CISSP Experience Requirement

NavyIT Member Posts: 171
Is there any way around the 5 year requirement for experience to take this exam? I have been working in the IT field for 4 years and feel I am ready for this test. How is your experience validated? Thanks!
A.S. - Computer Networking: Cisco
B.S. - Computer & Network Security

Comments

  • Iristheangel Mod Posts: 4,133 Mod
    You only need 4 years because you have the Security+ certification. Problem fixed!
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • JDMurray Admin Posts: 13,099 Admin
    You need to do a thorough reading of the requirements for the CISSP certification. After doing so you will see that there are no requirements to take the CISSP exam. The five years of professional experience are for obtaining the full CISSP certification after you have passed the CISSP exam. One year of experience can be waived for a number of reasons, such as having the Security+ certification, so you only need four years of verifiable, professional work experience. I would say that you are all set to go for the full CISSP certification.
  • NavyIT Member Posts: 171
    Great reply. Very informative. Thank you. I guess I should have been a little more proactive myself, huh?
    A.S. - Computer Networking: Cisco
    B.S. - Computer & Network Security
  • JDMurray Admin Posts: 13,099 Admin
    No prob. That's what TE is here for! :D
  • Kong239 Member Posts: 6 ■□□□□□□□□□
    I wanted to ask here rather than opening a new thread. I have only been working in IT for just under 2 years. However, the previous 5 years, my job entailed doing a fair amount of work that would certainly qualify as physical security. The 7 years prior to that, my job entailed doing audits and reviews of company assets as well as loss prevention. I even set up video surveillance and designed secure areas for merchandise. My CISSP sponsor told me that without a doubt what I did would qualify me for the work requirement. I took and passed the exam. I received notice from ISC2 that I did not have the work experience necessary. Does anyone know if this can be appealed? My resume did not highlight these as job functions and I suppose I should have tailored my resume for this circumstance but it's too late for that.
  • twodogs62 Member Posts: 393 ■■■□□□□□□□
    I'd appeal. Explain situation and update your resume with cover letter detailing security experience.
    Have your current supervisor submit a letter of endorsement.
    If you can have previous employers do same.
    Don't be surprised if supervisor requests you to write the letter and then they will sign.

    Have a CISSP vouch for you.
  • Kong239 Member Posts: 6 ■□□□□□□□□□
    I am typing a letter to the rep at ISC2 explaining in more detail and giving some details on what I did in those jobs. My CISSP sponsor and another CISSP I know both told me the work I did was sufficient. As for previous employers, I could get one. But he would take forever to get him to just sign a piece of paper. It took him 3 months to just sign something I needed for school years ago. Another went out of business and the other, I would have to track the supervisor down as he no longer works for the company. I just hope that they will actually review it and do consider appeals. I know sometimes they do audits but there was not even mention of an audit. I think an audit would have turned up the information they needed.
  • JDMurray Admin Posts: 13,099 Admin
    Kong239 wrote: »
    My CISSP sponsor told me that without a doubt what I did would qualify me for the work requirement. I took and passed the exam. I received notice from ISC2 that I did not have the work experience necessary.
    This is the first time I've heard of an endorser approving a certification candidate that was afterwards rejected by the (ISC)2. This can certainly happen, but I'm assuming it's very rare.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    @Kong239 - did you actually get some kind of official notification that rejected your application?

    Something similar happened to me but it was just an email from ISC2 saying that they needed better information. I spoke with someone who basically said that I needed to reformat the work experience documents that my endorser submitted to actually include the actual domain information.

    Apparently, it's preferable to just submit a list of employers, dates, title, and applicable domain instead of an actual resume or CV. About 1 hour after I sent ISC2 my updated work experience document, I got the official email stating the acceptance.

    I hope it works out for you. It doesn't sound based on your description that you have anything to worry about.
  • wes allen Member Posts: 540 ■■■■■□□□□□
    What Paul78 said - I didn't send a resume, just where I worked, the dates I was there, and how many months I spent in each domain at each job. If you search around a bit, you can find some examples of what people send. I just kept it basic and focused on which domains I was working in and for how long.
  • Kong239 Member Posts: 6 ■□□□□□□□□□
    Yes, I got an official notice from ISC2 saying that my work experience was rejected and that I could still get the associate of ISC2. I submitted an appeal e-mail last night. I will let you guys know what comes of it. I wouldn't mind an audit which is what I was essentially asking for in my appeal. I was just wondering if anyone had a similar experience.
  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    I was wondering if my work experience would qualify as CISSP work experience. At a former employer I have 7 years experience in patch management, including two years in system hardening and about 18 months in Cyber security with a new employer. I didn't hold a security title in my former position, but the work I was performing was security related.
    Still searching for the corner in a round room.
  • storch Member Posts: 6 ■□□□□□□□□□
    Honestly, don't try and "****" the system by trying to come up with different ways to fulfill the work requirements. If you truly have 5 years of full time IT security under your belt then use that. If you were a security guard and did "physical security" by inspecting the building or you work in IT support in a Helpdesk role but do patching as one of your duties that's really not fulfilling the full 5 years IT security requirements and you would only be "cheating" yourself.

    If you go into an interview and get hammered with technical security related questions by the security group you will only be fooling yourself thinking that because you have a CISSP that you are qualified to make security recommendations in an organization and they will see right through you. Just my tidbit I guess, not looking to offend anyone who is going that route!
  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    storch wrote: »
    If you were a security guard and did "physical security" by inspecting the building or you work in IT support in a Helpdesk role but do patching as one of your duties that's really not fulfilling the full 5 years IT security requirements and you would only be "cheating" yourself.

    While I can see your point, technically the position I hold now doesn't have the word "Security" in my title either, but I still perform Nuclear Cyber Security. Having the word "security" in your title to be considered IT security experience is a little too narrow of a definition in my opinion.
    Still searching for the corner in a round room.
  • Mike7 Member Posts: 1,112 ■■■■□□□□□□
    TechGromit wrote: »
    I was wondering if my work experience would qualify as CISSP work experience. At a former employer I have 7 years experience in patch management, including two years in system hardening and about 18 months in Cyber security with a new employer. I didn't hold a security title in my former position, but the work I was performing was security related.


    As per https://www.isc2.org/cissp-how-to-certify.aspx,

    Candidates must have a minimum of 5 years cumulative paid full-time work experience in two or more of the 8 domains ...

    Candidates may receive a one year experience waiver with a 4-year college degree, or regional equivalent or additional credential from the (ISC)² approved list



    Note the key word cumulative and the 1 year experience waiver which you can get once you pass your GIAC Security Essentials (Yes. I looked at your profile. :) )

    ISC2 does not stop you from taking the exam. You only get the CISSP title after passing both the exam and the work experience endorsement process. And if they deem your experience insufficient, they probably will award CISSP Associate title. After which, you have up to 5 years to fulfil experience requirement and convert from Associate to full CISSP.

    Alternatively (and probably the better option), schedule the exam and check the "Yes, I am taking this exam as an Associate" check box. As there are no work experience requirements, you are CISSP Associate after passing. Apply for conversion later.

    So go for it if you will be in infosec for the next 5 years.