In December 2025, ISC2 quietly posted an announcement in its community forum: effective April 1, 2026, the list of certifications that qualify for the CISSP experience waiver will be reduced from approximately 50 credentials down to 25. That's 31 certifications removed in one policy update — including some of the most widely held credentials in cybersecurity.
The certifications being removed include the CEH (Certified Ethical Hacker), CISA (Certified Information Systems Auditor), CRISC, and OSCP — credentials held by hundreds of thousands of security professionals. If you were counting on one of these to waive a year of your CISSP experience requirement, your window is closing fast.
This guide covers everything: what the waiver is, exactly which credentials survive and which don't, and a specific action plan based on the credentials you hold right now.
📋 Table of Contents
- What Is the CISSP Experience Waiver?
- What's Changing on April 1, 2026
- What Survived vs. What Was Removed
- Why Some Certs Survived and Others Didn't
- Your Action Plan Based on What You Hold
- How to Submit the CISSP Experience Application
- What Counts as Qualifying CISSP Experience
- Frequently Asked Questions
What Is the CISSP Experience Waiver?
The standard CISSP certification requires candidates to have five years of cumulative, paid, full-time work experience in at least two of the eight CISSP domains. For many working security professionals, this is the only real barrier — the exam is passable with focused study, but five years of documented experience takes time.
ISC2 offers one mechanism to reduce this requirement: if you already hold a certification from their approved list, you can waive one year of the experience requirement, reducing it from five years to four.
The reduction is one year only, regardless of how many qualifying credentials you hold or whether you also hold a qualifying college degree. The maximum reduction is always one year. You still need to document the remaining four years of relevant work experience.
The waiver applies during the endorsement and application process, not the exam itself. You can sit the CISSP exam without the required experience — if you pass, you become an Associate of ISC2 with up to six years to accumulate the qualifying experience. The waiver reduces your target during that window.
For candidates who pass the exam with less than four years of experience on hand, the waiver means one fewer year of waiting. For those hovering right at the four-year mark, it can mean being eligible immediately rather than waiting another year.
What's Changing on April 1, 2026
ISC2 announced the change on December 6, 2025 via their community forum, framing it as an effort to ensure the waiver reflects directly relevant security management experience. The organization's stated position: a credential that demonstrates broad security governance thinking is a valid proxy for a year of hands-on experience; a specialist technical certification is not.
The result is a dramatically shorter list. Broad-scope certifications at the management and governance level survived. Technical specialist credentials — even well-regarded ones — were largely cut.
Applications submitted to ISC2 before April 1, 2026 can use the current, expanded waiver list. Applications received on or after April 1 are subject to the new reduced list only. There is no grace period for applications in transit — date of receipt matters.
The endorsement and review process takes four to eight weeks. If you're planning to submit before April 1 using a credential that's being removed, you should be submitting now — not in two weeks. Applications submitted in mid-to-late March may not be fully processed before the deadline.
What Survived vs. What Was Removed
Here is the complete breakdown of key certifications on each side of the April 1 policy change:
✅ Still Qualifies After April 1
- ISACA CISM
- ISC2 SSCP
- ISC2 CCSP
- CompTIA Security+
- CompTIA CySA+
- CompTIA CASP+ / SecurityX
- Cisco CCNA Security
- Cisco CCNP Security
- Cisco CCIE Security
- Microsoft Security Assoc. (SC-200)
- Microsoft Identity & Access (SC-300)
- AWS Security Specialty
- Google Professional Cloud Security
❌ Removed After April 1
- ISACA CISA
- ISACA CRISC
- EC-Council CEH (all versions)
- Offensive Security OSCP
- Offensive Security OSCE / OSEP
- GIAC GCIH, GCFA, GSEC, GCIA
- GIAC GCED, GCTI, GSTRT, GSNA
- Microsoft AZ-500
- Cisco CyberOps Assoc / Pro
- INE eCPPT, eJPT
- CSA CCSK
- CIA (Certified Internal Auditor)
- CPP (ASIS Certified Protection Professional)
Note that ISC2's own certifications (SSCP, CCSP) remain on the list — this is consistent with their ecosystem logic. CISM also survived, while CISA and CRISC did not. Among GIAC certifications, nearly all were cut. The CompTIA track remained largely intact. Cloud security certifications from AWS and Google survived; some Microsoft certs did as well (SC-200, SC-300) while others did not (AZ-500).
Why Some Certs Survived and Others Didn't
The pattern across ISC2's revised list reveals a clear philosophy: certifications that demonstrate broad security governance and management thinking qualified; certifications that validate deep technical skills in a narrow domain did not.
Why CISM survived but CISA and CRISC didn't
This is the most surprising cut for many security professionals. All three are ISACA credentials, all three are rigorous. But they test fundamentally different things:
- CISM covers Information Security Governance, Risk Management, Program Development and Management, and Incident Management — a scope that maps almost directly onto CISSP's management and governance themes. ISC2 considers CISM a genuine proxy for security management experience.
- CISA focuses on auditing, control, and assurance — verifying that security controls exist rather than building and managing the programs that create them. The ISC2 view: audit expertise doesn't substitute for a year of security management experience.
- CRISC is a specialist credential in IT risk identification and control. Valuable, but narrower in scope than CISSP's eight-domain breadth.
Why CEH was cut
CEH is an offensive security credential — it teaches candidates how attackers think and operate. That's useful knowledge, but it's technical specialization, not the broad governance and management competency CISSP is designed to test. ISC2's argument: knowing how to perform a penetration test doesn't substitute for a year of experience managing security programs.
Why OSCP and most GIAC certs were cut
Same logic applied more broadly. OSCP, GIAC's various certifications (GCIH, GCFA, GSEC, GCIA), and similar credentials go deep on technical security operations. They represent real expertise, but in highly specialized areas. CISSP is a management-level exam that rewards breadth over depth — holding a specialist cert doesn't demonstrate the breadth required.
Why CompTIA survived
CompTIA Security+, CySA+, and CASP+/SecurityX all survived. Security+ is specifically a broad-baseline certification that covers exactly the kinds of foundational domains CISSP tests. CySA+ adds analyst-level breadth. CASP+ is explicitly a management-level technical certification. These align well with the philosophy behind the waiver — broad security knowledge rather than technical depth.
If your credential proves you think broadly about security programs, governance, and risk — it survived. If it proves you're excellent at one specific technical thing — it probably didn't.
Your Action Plan Based on What You Hold
Here's exactly what to do depending on which credentials you currently hold:
🟢 You hold CISM, CCSP, SSCP, or CompTIA CASP+/CySA+/Security+
No immediate deadline pressure. Your credential survives the April 1 change. You can submit your CISSP experience application at any time — before or after April 1 — and the waiver will apply.
What to do: Calculate your experience timeline now. If you have four or more years of qualifying experience across two or more CISSP domains, there's no reason to wait. Start the application process.
If you hold CISM specifically, see our detailed guide at CISM.app → CISSP Waiver Guide for a full walkthrough of using CISM to fast-track CISSP.
🔴 You hold CEH, CISA, CRISC, OSCP, or any GIAC certification
Act immediately. If you want to use one of these credentials for the CISSP experience waiver, you must submit a completed application to ISC2 before April 1, 2026. That means you need your experience documented, an endorser lined up, and your application in ISC2's system now — not in two weeks.
The endorsement process alone takes time. Reach out to your endorser today. If you haven't already passed the CISSP exam, note that you can still apply as an Associate of ISC2 after the exam and use the legacy waiver list if your application was submitted before April 1.
🟡 You hold CISA or CRISC but also CISM
You're fine after April 1 — CISM survives. Multiple qualifying credentials don't stack (the waiver is always one year maximum), so you'd use CISM as your waiver credential. The removal of CISA/CRISC from the list doesn't change your outcome.
⚪ You hold no qualifying certification
You have two paths: (1) pursue a certification that qualifies — CISM, CompTIA Security+, or CCSP are all attainable within a reasonable timeframe; (2) document five full years of qualifying work experience without a waiver. There's no April 1 urgency for you — the waiver you don't have can't be removed.
How to Submit the CISSP Experience Application
The experience application process is separate from the CISSP exam itself. Here's how it works:
Step 1: Pass the CISSP exam (or become an Associate)
The exam is the gateway. You can pass the exam first and then accumulate experience — if you pass without sufficient experience, you become an Associate of ISC2 with six years to earn full certification. Alternatively, if you already have the years, you can document experience first and apply for full membership once you pass. Either path works.
Step 2: Document your qualifying experience
ISC2 requires detailed work history: employer name, dates of employment, job title, and a description of your specific responsibilities mapped to the CISSP domains. Your experience must cover at least two of the eight domains. Be specific — vague descriptions ("worked on security projects") don't pass review; detailed descriptions of actual responsibilities do.
With a qualifying certification waiver, you need to document four years of qualifying experience instead of five. Without a waiver, you need five.
Step 3: Secure an endorser
Your endorser must be an active ISC2-certified professional (CISSP, SSCP, CAP, CCSP, CSSLP, or CGRC) who can attest that your documented experience is accurate. If you don't know anyone with these credentials personally, the ISC2 community forum is a good place to ask — experienced professionals regularly volunteer to endorse qualified candidates they've never met, provided the documentation is solid.
Step 4: Submit your application with the waiver credential
In the ISC2 candidate portal, include your qualifying certification details when submitting your experience documentation. ISC2 will verify the credential against their approved list as of your application date — this is why applications submitted before April 1 can use the current expanded list even if the cert is being removed.
Step 5: Await review (4–8 weeks)
ISC2 reviews applications manually. The process typically takes four to eight weeks. If your documentation is complete and detailed, it usually goes smoothly. Incomplete or vague applications generate follow-up requests that extend the timeline.
Don't wait until March 25 to start this process. ISC2 measures the application date, not the date your endorser submits. Start your documentation and reach out to endorsers this week.
What Counts as Qualifying CISSP Experience
Not all security work counts equally toward the CISSP experience requirement. ISC2 specifies that your experience must be paid, full-time work in at least two of the eight CISSP domains. Part-time work, volunteer work, and internships are credited at reduced rates under ISC2's policy.
The eight CISSP domains and examples of qualifying experience:
- Domain 1 — Security and Risk Management: Risk assessments, security policy development, compliance management, business continuity planning, legal and regulatory compliance work
- Domain 2 — Asset Security: Data classification programs, data lifecycle management, retention and destruction policy, privacy program management
- Domain 3 — Security Architecture and Engineering: Security architecture design, cryptographic implementation, system and network hardening, secure design reviews
- Domain 4 — Communication and Network Security: Network security design, firewall management, VPN administration, secure network architecture work
- Domain 5 — Identity and Access Management: IAM program management, identity governance, privileged access management, authentication system administration
- Domain 6 — Security Assessment and Testing: Vulnerability assessments, penetration testing (yes, offensive security work counts here), security audits, control testing
- Domain 7 — Security Operations: SOC operations, incident response, SIEM management, forensics, log analysis, patch management
- Domain 8 — Software Development Security: Secure SDLC implementation, code review, application security testing, DevSecOps program management
Most security professionals working in mid-to-senior roles accumulate experience across multiple domains naturally. If you've been in security operations, you likely have Domain 7 covered and elements of Domains 1, 4, and 5. If you've been in risk or compliance, Domains 1 and 2 are likely strong. If you hold CISM, your governance and risk management work maps directly to Domains 1 and 2.
Document each domain separately in your application. ISC2 reviewers look at each domain's documentation independently — more detail is always better.
Frequently Asked Questions
Can I use a degree AND a qualifying certification to waive two years?
No. The maximum waiver is one year, regardless of credentials held. A four-year CS degree + CISM + CompTIA Security+ = still one year waived. The reduction is always five years down to four.
I passed the CISSP but I'm still an Associate. Does the waiver apply?
Yes. Associates of ISC2 can use qualifying credentials to reduce their experience requirement to four years. The waiver applies to your path to full CISSP membership, not to the exam itself. Your credential is evaluated against the list in effect at the time you submit your experience application.
If I submit before April 1 using a cert that's being removed, is my application locked in?
Your waiver claim is evaluated against the approved list in effect when ISC2 receives your application. Applications submitted before April 1 are processed against the current expanded list. ISC2 retains discretion in edge cases, but the evaluation date is the date of receipt: if your application arrives on March 31 and takes eight weeks to process, the waiver is still assessed against the list as it stood on March 31. When in doubt, submit as early as possible.
My CEH was cut. If I also have Security+, am I still eligible?
Yes. CompTIA Security+ is on the surviving list. You can use Security+ as your waiver credential, and the one-year reduction applies exactly the same way. You don't need to rush anything — Security+ gives you the waiver before and after April 1.
Does the change affect CCSP certification requirements too?
The April 2026 change is specific to the CISSP experience waiver list. CCSP has its own experience requirements (five years of IT experience, three years in information security, one year in one of the six CCSP domains). These are not affected by this update. See CCSP.app for the full CCSP certification guide.
How do I verify which certifications currently qualify?
ISC2's official "Certification Requirements" page maintains the current approved list. Before submitting your application, confirm your credential against the official ISC2 list — not third-party summaries (including this one). Policy details can update between when this article was written and when you submit.
Can I get CISM before April 1 to use as a waiver instead?
In theory, if you passed the CISM exam before April 1 and obtained your certification before submitting your CISSP application, you could use it as a waiver credential. In practice, CISM requires five years of work experience in information security management (with some waivers for degree holders), so it isn't a quick path to a waiver credential. If you're already CISM-eligible, focus on getting CISM first — it's an excellent CISSP waiver credential and a high-value certification on its own.
CISSP.app Blog