Beginning 30 April 2008, members with the affected certification(s) must earn the minimum number of CPEs annually during each year of the three-year certification cycle. Although members may earn more than the minimum CPEs required for credential maintenance for the three-year cycle, they are still required to earn and submit the minimum annual number to maintain their certification in good
What are the new requirements for the CISSP?
Currently, to maintain the CISSP certification, a member is required to earn and submit a total of 120 CPEs by the end of their three-year certification cycle and pay the AMF of US$85 during each year of the three-year certification cycle before the annual anniversary date. With the new changes effective 30 April 2008, CISSPs are required to earn and post a minimum of 20 CPEs (of the 120 CPE certification cycle total requirement) and pay the AMF of US$85 during each year of the three-year certification cycle before the member’s certification or recertification annual anniversary date. For CISSPs who hold one or more concentrations, CPEs submitted for the CISSP concentration(s) will be counted toward the annual minimum CPEs required for the CISSP.
Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP®, or SSCP® exam to have their qualifications endorsed by another CISSP credential holder.
CISSP professional experience includes:
Work requiring special education or intellectual attainment, usually including a liberal education or
Work requiring habitual memory of a body of knowledge shared with others doing similar work.
Management of projects and/or other employees.
Supervision of the work of others while working with a minimum of supervision of one's self.
Work requiring the exercise of judgment, management decision-making, and discretion.
Work requiring the exercise of ethical judgment (as opposed to ethical behavior).
Creative writing and oral communication.
Teaching, instructing, training and the mentoring of
Research and development.
The specification and selection of controls and mechanisms (i.e. identification and authentication technology) (does not include the mere operation of
Applicable titles such as officer, director, manager, leader, supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst, architect, engineer, instructor, professor, investigator, consultant, salesman, representative, etc. Title may include programmer. It may include administrator, except where it applies to one who simply operates controls under the authority and supervision of others. Titles with the words "coder" or "operator" are likely excluded.
Waiver of Experience:
circumstances apply and with appropriate documentation, candidates are eligible to a maximum of two years of professional experience
One-year waiver of the professional experience requirement for education.
Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR a Master's Degree in information security from a U.S. National Center of Academic Excellence in Information Security (CAEIAE) or
If you hold both a four-year degree and a Master’s degree, you may only apply for a one-year waiver of
waiver of the professional experience requirement for holding an additional credential:
CERT Certified Computer Security Incident
Certified Business Continuity Planner (CBCP)
Certified Computer Crime Investigator (Advanced)
Certified Computer Crime Prosecutor
Certified Computer Examiner (CCE)
Certified Fraud Examiner (CFE)
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Certified Internal Auditor (CIA)
Certified Protection Professional (CPP)
Certified Wireless Security Professional (CWSP)
Computer Forensic Computer Examiner (CFCE)
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Certified Forensic Analyst (GCFA)
GIAC Information Security Officer (GISO)
GIAC IT Security Audit Essentials (GSAE)
GIAC Security Expert (GSE)
GIAC Certified ISO-17799 Specialist (G7799)
GIAC Security Leadership Certification (GSLC)
GIAC Systems and Network Auditor (GSNA)
GIAC Certified Security Consultant (GCSC)
Microsoft Certified Systems Administrator (MCSA)
Microsoft Certified Systems Engineer (MCSE)
Master Business Continuity Planner (MBCP)
System Security Certified Practitioner (SSCP)