CISSP® Exam Requirements

Beginning 30 April 2008, members with the affected certification(s) must earn the minimum number of CPEs annually during each year of the three-year certification cycle. Although members may earn more than the minimum CPEs required for credential maintenance for the three-year cycle, they are still required to earn and submit the minimum annual number to maintain their certification in good standing.

  • What are the new requirements for the CISSP?
    Currently, to maintain the CISSP certification, a member is required to earn and submit a total of 120 CPEs by the end of their three-year certification cycle and pay the AMF of US$85 during each year of the three-year certification cycle before the annual anniversary date. With the new changes effective 30 April 2008, CISSPs are required to earn and post a minimum of 20 CPEs (of the 120 CPE certification cycle total requirement) and pay the AMF of US$85 during each year of the three-year certification cycle before the member’s certification or recertification annual anniversary date. For CISSPs who hold one or more concentrations, CPEs submitted for the CISSP concentration(s) will be counted toward the annual minimum CPEs required for the CISSP.

Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains. A new endorsement policy will also be in effect, requiring anyone who passes a CISSP, CAP®, or SSCP® exam to have their qualifications endorsed by another CISSP credential holder.

CISSP professional experience includes:

  • Work requiring special education or intellectual attainment, usually including a liberal education or college degree.

  • Work requiring habitual memory of a body of knowledge shared with others doing similar work.

  • Management of projects and/or other employees.

  • Supervision of the work of others while working with minimal supervision oneself.

  • Work requiring the exercise of judgment, management decision-making, and discretion.

  • Work requiring the exercise of ethical judgment (as opposed to ethical behavior).

  • Creative writing and oral communication.

  • Teaching, instructing, training and the mentoring of others.

  • Research and development.

  • The specification and selection of controls and mechanisms (i.e. identification and authentication technology); this does not include the mere operation of these controls.

  • Applicable titles such as officer, director, manager, leader, supervisor, analyst, designer, cryptologist, cryptographer, cryptanalyst, architect, engineer, instructor, professor, investigator, consultant, salesman, representative, etc. Title may include programmer. It may include administrator, except where it applies to one who simply operates controls under the authority and supervision of others. Titles with the words "coder" or "operator" are likely excluded.

Waiver of Experience:
If certain circumstances apply and with appropriate documentation, candidates are eligible to waive a maximum of two years of professional experience as follows:

  • One-year waiver of the professional experience requirement for education.
    Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR a Master's Degree in information security from a U.S. National Center of Academic Excellence in Information Security (CAEIAE) or regional equivalent.

    If you hold both a four-year degree and a Master’s degree, you may only apply for a one-year waiver of experience.

  • One-year waiver of the professional experience requirement for holding an additional credential:

    • CERT Certified Computer Security Incident Handler (CSIH)

    • Certified Business Continuity Planner (CBCP)

    • Certified Computer Crime Investigator (Advanced) (CCCI)

    • Certified Computer Crime Prosecutor

    • Certified Computer Examiner (CCE)

    • Certified Fraud Examiner (CFE)

    • Certified Information Systems Auditor (CISA)

    • Certified Information Security Manager (CISM)

    • Certified Internal Auditor (CIA)

    • Certified Protection Professional (CPP)

    • Certified Wireless Security Professional (CWSP)

    • CompTIA Security+

    • Computer Forensic Computer Examiner (CFCE)

    • GIAC Security Essentials Certification (GSEC)

    • GIAC Certified Firewall Analyst (GCFW)

    • GIAC Certified Intrusion Analyst (GCIA)

    • GIAC Certified Incident Handler (GCIH)

    • GIAC Certified Windows Security Administrator (GCWN)

    • GIAC Certified UNIX Security Administrator (GCUX)

    • GIAC Certified Forensic Analyst (GCFA)

    • GIAC Information Security Officer (GISO)

    • GIAC IT Security Audit Essentials (GSAE)

    • GIAC Security Expert (GSE)

    • GIAC Certified ISO-17799 Specialist (G7799)

    • GIAC Security Leadership Certification (GSLC)

    • GIAC Systems and Network Auditor (GSNA)

    • GIAC Certified Security Consultant (GCSC)

    • Microsoft Certified Systems Administrator (MCSA)

    • Microsoft Certified Systems Engineer (MCSE)

    • Master Business Continuity Planner (MBCP)

    • System Security Certified Practitioner (SSCP)