What Counts As CISSP Experience?

by Team Nuggets
Published on January 7, 2019

The ISC2 CISSP is considered one of the most difficult security exams, but not for the reasons you'd think. The CISSP isn't a technical exam. It's a management exam. Some people say it's tough. Others breeze through.

What makes earning the CISSP difficult is the experience requirement. There's nothing stopping anyone from taking the exam. If you pass, however, you'll be caught in a CISSP purgatory (aka CISSP Associate) for up to six years until you get the minimum work experience.

ISC2 requires a minimum cumulative five years paid work experience to earn the CISSP — and, yes, they check. But it's not as stringent as it sounds. In this post, we'll dig into the "cumulative" aspect of the experience required for the CISSP.

The easiest way to pass the CISSP process is honest-to-goodness full-time paid security work. It's as simple as that. However, there are other ways to count CISSP experience. Here are a few.

How CISSP Evaluates Work Experience

First, let's discuss how ISC2 evaluates work experience. Having a job title with "security" in it will certainly speed up the process. But the absence of that word isn't a deal breaker. ISC2 is clear that they're looking for "security work experience," which is easily satisfied in a security role. However, security work experience is distinct from working in a security role.

Luckily, you have the opportunity to explain yourself. In most professional environments, that's accomplished with a strong customized-to-the-position resume. The CISSP experience validation process is no different. When you're pulling together your resume for the CISSP, take time to dig deep into the eight security domains:

  • Domain 1: Security and Risk Management

  • Domain 2: Asset Security

  • Domain 3: Security Architecture and Engineering

  • Domain 4: Communication and Network Security

  • Domain 5: Identity and Access Management (IAM)

  • Domain 6: Security Assessment and Testing

  • Domain 7: Security Operations

  • Domain 8: Software Development Security

You can find the CISSP exam outline here. Looking at the domains, you'll notice that ISC2 wants to know that you were administering, managing, and designing security for an organization.

For instance, if you're a system administrator at a small organization, you regularly handle security (and everything else). That's perfect. You'll probably be fine by emphasizing your hands-on technical experience with security policies and appliances. ISC2 wants to know that you have hands-on experience — even if it didn't take 100 percent of your time.

Part-Time Experience Counts for CISSP

ISC2 understands that getting into the security field takes effort — and sometimes part-time work. That's why it offers an option to piece together part-time experience for the CISSP. There's an asterisk here. Part-time experience can't be less than 20 hours per week. It also can't be more than 34 hours per week — otherwise, you'd be full-time.

Be specific when submitting part-time work to ISC2 — particularly with the number of hours. They will translate the total hours you worked part-time into full-time work based on the 40-hour work week (and 2,080-hour work year).

For instance, 1,040 hours of part-time work equals six months of full-time work. Again, you don't have to be in a security role, but part-time experience must still fall into two or more of these eight security domains.

Security Internships Require More Work to Prove

Internships are a great way to add experience to your CISSP application — as long as they're well-documented. Internships can be paid or unpaid but still require experience under two or more security domains. If part-time, hours are calculated the same way as part-time experience.

Importantly, internship experience must be accompanied by a letter on company or organization letterhead that confirms your position. We'd also recommend that your current or former internship supervisor be prepared to field a call from ISC2 for further verification.

Experience Waiver for a Degree or Certification

ISC2 will accept an approved certification or a degree instead of one year of work experience, but not both. As with most of the CISSP experience process, there are asterisks here, too.

You can earn a year of work experience with a four-year or specialized advanced degree. To clarify, you need a four-year degree OR an advanced one to earn this year. It's a little confusing because most people earn a four-year degree on the way to a master's degree. Either way, you only need four years of work experience with a degree in either category.

ISC2 will also waive a year of work experience for anyone holding other security certifications. Here's a partial list of the most popular certifications in the CBT Nuggets course library:

Again, ISC2 doesn't allow double-dipping for experience. CISSP applicants must have at least four years of work experience — even with a four-year degree, advanced degree, or one of the approved certifications.

You're Not Done Yet

In addition to passing the exam and validating your experience, you'll also have to find an ISC2 sponsor to endorse you. There's a reason the CISSP is one of the most valued security certifications in the industry. It's a lengthy process to earn the CISSP, but once you do — it's worth it.

