Do You Have Enough Experience to Take the CISSP Exam?

***UPDATE November 16, 2015***

Check out this link for more information: Can You Take the CISSP Exam Without 5 Years of Security Experience?

A lot of readers have been asking me if they have the required professional experience to take the CISSP exam.

This is a pretty simple question to answer, though there are some complications. So let’s start with the explicit exam requirements.

According to (ISC)2, you must have a minimum of five years’ direct full-time security work experience in two or more of the following domains:

If you want to see how the new domains map to the old domains, check it out here: Old vs New CISSP CBK Domains

How do you gain experience in these domains? Usually, by holding down one or more of these information security jobs:

• Network Security Engineer
• Penetration Tester
• Software Tester
• Risk Analysis Specialist
• Information Security Officer
• Cyber Security Consultant
• SOC Manager
• Computer Forensics Investigator
• Security Auditor
• Security Architect
• Disaster Recovery Manager
• Computer Crime Investigator
• Malware Analyst

If you have one of these jobs, congratulations – you have security experience. We’ll talk about your level of experience and what that means in just a bit.

But first… If you don’t have one of these jobs…

No Security Experience

If you’ve never held one of the above jobs, chances are you don’t have any information security experience, which means you won’t be able to take the CISSP exam. Trust me though, if you haven’t worked in some sort of security field, you probably aren’t ready for the exam anyway.

When I took the exam, I can tell you that for at least 25% of the questions, I had to draw from my personal experience as a network security engineer.

In the course of my studies, I answered over 5,000 practice questions, and I still encountered questions that could not be found in a textbook.

The questions on the CISSP exam are so broad that you must use what you have learned in the field and trust your professional instincts.

Different security jobs have different experiences, but in the end it is all the same CONCEPT, and that is what the exam is testing – not just your knowledge of those concepts, but how to apply that knowledge.

See if you can answer this question: What is the difference between the risk analysis team vs the risk assessment team?

If you have no information security experience, you probably don’t know the answer, which is why you have no business taking this exam.

The CISSP is a gold standard certification, and the barrier to entry is high for a reason. Don’t beat yourself up.

Instead, go get yourself one of those jobs. And start studying.

1-2 Years

Alright, so you’ve got a maximum of two years in the security field, obtained a Security+ or CCNA, and you can probably even pass the CISSP exam if you really studied hard, but you’re still three years shy of the experience requirement.

But don’t stress it. This is actually a good thing, because you have plenty of time to get ready for the exam. Take this time to look over the chapters of the CISSP study guide and acclimate yourself to the topics. Don’t start studying deeply yet – you don’t want to get overwhelmed.

Right now, just browse the domains and try to assess your strengths and weaknesses. If you can relate the study topics to what you do in real life (and vice versa), it will help you greatly understand and apply the concepts.

You might feel ambitious and be like “I’m gonna take the test, I bet I can pass it.” Okay, I like the confidence, and you probably will pass it. But remember, after you pass, you have to prove to (ISC)2 that you have 5 years of security experience. If you can’t prove that within 9 months of taking the exam, you’ll have to take it again! Yikes!

3-4 Years

If you’ve got three years’ experience, you’re still not ready to take the exam, but you can dive deeper into the study materials. As you read through the CISSP book, you’ll no doubt encounter some topics that come easy and some that seem completely foreign.

For example, I am a network security engineer, so the domain of Telecommunications and Network Security was pretty easy. I knew all about the difference between dual-homed firewalls, or the advantages of an IDS vs an IPS.

However, I did not have any programming or software experience AT ALL, so the toughest domain for me was Software Development Security.

Database schema? Fuzzing? Backdoor? These were all new concepts that I had to focus strongly on.

If you have four years of experience and a bachelor’s degree or a CCNP, then you are ready to take the exam! You have met the experience requirement thanks to the one-year education/credential waiver, which allows you to substitute a college degree or an accepted certification for one year of security experience.

Click here to see a list of approved experience waivers: CISSP 1 Year Experience Waiver

Over 5 Years

You’re a security guy. You’ve been in the game a long time. You have at least one vinyl figurine and at least three technical manuals on your desk. You’ve seen just about everything. You’ve thwarted DDoS attacks and seen the most devastating malware ever to rip through a network. You’ve been on-call for 30 days straight and been called every night.

When people ask what you do, you reply “Oh, I work with computers,” keeping it simple because you know they won’t understand what exactly you do anyway.

Maybe your employer requires you to have the CISSP, or maybe they’ll pay for any certification you want to pursue. Maybe you just want to prove to yourself that you can pass the CISSP.

Whatever your motivations, you’re definitely qualified.

You might need to brush up on the particulars of the new exam topics, but you get the general concept and flow. Three months of studying, and you’ll be ready to take the exam.

Hope this answers some questions about the necessary experience required to take the CISSP exam! Thanks for reading.