CBK Domain Experience Example

Maxcz Member Posts: 6
Hello fellow enthusiasts,

I was wondering if the following career experience would be considered valid in terms of CISSP CBK Experience requirements.
This question may sound a bit obvious but I have been having a hard time finding actual examples of what would be considered "valid" security experience.

- 2 years as a security operation analyst. Basically doing access control and audits. Finding out patterns in the day to day and automating it.
- 6 years as a Microsoft System Engineer for a major company. (Included everything from Architecture planning to license consumption.)
- 2 years as an IT/business analyst in a highly regulated financial firm. (Creation of all automations would require in-depth SOX knowledge due to regulations. Process/procedure/standards/baselines are all actually existing and in effect in such firms compared to most other establishments.)

I also have Security+ Certification dating from 2009 as well as multiple Microsoft certifications.

Although none of these jobs are directly labeled as security (besides the first one), the tasks performed certainly pertained to it.
If you are already a CISSP and replying to this thread, please also share what your experience was prior to the cert.

Regards

Comments

  • Webmaster Admin Posts: 10,292
    JDMurray can probably give you some more details, but I wishfully read the requirements once or twice a year to try again to somehow match my experience with the CBKs and there's one line that wakes me up every time:
    The five years of experience must be the equivalent of actual full-time Information Security work (not just Information Security responsibilities for a five year period); this requirement is cumulative, however, and may have been accrued over a much longer period of time.

    With Sec+ and the 2 years as security operations analyst you'd still need 2 more years, so you might want to consider the ISC2 Associate for CISSP depending on which of the three you mentioned is your current role or whether you are trying to get an infosec position.
  • Maxcz Member Posts: 6
    Thanks for your input Johan,

    Hopefully JD can clarify this quote from ISC website you put up. This is actually the exact reason why I wrote this post in the first place.
    I am basically looking to know if we can consider Infosec work exposure through non official security roles as valid experience.

    Common Example :: System Administrator/Engineer in a rather large company where the IT team also takes up the security duties because management buy-in for an Infosec team is not a reality yet.

    Surely there are countless people in this situation.
  • JDMurray Admin Posts: 13,092
    I can give you my opinion if you like, but to be blunt, only the (ISC)2 can give the official word on what does and does not qualify as acceptable professional work experience for their certifications. I suggest you email registrar@isc2.org and ask.
  • Maxcz Member Posts: 6
    I am always looking for personal insight. I know some professionals are going to quickly brush off my past credentials based on the premise that these positions are not fully recognized.
    However I also believe context is primordial when gauging these thresholds.

    In any case, I have already sent the same question more or less towards (ISC)2.

    Thanks for the input
  • Maxcz Member Posts: 6
    Reply from ISC2 goes as follows ::

    "Although your resume sounds very thorough to me, please keep in mind that the decision to endorse you or not, does not lie with me, ultimately. That falls on a CISSP who will interview you after you have passed your exam. This is a 20 minute interview, in which the member will ask you about your background and afterwards will decide whether or not to endorse. So, if you have any questions about these issues, I always advise candidates to find a CISSP and ask them the same. If they agree, that could be a great opening to ask if they would be willing to endorse you after the exam."

    Got in touch with the CISSP currently working for my employer and was met with positive responses so far.
    I will therefore be sitting the exam on July 21st.

    Shon Harris, Ed Skoudis, Bruce Schneier will be among my best friends for the next few weeks :)