ISC2 Cuts CISSP Experience Waiver List in Half — CEH, CISA, OSCP Removed April 2026
ISC2 just dropped a policy bomb that’s going to reshape how thousands of security professionals plan their certification roadmap. Starting April 1, 2026, the organization is cutting its CISSP experience waiver list from roughly 50 certifications down to 25. And it’s not trimming the fat: ISC2 is removing heavyweights like CEH, CISA, CRISC, and OSCP.
What Happened
ISC2 announced it’s streamlining which certifications qualify candidates for a one-year reduction in the CISSP’s five-year work experience requirement. The current list includes approximately 50 certifications from vendors like EC-Council, ISACA, Offensive Security, and GIAC. That’s getting slashed to 25.
The removals hit hard. EC-Council’s Certified Ethical Hacker (CEH)? Gone. ISACA’s CISA and CRISC? Both cut. Offensive Security’s OSCP, a certification many penetration testers consider essential? Not on the new list. Most GIAC certifications didn’t make the cut either.
Critical deadline: Applications submitted before April 1, 2026 can still use the current, longer waiver list. After that date, only the reduced list applies.
What’s Still on the List
ISC2 kept certifications that align more directly with CISSP’s generalist security management focus. The survivors include:
- CompTIA Security+, CySA+, and CASP+
- Cisco CCNA Security and CCNP Security
- ISC2’s own CCSP and SSCP
- ISACA CISM (notably, CISM survived while CISA didn’t)
- Microsoft Certified: Security Administrator Associate
- Select AWS and Azure security certifications
The four-year college degree waiver remains unchanged. So does the overall five-year experience requirement itself — this change only affects which certifications can shave one year off that timeline.
Who Gets Hit Hardest
This impacts three groups directly. First, security professionals who already hold a removed certification and planned to use it for CISSP eligibility. You’ve got until April 2026 to submit your application using the current rules.
Second, people currently pursuing certifications specifically as stepping stones to CISSP. If you’re halfway through CEH or OSCP training and your main goal was the experience waiver, you need to reassess. Fast.
Reality check: If you’re studying for a removed certification solely for the CISSP waiver, you’re now on a countdown clock. Submit your CISSP application before April 1, 2026, or that waiver value disappears.
Third, training organizations and career advisors who’ve been recommending certification pathways that no longer work. The traditional “get CEH, then CISSP” progression just got disrupted.
What You Should Do Now
If You Hold a Removed Certification
- Review your work experience now — can you document five years (or four with the waiver)?
- If you’re close but not quite there, plan to submit your application before April 1, 2026
- Don’t wait until March 2026 to start gathering documentation — endorsement can take weeks
If You’re Planning Your Certification Path
- Pivot to certifications that still qualify: Security+, CySA+, or CASP+ from CompTIA remain solid choices
- Consider ISC2’s SSCP as an intentional stepping stone — it’s their entry-level cert and still qualifies
- Reevaluate whether the one-year waiver matters for your timeline at all
If You’re Currently in CISSP Training
- This doesn’t change the exam content or difficulty
- It might change whether you can apply as an Associate of ISC2 versus full member
- Focus on passing the exam — the experience requirement is a post-exam concern
The Certification Connection
CISSP Domain 1: Security and Risk Management
This policy change directly impacts how candidates qualify for CISSP certification. Domain 1 covers governance, compliance, and professional ethics — including understanding certification requirements and career development planning. Professionals studying for CISSP need to understand not just technical domains but also the evolving landscape of professional requirements and credentialing pathways. Training Camp’s CISSP bootcamp covers these career planning considerations alongside the eight CISSP domains, helping candidates navigate both the exam and the certification process itself.
CompTIA Security+ Career Pathway Value
Security+ just became more valuable as a CISSP prerequisite. It’s one of the few vendor-neutral certifications that survived the cut, and it’s often the first security certification professionals pursue. This policy change reinforces Security+’s position as a foundational stepping stone in cybersecurity careers. It’s also significantly more accessible than CISSP for early-career professionals. Training Camp’s CompTIA Security+ bootcamp provides accelerated preparation for candidates who need this certification as part of a broader career strategy.
CCSP ISC2 Ecosystem
CCSP remains on the approved list because it’s ISC2’s own cloud security certification. This reveals part of ISC2’s strategy: they’re keeping their internal certification pathway intact while trimming competitor certifications. For cloud security professionals, CCSP serves double duty as both a specialized cloud credential and a CISSP experience waiver. That combination makes it strategically valuable for security architects working in cloud environments.
Why ISC2 Is Doing This
ISC2 hasn’t published a detailed rationale, but the pattern is clear. They’re tightening alignment between waiver certifications and CISSP’s generalist security management focus.
CEH is a hands-on penetration testing certification. OSCP is even more technical and offensive-focused. CISA emphasizes audit and assurance. These don’t map cleanly to CISSP’s eight domains, which span everything from security architecture to business continuity to legal and regulatory issues.
The certifications that survived lean more toward broad security knowledge rather than specialized technical skills. Security+ covers foundational security concepts across multiple domains. CISM focuses on information security governance and program management. CCSP aligns with CISSP but adds cloud-specific knowledge.
Translation: ISC2 is signaling that CISSP is a management and architecture certification, not a technical penetration testing or audit credential. If your background is purely offensive security or audit, you’ll need to meet the five-year experience requirement the old-fashioned way: by actually working five years in broad security roles.
The Bigger Picture
This isn’t just administrative housekeeping. It’s part of a broader trend where certification bodies are getting more selective about prerequisites and experience validation. ISACA has tightened CISM requirements. Offensive Security has strict experience standards for OSCP. Now ISC2 is raising the bar for who gets shortcuts into CISSP.
The cybersecurity skills shortage is real, but certification bodies are simultaneously trying to maintain credential value and rigor. That creates tension. More people need cybersecurity skills, but dumbing down flagship certifications isn’t the answer. Instead, organizations like ISC2 are clarifying prerequisite pathways and enforcing experience requirements more strictly.
For individual professionals, this means certification planning requires more strategic thinking. You can’t just collect alphabet soup and assume it all stacks toward advanced certifications. Each credential needs to serve a specific purpose in your career progression, and you need to understand how certification bodies view relationships between their various programs.
Bottom line: If you hold one of the removed certifications and want to leverage it for CISSP, you’ve got until April 1, 2026. That sounds like plenty of time, but documentation, endorsement, and application processing can eat into that window. Don’t procrastinate. And if you’re planning your certification roadmap, focus on Security+, CySA+, or SSCP as proven stepping stones that aren’t going anywhere. Training Camp’s CISSP bootcamp maintains 94-99% pass rates specifically because we help candidates understand not just the exam content but the entire certification process — including navigating eligibility requirements and application timing.