications.
You're not done, yet
In addition to the passing the exam and validating your experience, you'll also have to find an (ISC)2 sponsor to endorse you. There's a reason the CISSP is one of the most valued security certifications in the industry. It's a lengthy process to earn the CISSP, but once you do — it's worth it.
delivered to your inbox.