I have a question about the work experience I need to take the CISSP exam. I worked from 2009 to 2012 for a company as a security admin, but since then I have been working in another line of business. Is there a rule that says that I have to have worked the last five years in the field of security?
I am an IT auditor with around 4.5 years of external IT audit experience at Big Four firms (ITGCs and IT dependencies audits) as well as nearly a year of IT internal audit experience. I would like to ask whether IT audit experience (i.e., assessment of security risks and controls, plus recommendations and follow-up on associated action plans) qualifies as work experience towards CISSP, or whether hands-on design, implementation and operation of security controls is required?