Question if I can get the CISSP Certification

Hey everyone. Currently, I have a CISA and just passed the CRISC. I am working in internal audit for a company where I also help out in IT auditing. I have been doing this for about 3 years now and I want to move more towards the IT side of things. I was planning on taking the CISSP, but, I don't think 5 years of IT audit would suffice for the experience requirement, I just wanted to check with you guys. Also, I don't have an CISSP's at work that I work directly with, so it may even be hard to get my application signed. Just looking for general advice if I should try to get in to a IT role now and then do the CISSP once I am positive I meet the requirements to get certified or take it now and try to find someone with a CISSP to sign off.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

mstd0n

Just for clarification why do you need someone from within your company to "sign off" on you getting a CISSP?

cyberguypr

I think he means the endorsement. OP, you can have ISC2 endorse you:

"If you do not know an (ISC)² certified professional in good standing, (ISC)² can act as an endorser for you. In this case, please download and submit the Applicant Endorsement Assistance Form for the credential you are pursuing."

rohit10

cyberguypr wrote: »

I think he means the endorsement. OP, you can have ISC2 endorse you:

"If you do not know an (ISC)² certified professional in good standing, (ISC)² can act as an endorser for you. In this case, please download and submit the Applicant Endorsement Assistance Form for the credential you are pursuing."

Awesome, thanks for that, yea I meant the endorsement.

bpenn

Your CISA will waive one year of experience and then you need 4 years of experience in at least 2 of the 8 domains:

Security and Risk Management (Security, Risk, Compliance,
Law, Regulations, and Business Continuity)

Confidentiality, integrity, and availability concepts
Security governance principles
Compliance
Legal and regulatory issues
Professional ethic
Security policies, standards, procedures and guidelines

Asset Security (Protecting Security of Assets)

Information and asset classification
Ownership (e.g. data owners, system owners)
Protect privacy
Appropriate retention
Data security controls
Handling requirements (e.g. markings, labels, storage)

Security Engineering (Engineering and Management of
Security)

Engineering processes using secure design principles
Security models fundamental concepts
Security evaluation models
Security capabilities of information systems
Security architectures, designs, and solution elements vulnerabilities
Web-based systems vulnerabilities
Mobile systems vulnerabilities
Embedded devices and cyber-physical systems vulnerabilities
Cryptography
Site and facility design secure principles
Physical security

Communication and Network Security (Designing and
Protecting Network Security)

Secure network architecture design (e.g. IP & non-IP protocols,
segmentation)
Secure network components
Secure communication channels
Network attacks

Identity and Access Management (Controlling Access and
Managing Identity)

Physical and logical assets control
Identification and authentication of people and devices
Identity as a service (e.g. cloud identity)
Third-party identity services(e.g. on-premise)
Access control attacks
Identity and access provisioning lifecycle (e.g. provisioning
review)

Security Assessment and Testing (Designing, Performing, and
Analyzing Security Testing)

Assessment and test strategies
Security process data (e.g. management and operational controls)
Security control testing
Test outputs (e.g. automated, manual)
Security architectures vulnerabilities

Security Operations (Foundational Concepts, Investigations,
Incident Management, and Disaster Recovery)

Investigations support and requirements
Logging and monitoring activities
Provisioning of resources
Foundational security operations concepts
Resource protection techniques
Incident management
Preventative measures
Patch and vulnerability management
Change management processes
Recovery strategies
Disaster recovery processes and plans
Business continuity planning and exercises
Physical security
Personnel safety concerns

Software Development Security (Understanding, Applying, and
Enforcing Software Security)

Security in the software development lifecycle
Development environment security controls
Software security effectiveness
Acquired software security impact