The CISSP 5-Year Experience Requirement: What Actually Counts

Confused about the CISSP 5-year experience requirement? A clear breakdown of what counts, what doesn't, and how to qualify faster.

More candidates get tripped up by the CISSP experience requirement than by the exam itself. I've watched people pass the test and then discover, six weeks into the endorsement process, that (ISC)² doesn't count two of the jobs they were banking on. That's a painful way to find out.

The rule itself is one sentence: five years of cumulative, paid work in at least two of the eight CISSP domains. Every word in that sentence is doing work, though, and the gap between what candidates think it means and how (ISC)² actually interprets it is where the pain happens. Let's go through it properly.

The eight domains — and why "in a domain" is the slippery part

Here are the eight, in the order (ISC)² lists them:

  1. Security and Risk Management
  2. Asset Security
  3. Security Architecture and Engineering
  4. Communication and Network Security
  5. Identity and Access Management
  6. Security Assessment and Testing
  7. Security Operations
  8. Software Development Security

Your job title doesn't need to include the word "security" for the work to count. What (ISC)² cares about is whether your actual duties involved the substance of these domains. A network engineer who spent real time configuring firewalls, VPNs, and network access controls is doing Domain 4 work — nobody at (ISC)² is going to argue with that. A sysadmin who managed IAM policies and authentication systems is doing Domain 5 work. A DevOps engineer who built secure CI/CD pipelines and ran application security testing is doing Domain 8 work.

This is where most people stop reading, assume they're fine, and move on. Don't do that yet. The murkier cases are where applications get rejected.

A help desk analyst who "handled security tickets sometimes" probably doesn't qualify — not unless a meaningful portion of the role was genuinely security work (managing privileged access, running incident response, etc.). A project manager who ran a few security projects can count under Domain 1, but only if the work was actually security program management and not generic PM work that happened to touch security. A software developer who built applications without a deliberate focus on secure coding usually doesn't count. A corporate trainer teaching basic awareness courses also usually doesn't count, though teaching at a level that requires real domain expertise can qualify.

One pattern I've seen trip candidates up repeatedly: they list five jobs, confident they're across multiple domains, but when you actually map the duties, three of those jobs are Domain 4 variants and the other two are generic IT. That's not two domains — that's one domain with IT adjacent to it. (ISC)² will catch this during audit.

The honest question to ask yourself, role by role: if I had to describe my duties in CISSP language, which domain's official description do they match? If you have to squint, it probably doesn't count.

What doesn't count, briefly

Unpaid internships don't count (with narrow exceptions for formal cooperative education programs). Volunteer work doesn't count toward the initial five years, though once you're certified it counts fine toward your CPEs. Pure IT roles with zero security responsibilities — nope. Time spent studying for CISSP or earning other certifications — that's education, not experience, and (ISC)² keeps those buckets separate.

The word "cumulative" matters

Your five years don't need to be continuous and they don't need to be recent. They're cumulative across your whole career, which is more generous than candidates often realize.

Two years as a network engineer with real security responsibilities from 2012–2014, then grad school, then three years as a security engineer from 2016–2019 — that's five cumulative years across at least two domains, and you qualify. Different employers are fine. A gap is fine. What matters is that it's verifiable, because (ISC)² can and does request documentation (LinkedIn, former manager confirmations, sometimes HR records).

Part-time work is prorated

(ISC)² treats 35+ hours/week as full-time. Below that, it's prorated — 20 to 34 hours generally counts as half credit, so two years of part-time equals one year of full-time. Under 20 hours/week usually doesn't count at all.

If you've cobbled together security work through contract gigs while holding another primary job, you can sometimes build qualifying time out of the aggregate. Keep documentation as you go. Trying to reconstruct hours from 2017 three years later is a bad position to be in.

The one-year waiver

(ISC)² lets you knock one year off the requirement with either a qualifying degree or a qualifying credential. Just one, not both — you can't stack a bachelor's degree waiver on top of a Security+ waiver. Pick whichever you have and move on.

Educational options include a four-year college degree in any field (yes, any field), a master's in information security from an NCAE-C institution, or a post-graduate degree in cybersecurity. Credential options are broader than people assume — Security+, CySA+, CASP+, CCNA Security, CEH, CISA, CISM, and a bunch of others from the (ISC)² approved list all qualify.

With the waiver applied, you need four years instead of five.

The Associate of (ISC)² pathway

If you're not at four or five years yet, you can still sit the exam. Pass it, and you become an Associate of (ISC)² — officially recognized as having passed CISSP but not yet fully certified. You then have up to six years to accumulate the qualifying experience and complete endorsement. Once you do, you convert to full CISSP.

Is it worth doing? For most people in this situation, yes. Your exam pass locks in (no expiration during the six-year window), your resume can say "CISSP Associate," and employers often read that as a strong signal of commitment. The reduced Annual Maintenance Fee ($50 vs $135) is minor but real. You still need 15 CPEs per year to maintain Associate status.

One thing to be clear-eyed about: the salary lift most people associate with CISSP arrives when you're fully certified, not while you're Associate. Some employers treat Associate as nearly equivalent; others treat it as "you passed a test, come back when it's real." Don't book an exam date assuming a promotion the day after.

Submitting your experience

Once you believe you qualify, you submit through (ISC)²'s portal — job history with dates, titles, employers, and a description of duties mapped to domains. The single biggest mistake I see: vague duty descriptions. "Worked on networking" is not going to survive an audit. "Configured and maintained Palo Alto firewall rule sets, implemented network access controls across three VLANs, and led VPN deployment for 400 remote users" absolutely will.

Be specific. Be boring. Think of the reviewer at (ISC)² as someone who needs to tick boxes against domain descriptions — make their job easy.

The endorsement process

You also need an endorsement from someone who already holds an (ISC)² credential in good standing (CISSP, CCSP, SSCP, CC, HCISPP, CGRC, or CSSLP). They vouch for your experience and ethics through the portal. If you don't know anyone with one of those credentials, (ISC)² itself can endorse you based on your application, but it's genuinely faster to find a former manager, mentor, or colleague who can do it.

Start identifying this person before you take the exam, not after. Every year we see candidates pass CISSP, realize they don't know a single certified professional, and then lose weeks sorting it out.

Common patterns that cause rejections

The most common rejection I've seen isn't fraud — it's candidates counting work that doesn't actually map to two domains. Five years of network administration where "security" meant "I sometimes looked at the firewall logs" is not Domain 4 experience. Be honest with yourself before you submit.

The second most common: candidates who've spent their whole career in one narrow area (say, IAM) and don't realize they need to articulate at least a second domain. You probably do have second-domain experience — network access work often maps to Domain 4, access reviews often map to Domain 6 — but you have to frame it that way in the application. Nobody's going to do that framing for you.

The third: assuming a degree program counts as work experience. Work you did as a paid employee while also being a student can count; the time you spent as a student earning the degree cannot.

If you're close but not quite there

A few things actually accelerate qualification, in rough order of impact. Taking on security-adjacent projects in your current role tends to pay off fastest — you don't need a new job title, just duties that map to a second domain. Changing roles entirely, if that's realistic, can jump you from "sort of qualifies" to "clearly qualifies" in under a year. Apply the waiver if you haven't; a degree or Security+ gets you a full year back with no additional work. And if you're one or two years short with no path to close the gap quickly, sitting as Associate is a legitimate move rather than a consolation prize.

Document your duties in real time. Every six months, write down what you did and map it to domains. When you eventually submit, you'll thank yourself — trying to reconstruct a mapping from four-year-old memories is a miserable exercise.

For more on what happens after the exam itself, we have a separate walkthrough of the CISSP endorsement process that covers finding an endorser and what they need to submit.

Where this leaves you

Most people with five or more years of varied IT and security work have qualifying experience — they just haven't framed it in (ISC)²'s language yet. The honest answer to "do I qualify?" usually comes from sitting down with the eight domain descriptions and your last five years of job duties, and mapping one against the other. If two domains are clearly represented and the hours add up, you're in. If you're short, the waiver, Associate pathway, and strategic role changes cover almost every situation.

The experience question is worth resolving, but don't let it stall your studying. Most candidates who pass wish they'd started practicing earlier. If you haven't tested where you actually stand on the content yet, LearnZapp has a free CISSP diagnostic that covers all eight domains in about 30 minutes — no signup. It's a fast way to see whether the content is your real obstacle, or whether this qualification question is the only thing standing between you and the certification.
