Since 2016 I have been an 'Associate of ISC2 towards CISSP' because I didn't yet have the 5 years' experience needed for certification. A while ago I got myself certified in CRISC, and that raised the question of whether that would get me to my CISSP certification somewhat earlier. I found on the ISC2 website: 'If you presently hold an active certification that appears on the (ISC)² Approved List, you may receive a one-year experience waiver.' However, CRISC is not in the approved list. Is there a reason for that?
I had a discussion about this recently on here. A guy had a long list of security-focused credentials, but none were on the list apart from his Microsoft ones, which ironically aren't security-focused!
I think the list does appear to be pretty arbitrary. For example, they list CCNA and CCNP Security, but you're out of luck if you are a CCIE Security. Neither CCNA nor CCNP Security is a prerequisite for the CCIE Security, so it's possible someone could hold Cisco's premier security certification but not be eligible for a 1-year waiver, while someone who holds their lowest level security certification would be - how does that work?!
Conversely, they only list the JNCIE-SEC, but not the JNCIS-SEC or JNCIP-SEC which would be the Juniper equivalents of the Cisco certs they do allow - no consistency in selection being shown here!
Also, if they're going to allow various Cisco and Juniper Firewall/IDP administration/engineering certs, why not allow ones from other current major vendors such as Check Point, Fortinet and Palo Alto Networks which many would argue are more prominent and therefore relevant in today's market?
Going back to the Microsoft certs, why allow those but then not something like the Red Hat equivalent?
Why are CISA and CISM eligible but not CRISC or CGEIT?
However, I would say, the wording on the link you provided states "approved credentials include" which suggests the list may not be exhaustive.
Hopefully someone from ISC2 can provide an answer on how definitive this list actually is?
Thanks for your clear and detailed answer. The amount of possible certifications seems to be pretty confusing for newcomers in the field, as well as for employers. For me it is difficult to see if certain certifications are comparable to each other. Hopefully, someone from ISC2 will provide an answer on CRISC, but also where to turn in case of doubt.
Other than the majority of them being security-focused, I don't think they're really comparable for the most part. There's a real mixture of security specialist areas from a real mixture of different organisations and a real mixture of different seniority levels, with some certs not even requiring any practical experience.
The Microsoft ones really stick out to me for a couple of reasons. They are not security-focused, and, as I pointed out in my previous discussion on this topic, they technically never expire. You could have someone with an MCSE on Windows NT 4.0 rightly claim they're an MCSE and qualify for an experience waiver off the back of a 20-year-old certification on a product long since out of vendor support!
I think rather than having a prescribed list of seemingly random certs people can use as experience waivers, they'd be better off defining a list of criteria your certification has to meet to be used to waive a year of experience.
Although, given how different all of the certs on the current list are, I don't know what all the criteria would be? One should be the cert is at least being maintained! (I'd love to know how they arrived at the current list?)
If the list is definitive and therefore your CRISC isn't eligible, you could always pick the one you feel is easiest to attain from the current list, and if you can achieve it in under a year then you're ahead of the game!
Thank you for your post. Waivers listed on the (ISC)2 approved certification for the CISSP can waive one year of work experience. The certifications must meet ANSI requirements in order to be approved. This list is periodically updated with certifications removed or added. If there is a specific certification in question please email email@example.com and we will determine if it can be added to waive a year of time. However, I have inquired about the CRISC and can confirm it can be used to waive a year. The website will be updated accordingly.