Every guide about the CISSP mentions that the endorsement process exists. Almost none of them tell you what it actually looks like week by week, what decisions you need to make and when, or what separates the candidates who are certified in eight weeks from the ones still waiting at month four.
This guide fixes that. We will treat the endorsement like the project it is: distinct phases, clear owners, specific inputs and outputs at each stage, and a list of the mistakes that kill your timeline.
From exam pass to certificate in hand, budget 8–12 weeks if you start your endorsement preparation promptly. The ISC2 review phase alone takes 4–8 weeks. Candidates who wait until after passing to think about their endorser, or who submit vague experience documentation, routinely add a month or more to their timeline.
What Is the CISSP Endorsement Process?
Passing the CISSP exam does not make you a CISSP. It makes you eligible to apply. The endorsement process is how ISC2 verifies that your work experience is real, relevant, and sufficient — and that a fellow ISC2 member can vouch for it.
There are two components ISC2 is evaluating:
- Experience: You must document five years of full-time, paid work experience in at least two of the eight CISSP domains. If you hold a qualifying credential (such as CISM, CompTIA Security+, or CCSP), one year is waived, reducing the requirement to four years.
- Endorsement: An active ISC2 member in good standing must sign off on your documented experience. They are attesting that your claimed experience is accurate to the best of their knowledge.
The process is administered entirely online through the ISC2 candidate portal. There are no paper forms, no in-person meetings, and no scheduled interviews — the review is asynchronous and document-based.
The Complete Timeline at a Glance
Below is the master timeline, from your last day of study through receiving your CISSP certification. Each phase has its own section with details. Use this table as your project plan.
| Phase | Timing | Owner | Key Output |
|---|---|---|---|
| Pre-endorsement prep | Before exam day | You | Endorser identified and briefed; experience draft started |
| Exam result | Day 0 | Pearson VUE / ISC2 | Provisional pass; portal access activated |
| Experience documentation | Days 1–14 | You | Complete, domain-mapped work history |
| Endorser review | Days 7–21 | Your endorser | Signed endorsement submitted to ISC2 |
| Application submission | Days 14–21 | You | Complete application in ISC2 portal |
| ISC2 review | Weeks 4–12 | ISC2 | Approval decision (or request for additional info) |
| Certification issued | After approval | ISC2 | CISSP credential, member number, certificate |
Before You Pass: Pre-Endorsement Prep
Most candidates think about their endorser after they pass. That is the single biggest self-inflicted delay in the process. Identifying and briefing your endorser before exam day means you can move to application submission within days of passing instead of spending two weeks tracking someone down.
What your endorser needs to be
Your endorser must be an active ISC2 member in good standing — meaning they hold an active ISC2 certification (CISSP, SSCP, CCSP, CSSLP, CGRC, or HCISPP) and are not suspended or lapsed on Annual Maintenance Fees. They do not need to be your direct supervisor or even know you personally. They need to be able to attest that your documented experience is consistent with what they know or can verify about your work history.
How to find an endorser if you don’t know one
- Your workplace: Many mid-to-large organizations have multiple CISSP holders. HR or a quick LinkedIn search of your colleagues will surface them.
- ISC2 chapter events: Local ISC2 chapters hold regular meetups. Attending one before your exam — or immediately after — often produces an endorser within a single conversation.
- ISC2 community forums: ISC2 maintains an official community platform where experienced members regularly volunteer to endorse qualified candidates they have not met. The key is presenting complete, credible documentation.
- LinkedIn: A direct message to a CISSP-credentialed connection explaining that you recently passed and need an endorser is a completely normal ask in this community.
Start drafting your experience documentation now
The experience documentation is more work than most candidates expect. You need to describe your responsibilities for each role you are claiming — with enough specificity that a reviewer can map your work to named CISSP domains. “Worked on security projects” fails review. “Managed quarterly vulnerability assessments across 200 endpoints using Nessus, triaged findings against CVSS scores, and reported remediation timelines to the CISO” passes review. Starting this draft during your last weeks of exam preparation means you can submit quickly after passing.
Weeks 1–2: Right After You Pass
You receive your result at the testing center immediately after completing the CAT exam. The result shown on screen is provisional — ISC2 confirms it within a few business days. Shortly after confirmation, you will receive an email from ISC2 with instructions to access your candidate portal and begin the endorsement process.
What to do immediately
- Confirm your email with ISC2: Make sure your ISC2 account uses an email address you check. All endorsement communication comes through the portal and via email.
- Contact your endorser: Let them know you passed and share your experience documentation draft. Give them context: what role you are in, how long you have been in security, and the domains you are claiming.
- Log into the candidate portal: The endorsement application lives in your ISC2 online profile. Familiarize yourself with the form fields before you start filling them in.
- Check your waiver credential (if applicable): If you hold a qualifying cert like CISM or CompTIA Security+, have that credential information ready to include. Note that the April 2026 waiver list revision removed CEH, CISA, OSCP, and most GIAC credentials — make sure yours still qualifies.
ISC2 requires you to complete the endorsement process within nine months of passing the exam. Nine months sounds comfortable, but candidates who let months slip by without progress often face complications later — endorsers who have become unavailable, employment records that are harder to retrieve, or ISC2 policy updates that affect their situation. Start within the first two weeks.
Weeks 3–4: Preparing and Submitting Your Application
This is the most labor-intensive phase for you personally. Your application must include a complete, verifiable work history mapped to CISSP domains. Here is exactly what ISC2 expects:
What your experience documentation must include
- For each role: Employer name, job title, start and end dates (month and year), full-time or part-time status, and whether the role was paid employment
- Domain mapping: For each role, describe your specific responsibilities in language that maps to named CISSP domains. You must cover at least two domains across your total documented experience.
- Continuity is not required: Your five years (or four with waiver) do not need to be continuous. Multiple roles over a longer span are fine, as long as the cumulative full-time equivalent reaches the threshold.
Domain-by-domain experience examples
If you have not yet mapped your experience to the eight CISSP domains, do it now before writing your application. The domains most commonly satisfied by mid-career security professionals are:
- Domain 1 (Security & Risk Management): Risk assessments, policy development, BCP/DR planning, compliance management
- Domain 5 (Identity & Access Management): IAM system administration, privileged access management, directory services, authentication design
- Domain 7 (Security Operations): SOC operations, incident response, SIEM management, patch management, vulnerability triage
- Domain 3 (Security Architecture & Engineering): Security architecture reviews, system hardening, cryptography implementation, secure design
Submitting your application
Once your documentation is complete and your endorser has reviewed it, you submit through the ISC2 portal. The endorser receives an automated email prompting them to log in and confirm their endorsement. Both steps — your submission and your endorser’s confirmation — must be complete before ISC2 will begin its review.
Run through this checklist before submitting: (1) Every role has specific, domain-mapped responsibility descriptions. (2) Your total experience meets the five-year (or four-year with waiver) threshold. (3) Your endorser is an active ISC2 member and knows to expect the confirmation email. (4) Your qualifying waiver credential is listed if you are claiming one. An incomplete submission gets returned, adding weeks to your timeline.
Weeks 5–8: Under ISC2 Review
Once your complete application is submitted — with both your documentation and your endorser’s confirmation — the file goes to ISC2’s review queue. This is the phase where candidates have the least control and often the most anxiety.
What ISC2 is actually reviewing
- Whether your claimed experience maps credibly to the domains you cited
- Whether the dates and roles you listed are internally consistent
- Whether your endorser’s confirmation was completed by an active ISC2 member in good standing
- Whether any documentation raises questions that require follow-up
ISC2 does not contact your employers independently. The review is based entirely on the documentation and endorsement you submit. This is why the quality of your written descriptions matters so much — the reviewer cannot call your manager to confirm what you did day-to-day.
If ISC2 asks for additional information
Some applications receive a request for clarification — either because a domain mapping seems thin, an employment date is unclear, or a description is too vague to evaluate confidently. These requests come via portal notification and email. Respond promptly and specifically. A detailed, responsive follow-up typically adds only one to two weeks to your timeline. A slow response or a response that does not address the specific question can add a month.
Weeks 9–12+: If It Takes Longer
A minority of applications take longer than eight weeks. The most common reasons are a backlog in ISC2’s review queue (which fluctuates seasonally), an additional information request that requires multiple exchanges, or an endorser-side issue (the endorser’s credentials lapsed, or they did not respond to the confirmation email).
How to follow up without creating friction
ISC2 has a member services team you can contact via the candidate portal if your application has been in review for more than eight weeks with no update. When you reach out, include your candidate ID, exam pass date, and the date you submitted your application. A polite, factual inquiry generally moves things along. Escalating immediately or writing frustrated messages is rarely productive.
If your endorser becomes unavailable
If your original endorser becomes unavailable after you submitted but before they confirmed, you can request a new endorser assignment through the portal. This resets the endorser-confirmation step but does not require you to re-document your experience. Addressing this promptly is important — an application sitting in “waiting for endorser” status indefinitely will eventually expire.
The Six Most Common Delay Causes (and How to Avoid Them)
| Delay Cause | Impact | How to Avoid |
|---|---|---|
| Vague experience descriptions not mapped to domains | Application returned for revision — adds 2–4 weeks | Write specific, role-based descriptions tied explicitly to domain names before submitting |
| Endorser not lined up before passing | Adds 1–3 weeks post-exam before you can even start the formal process | Identify your endorser during your study phase; confirm availability before exam day |
| Endorser fails to confirm in the portal | Application stalls in “pending endorser” indefinitely | Brief your endorser on what to expect; follow up within five business days if they haven’t confirmed |
| Waiver credential removed in April 2026 | Waiver denied; application requires revision if experience total changes | Verify your credential is on the current approved list before building your experience calculation around it |
| Experience total falls short after review | Application denied or returned for re-documentation | Count your experience conservatively, including only full-time paid roles; do not count internships or part-time work at full weight |
| Slow response to ISC2’s additional-information request | Adds weeks per exchange | Check your portal and email daily during the review phase; respond within 48 hours of any ISC2 inquiry |
The Associate of ISC2 Path: If You Don’t Have Enough Experience Yet
If you pass the CISSP exam but do not yet have the required years of qualifying experience, you become an Associate of ISC2. This is not a consolation prize — it is a formal credential and a practical holding position.
- You have up to six years from your exam pass date to complete the experience requirement and obtain full CISSP certification.
- You are listed in ISC2’s directory as an Associate, which is verifiable by employers.
- The endorsement process is identical once you have accumulated sufficient experience — there is no separate path for Associates.
- Your exam result does not expire during the six-year window; you will not re-sit the exam if you complete your experience in time.
Associates who are actively building their experience should approach those years strategically. Read our piece on how to think like a manager in security roles — that framing accelerates not just exam performance but the kind of decision-making that gets you into roles that generate qualifying CISSP domain experience faster.
And regardless of where you are in the experience accumulation process, if you want to stay sharp on exam content while you wait, your 90-day study plan or a structured practice question routine keeps the knowledge active.
FAQ: CISSP Endorsement Process
How long does the CISSP endorsement process take?
The ISC2 review phase typically takes 4–8 weeks after you submit a complete application. End-to-end — from exam pass to certificate in hand — most candidates should budget 8–12 weeks, assuming they begin preparing their endorsement application promptly after passing.
Do I need to find my endorser before I pass the CISSP exam?
You do not have to, but you should. Reaching out before you pass means you are not scrambling after the fact. If you cannot find a personal contact, ISC2’s community forums are a reliable source of volunteers who endorse qualified candidates.
What causes the CISSP endorsement to be rejected or delayed?
The most common causes are vague experience descriptions that do not map to specific CISSP domains, experience that does not total the required years, gaps in employment documentation, and an endorser who is not in good standing with ISC2. Incomplete applications are returned for revision, adding weeks to your timeline.
What happens if I pass the CISSP exam but do not have enough experience yet?
You become an Associate of ISC2. You have up to six years from your exam pass date to accumulate the required work experience and complete the endorsement. You are listed as an ISC2 Associate — not a CISSP — but you have cleared the hardest part of the process.
Can I use a qualifying certification to reduce the experience requirement?
Yes. ISC2 maintains a list of credentials that waive one year of experience, reducing the requirement from five years to four. As of May 2026, that list includes CISM, SSCP, CCSP, CompTIA Security+, CySA+, CASP+, and select Cisco and cloud security credentials. Note that ISC2 revised the list on April 1, 2026, removing 31 credentials including CEH, CISA, and OSCP. Verify your credential against the current approved list before building your experience calculation around it.
Is the endorsement required if I already have the experience documented?
Yes. Documentation alone is not sufficient — an active ISC2 member must endorse your application regardless of how strong your experience record is. The endorser’s role is to attest to the accuracy of your documentation, not to add substantive evaluation. Without a valid endorser confirmation, ISC2 will not complete your review.