Newcomer II

CISSP experience waiver vs. CSSLP/CCSP requirements

Good day,

I was looking at the portfolio of certifications offered to check what kind of degree can be used as an experience waiver and I noticed something strange. The CISSP certification offers a one-year waiver for persons already holding other credentials, including SSCP, under the "Prerequisite Pathway" offer. However, no other certification allows this, putting 1) SSCP worth two years instead of one for the CISSP track and 2) CISSP and CSSLP on the same level when considering "experience required", but not on the same level of benefits for persons interested in securing software architecture. Furthermore, CISSP is listed as a prerequisite waiver for CCSP, unlike CSSLP, despite them being otherwise on par with experience required for any person for whom the CISSP was not the first InfoSec certification pursued. Even though I understand the CSSLP is a niche certification for people who actively endorse cyber security rules in application development, this basically puts it WAY behind compared to CISSP, as they both have identical worktime experience (not considering having an IT degree) and the CSSLP domains are already contained in two or three domains of CISSP. Is this on purpose? Or was there supposed to be a "Prerequisite Pathway" for CSSLP that got dropped off later in the process? And if so, will it be coming again one day?

4 Replies

@Illsteward Thank you for your inquiry. Please note, this was done on purpose; unfortunately, I am not able to discuss why. I will be happy to bring your feedback to management for review.


Best Regards,

Amanda Vance

Newcomer II

Thank you @amandavanceISC2 for your reply. I just find it really sad, because it devaluates the CSSLP, or rather, it basically tells anyone willing to take the exam that "this is a dead end". All while the scope and domains of the certificates are different enough. It simply seems like an operation overseer (CISSP suggested role) can have much less experience and still get much higher than a software engineer with hands-on security development experience (CSSLP suggested role).
Contributor I

@amandavanceISC2, I know this is an old thread, but I just came across it while searching for information about experience requirements.


As many of us hold multiple certifications, it might be helpful if (ISC)2 published a matrix or similar chart explaining what certs fulfill some - or all - of the experience requirements for other certs.  I know the certs focus on different aspects and areas of cybersecurity, but there's also a lot of overlap.  Gaining credit for the overlap is what I'm concerned with.


For example, when I submitted my info after passing the CCSP exam a few years ago, the system informed me that I met the experience requirements because I had already earned the CISSP.


However, after I passed the CAP exam, neither the CISSP nor CCSP completely covered the requirements; I had to get a letter from my company attesting to my experience in cybersecurity compliance and authorizations, although I held my CISSP and CCSP when I did that work.


It was easy to provide proof of experience after I passed the CISSP-ISSMP, because that was basically an attestation of my experience as a cybersecurity program manager.


However, now I'm going for the CSSLP and SSCP certs and I cannot find out if any of my current certs fulfill the experience requirements for them.  If not, I can document the requisite experience, but it seems a bit duplicative.  

Lloyd Diernisse

ISC2 Authorized Instructor and Learning Tree International Certified Instructor
Lean Six Sigma Black Belt | CISSP-ISSMP | CCSP | CGRC | PMP | TBM | CSM | CMMI-A | ITIL-Fv3
Community Champion

Just a heads up, Amanda no longer works as one of the Community admin team.


If you haven't discovered this already, only the CISSP and the CCSP allow certs to be used to waive some or all of the experience requirements.


However, the CISSP, and thanks to a fairly recent change, the CSSLP and the SSCP allow an appropriate degree to waive one year of experience from their respective requirements - so that might help you out.


No other ISC2 certs allow experience waivers of any kind.


NB - the latest, foundational cert, the CC, has no experience requirements.


Always best to check the respective exam outlines for the latest information.