CISSP exam update 2026

Heads Up: Your CISSP "Short-Cut" Might Be Expiring in April 2026!

If you’ve been eyeing the CISSP, you probably know it’s the "Gold Standard" in our industry. But let’s be real—the five-year experience requirement is a steep hill to climb.

For years, many of us have relied on the "one-year waiver" to make that hill a little easier. By holding a degree or a specific certification (like the CISA or CEH), you could knock that five-year requirement down to four.

Well, the rules are changing. Starting April 1, 2026, ISC2 is significantly trimming the list of certifications they’ll accept for that one-year waiver. If your plan relies on a specific cert to get you across the finish line, you need to see if it’s staying or going.


The "Safe" List (These are staying!)

If you hold these, you’re in the clear. They will still count for a one-year waiver after the deadline:

  • CompTIA: Security+, CySA+, and the new SecurityX (CASP+).
  • Cisco: CCNA and CCNP Security.
  • ISC2’s Own: CCSP and SSCP.
  • Cloud: AWS Certified Security – Specialty.
  • Management: CISM (Certified Information Security Manager).

Complete List:

Staying:

  • AWS Certified Security - Specialty
  • Certified Cloud Security Professional (CCSP)
  • Certified in Governance, Risk and Compliance (CGRC)
  • Certified Information Security Manager (CISM)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • Cisco Certified Internetwork Expert (CCIE) Security
  • Cisco Certified Network Associate (CCNA)
  • Cisco Certified Network Professional Security (CCNP Security)
  • CompTIA Advanced Security Practitioner (CASP+)
  • CompTIA CySA+
  • CompTIA Security+
  • CompTIA SecurityX
  • GIAC Global Industrial Cyber Security Professional (GICSP)
  • GIAC Information Security Fundamentals (GISF)
  • GIAC Information Security Professional (GISP)
  • GIAC Security Leadership Certification (GSLC)
  • HealthCare Information Security and Privacy Practitioner (HCISPP)
  • Microsoft Certified Cybersecurity Architect
  • Systems Security Certified Practitioner (SSCP)


The "Use It or Lose It" List (Being removed!)

If you were planning to use one of these, you must submit your CISSP endorsement application before April 1, 2026. After that, they won't count toward your experience waiver:

  • CISA (Certified Information Systems Auditor) – This is a big one!
  • CEH (Certified Ethical Hacker)
  • OSCP (Offensive Security Certified Professional)
  • AZ-500 (Microsoft Azure Security Engineer)
  • Cisco CyberOps (Associate & Professional)
  • CCSK (Certificate of Cloud Security Knowledge)

Complete List:

Being removed:

  • AZ-500 Azure Security Engineer Associate
  • Certified Computer Examiner (CCE)
  • Certified Ethical Hacker v8 or higher
  • Certified Information Systems Auditor (CISA)
  • Certified Internal Auditor (CIA)
  • Certified Protection Professional (CPP) from ASIS
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Wireless Security Professional (CWSP)
  • Cisco Certified CyberOps Associate/Professional
  • CIW Web Security Professional
  • CIW Web Security Specialist
  • Computer Hacking Forensic Investigator (CHFI)
  • CSA Certificate of Cloud Security Knowledge (CCSK)
  • EC-Council Certified Security Specialist (ECSS)
  • EC-Council Certified SOC Analyst (CSA)
  • GIAC Certified Enterprise Defender (GCED)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Cyber Threat Intelligence (GCTI)
  • GIAC Security Essentials Certificate (GSEC)
  • GIAC Strategic Planning, Policy, and Leadership (GSTRT)
  • GIAC Systems and Network Auditor (GSNA)
  • INE eCPPT Certification (Certified Professional Penetration Tester)
  • INE eJPT (Junior Penetration Tester)
  • Information Security Management Systems Lead Auditor (IRCA)
  • Information Security Management Systems Principal Auditor (IRCA)
  • Juniper Networks Certified Internet Expert (JNCIE-SEC)
  • Microsoft Identity and Access Management
  • Microsoft Security Operations Analyst
  • Offensive Security Certified Professional/Expert (OSCP/E)


The New Additions List

Here are the certifications being added to the list that qualifies for the one-year waiver:

  • Information Systems Security Architecture Professional (ISSAP)
  • Information Systems Security Engineering Professional (ISSEP)
  • Information Systems Security Management Professional (ISSMP)
  • Zscaler Digital Transformation Administrator (ZDTA)
  • Zscaler Digital Transformation Engineer (ZDTE)
  • Zscaler Digital Experience Administrator (ZDXA)


Wait, Why the Change?

ISC2 wants to ensure the certifications used for waivers are 100% aligned with the security leadership focus of the CISSP. While technical certs like the OSCP are amazing, ISC2 is shifting toward credentials that mirror the broader risk management and governance themes of the CISSP domains.

Your Game Plan

  1. Check your timeline: If you have 4 years of experience and hold one of the "removed" certs, apply now. Don't wait until the 2026 rush.
  2. Degree vs. Cert: Remember, you can still use a 4-year college degree (in a related field) for that one-year waiver. You can’t "stack" them, though—it’s either the degree or the cert.
  3. Don't panic: If you miss the deadline, you aren't disqualified. You just might need to wait for that 5th year of experience to hit before you can move from "Associate" to a full "CISSP."


The bottom line? If you’ve already done the hard work of earning a CISA or CEH, make sure it pays off for your CISSP application before the window closes!


ISC2 Community announcement - https://community.isc2.org/t5/CISSP-Study-Group/CISSP-Experience-Waiver-Changes-Coming-April-2026/td-p/84687


Need help navigating these changes and getting exam-ready? If you're looking for structured guidance to tackle the CISSP, I offer comprehensive courses designed to help you master the material and approach the exam with confidence. You can check them out here: CISSP Collection