nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

CISSP Endorsement Month counting issue

myworld

Hi all

I just got my email saying i Passed CISSP exam. And I am very happy.

I have question regarding Months of experience on endorsement form. I dont have anybody to endorse me so i am applying for ISC2 to endorse me.

So here is my question:
i have experience in 5 CISSP domain from Sept 05 till Now. So it is about 68 Months in total.
So on application i think i have to break 68 months per domain i think? (Please correct me if i am wrong.)

So this is what i did on form:
Access Control = 12 months
Application Development Security
Business Continuity and Disaster Recovery Planning = 12 months
Cryptography
Information Security Governanceand Risk Management = 12 months
Legal, Regulations, Investigations, and Compliance
Operations Security
Physical (Environmental) Security
Security Architecture and Design = 12 months
Telecommunications and Network Security = 20 months

total = 68 months

So is this Right? or i need 60 months in each domain?

I also have MCSE if i need to use waiver for one year. but if what i did above is right then i may not need to apply for waiver.

Please give me your opinion about above math of counting months and the experience required for CISSP.

Thank you

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

JDMurray

Congratulations on passing the CISSP exam!

myworld wrote: »

Please give me your opinion about above math of counting months and the experience required for CISSP.

From the (ISC)2 Web site it states:

"You must have a minimum of five years of direct full-time security work experience in two or more of the[se] 10 domains of the (ISC)² CISSP CBK."

Because I don't see the word "each" used, I interpret the required experience as cumulative across all domains worked rather than exclusive to each domain worked, so you should be good to go. However, regardless of what I think, it's up to the (ISC)2 to make the final determination.

ChooseLife

Interesting question...

JDMurray wrote: »

Because I don't see the word "each" used, I interpret the required experience as cumulative across all domains worked rather than exclusive to each domain worked, so you should be good to go.

Wouldn't that mean that a sysadmin could qualify after 1 year if he worked in 5 areas, e.g.

Access Control
Disaster Recovery Planning
Operations Security
Security Architecture and Design
Network Security

?

P.S. Congrats on passing the exam!

myworld

Thank you for your answers.

I actually called ISC2 and one of the Auditor told me this: if you have one year experience in 3 domains than you need to divide one year by 2 or 3 domain.

so 12 months = 4 months in Domain 1 + 4 months in domain 2 + 4 months in domain 3
OR 12 months = 6 months in domain 1 + 6 months in domain 2

total must be 12 months not more than 12.

so i think my 68 month math may be ok by ISC2.

I will let you know once everything is done.

thank you again.

colemic

Your are correct. The logic behind it is, i(responding to chooselife), if you are claiming full-time experience in 5 domains, then you can't be doing any of them full-time, unless you are working a 200 hour work week.

JDMurray

No double-dipping then?

colemic

Well, the more I think about it, the more I see a possibility that you could - goco's in Iraq working 88 hours a week would definitely count as full-time, but I wonder if someone working 35 hours/week (I think the normal workweek in parts of Europe, France maybe?) would they accrue 'experience' at the same rate as the goco, or higher?

ChooseLife

Ah, okay, I got it now... So the requirement is to have 60 months of experience, with each time period counting towards only one of the domains, and no fewer than 5 domains covered by those 60 months. Is this correct?

Another, somewhat related question - how is the experience calculated in case of a sysadmin job? Using myself as an example, I have spent the past 6 years doing following things:
- designing and carrying out DR plans
- writing security policies
- designing, implementing, maintaining security infrastructure (firewalls, VPNs, IDS'es)
- hardening servers
- monitoring system logs, responding to incidents
- performing security assessments/pen.testing
- et cetera, et cetera...

The thing is, all of these activities have always taken only part of the day, combined with a zillion of other tasks. How does this experience count, if it does at all? At a certain ratio? I don't really see a way to estimate or verify how much time was spent per certain activity....

bdoub1eu

Uh oh...Think I did it the other way (meaning for each domain I had like 70 months or something like that since I figured that each day I dabbled in a few different domains). Submitted my info on April 20th...Should I contact them or will they figure it out? Got about 10 years of IT experience...

bdoub1eu

bdoub1eu wrote: »

Uh oh...Think I did it the other way (meaning for each domain I had like 70 months or something like that since I figured that each day I dabbled in a few different domains). Submitted my info on April 20th...Should I contact them or will they figure it out? Got about 10 years of IT experience...

Called (ISC)2 and they said that they should be able to figure it out based on my resume and if they had any questions, they'd contact me.