cliffhammock
Viewer II

Documented Work Experience for CISSP

Is there an example of the endorsement form showing the work experience requirement? I am just trying to determine over what period of time the 4 years of experience can be documented. I already have a degree and Security+. For example, if I work 75% security and 25% program management, can I document my 4 years experience over the last 5.5 years? Is there a limit to reach back to show relative work experience?

3 Replies
Early_Adopter
Community Champion

So, from the ISC2 website:

To qualify for this cybersecurity certification, you must have:

  • At least five years of cumulative, paid, full-time work experience
  • In two or more of the eight domains of the (ISC)2 CISSP Common Body of Knowledge (CBK)

Don’t have enough work experience yet? There are two ways you can overcome this obstacle.

You can satisfy one year of required experience with:

Your second option is to take and pass the CISSP exam to earn an Associate of (ISC)2 designation. Then, you’ll have up to six years to earn your required work experience for the CISSP.

 

Based on this, we can feel reasonably comfortable in setting the lower bound on reach back as six years.

 

This is not official ISC2 policy on pro-rata for work experience (I haven't looked it up)... but frankly, if you told me you had a role for five years and six months that was 75% focused on InfoSec (decisions/designs/implementation/planning/audit etc., not guns and dogs) and 25% program management, I'd be inclined (after asking for your opinion on domain mappings) to say that was an InfoSec role.

 

Additionally, while I don't know your role so can't comment on specifics, programmatic thinking is so important for security, I'd think it would be worth describing that remaining work to your sponsor and seeing if what you were doing didn't map to the following domains in some way:

 

  • Security and Risk Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Remember, you should discuss this with your sponsor, with CV, JD, etc., and he or she can ask questions. If they are not sure, they can ask for assistance/opinion from ISC2. Ultimately, I guess they could say, actually that works for three years and the Security+ for one, but then you'd have six years to get the last year in.

 

Moreover, I think it would be hard to find someone whose whole role was just cybersecurity even if it had that title. Even the Grand Vizier of Securiness probably has to complete their expenses or participate in team building every now and again...

 

If you want to IM me with specifics I can give you my opinion.

cliffhammock
Viewer II

Thanks for your detailed reply. We have a local ISC2 chapter so I will follow up with some people there at our next meeting. 

testior
Newcomer I

How old can the 'reach back' be? (four to six years here) Is there an age limit?

Thanks