The Bottom Line Up Front
On April 1, 2026, ISC2 quietly cut the CISSP experience waiver list from roughly 50 certifications down to 25. CEH, CISA, CRISC, OSCP — gone. If you were building a cert path around any of those to shave a year off CISSP’s five-year experience requirement, that plan no longer works for new applications. The policy is already live, and it matters far more than most certification blogs are letting on.
This isn’t an exam content change. The eight domains, the question formats, the adaptive scoring — none of that moved. What changed is the gatekeeping around which professional certifications count as proof that you’ve been in the trenches. Here’s exactly what happened, who it hits, and how to adjust your roadmap.
What the CISSP Experience Waiver Actually Does (and Doesn’t Do)
The CISSP requires a minimum of five years of cumulative, full-time work experience across two or more of its eight domains. That’s the baseline, and it hasn’t changed. What has changed is how you can reduce that to four years.
ISC2 offers a one-year experience waiver if you hold a qualifying credential from their approved list. Key details that trip people up: you can’t stack a waiver certification and a degree to knock off two years. It’s one or the other. Full-time means at least 35 hours per week for four consecutive weeks. Part-time experience is converted at 1,040 hours for six months or 2,080 hours for 12 months of full-time credit. Both paid and unpaid internships qualify with proper documentation on official letterhead, according to ISC2’s official update.
The waiver doesn’t eliminate experience. It moves the target from five years to four. For professionals early in their security career, that single year can be the difference between applying now and waiting another twelve months. That’s precisely why the April 2026 cut matters.
The Cuts: 31 Certifications Removed
ISC2’s Standards and Practice team reviewed every certification on the waiver list against three criteria: a publicly available exam outline, ANAB ISO/IEC 17024 accreditation (or a proctored exam from a reputable organization), and at least 90% alignment with two or more CISSP domains. Anything that didn’t clear all three bars got removed, as Training Camp documented in their breakdown.
The headline removals that generated the most heat in the community:
- EC-Council CEH — probably the most widely held certification on the old list, and the one people are angriest about losing
- ISACA CISA — a staple for audit-focused security professionals
- ISACA CRISC — valued by risk management specialists
- OffSec OSCP and OSWE — the gold standard for penetration testers
- Microsoft AZ-500 (Azure Security Engineer) — commonly held by cloud security practitioners
- Cisco CyberOps — popular SOC analyst credential
- EC-Council CHFI and CND — forensics and network defense tracks
- GIAC certifications — most individual GIAC credentials were removed, with only GISF, GISP, GSLC, and GICSP surviving
- ISACA CIA (Certified Internal Auditor), ASIS CPP (Certified Protection Professional)
The full list of removals totals 31 credentials per DestCert’s analysis. The community reaction on r/cissp was blunt: ISC2 wants certifications that demonstrate security management breadth, not deep technical specialization in a single niche.
What’s Still on the List — And What’s New
The surviving 25 certifications skew heavily toward vendor-neutral security foundations and ISC2’s own ecosystem. Here’s the current approved list published on ISC2’s official requirements page:
| Certification | Provider | Why It Survived |
|---|---|---|
| CompTIA Security+ | CompTIA | Vendor-neutral, broad security fundamentals |
| CompTIA CySA+ | CompTIA | Security analytics and operations breadth |
| CompTIA CASP+ | CompTIA | Advanced security practitioner scope |
| CompTIA SecurityX | CompTIA | Newest CompTIA security cert, management-focused |
| CISM | ISACA | Security management aligned with CISSP domains |
| CCSP, SSCP, HCISPP, ISSAP, ISSEP, ISSMP, CSSLP, CGRC | ISC2 | ISC2’s own credentials |
| CCNA, CCNP Security, CCIE Security | Cisco | Network security breadth across domains |
| AWS Certified Security – Specialty | Amazon | Cloud security with broad coverage |
| Microsoft Certified Cybersecurity Architect | Microsoft | Architecture-level security scope |
| GISF, GISP, GSLC, GICSP | GIAC/SANS | Surviving GIAC certs with broad domain coverage |
| ZDTA, ZDTE, ZDXA | Zscaler | New additions for zero-trust/SASE environments |
Three things stand out. First, CompTIA’s entire security track survived intact — Security+ through SecurityX. If you’re building a CISSP path from scratch, CompTIA remains the safest bet for the waiver. Second, ISACA’s CISM survived while CISA and CRISC didn’t, which tells you ISC2 favors security management credentials over audit and risk specializations. Third, Zscaler’s three certifications are new additions, signaling that ISC2 is watching the zero-trust and SASE space carefully.
Who Gets Hit Hardest by This Change
This isn’t theoretical — it’s already affecting real people’s certification plans. Three groups need to pay attention right now:
Professionals holding removed certifications who haven’t applied yet. If you earned your CEH, CISA, or OSCP and were counting on it to get you to four years of experience, the clock ran out on April 1, 2026. Your certification is still valuable — it just doesn’t count for the CISSP waiver anymore. You now need either five years of documented experience, a qualifying degree, or a surviving certification from the new list, as cybersecurity consultant Mayur Pahwa detailed.
People currently studying for a removed certification as a CISSP stepping stone. If you’re halfway through CEH or OSCP training and the CISSP waiver was a key part of your plan, stop and reassess. Those are still excellent certifications for their respective domains — but they no longer serve as shortcuts to CISSP eligibility. Consider whether your time is better spent on Security+, CySA+, or SSCP instead.
Career advisors and training providers. The “get CEH then CISSP” pathway has been a standard recommendation for years. It’s now outdated, and anyone still giving that advice is doing their students a disservice. The updated pathway for CISSP-aspiring security professionals needs to reflect the new reality.
How to Adjust Your Certification Roadmap
If the waiver matters to your timeline — and for most early-career professionals, it does — here’s what actually makes sense now:
Start with CompTIA Security+. It survived the cut, it’s widely recognized, and it covers enough ground to serve as a legitimate security foundation. It also maps well to CISSP domains 1, 3, 4, and 7, making it genuine preparation rather than just a checkbox.
Add CySA+ or CASP+ if you want depth. Both remain on the approved list. CASP+ in particular is a substantial certification that covers enterprise-level security concepts, making it solid prep for CISSP-level thinking.
Consider ISC2’s own SSCP. This is the most intentional stepping stone to CISSP that exists. It’s ISC2’s entry-level security certification, it’s on the waiver list, and studying for it directly reinforces CISSP domain knowledge. It’s the most strategic pick if CISSP is your destination.
Don’t chase removed certifications solely for the waiver. CEH, OSCP, and CISA are all excellent in their own right. If you want CEH for penetration testing knowledge or CISA for audit skills, get them. But don’t expect them to help with CISSP eligibility anymore.
Document your experience meticulously. Whether you have four years with a waiver or need five without one, ISC2 will audit your experience claims. Track dates, roles, domains covered, and hours. Gather supervisor documentation early — endorsement processing can take weeks and you don’t want to be scrambling at the deadline.
The Bigger Picture: What ISC2 Is Really Doing
Beneath the surface, this isn’t just a housekeeping update. ISC2 is tightening the CISSP’s identity as a senior, management-oriented security certification. The CISSP has always been marketed as a “mile-wide, inch-deep” credential — it tests breadth across security domains, not penetration testing virtuosity or audit procedure mastery.
By removing CEH and OSCP, ISC2 is saying that deep technical offensive security skills don’t substitute for broad security management experience. By keeping CISM while cutting CISA and CRISC, they’re signaling that security management is more relevant than audit or risk specialization. By adding Zscaler certifications, they’re acknowledging that cloud-native security is now part of the management landscape.
The 90% domain alignment threshold is the key mechanism here. ISC2 wants waiver certifications to demonstrate competence across multiple CISSP domains, not just one. A certification focused entirely on ethical hacking or internal auditing, no matter how respected, simply doesn’t meet that bar. This is defensible from a standards perspective, even if it stings for the people who invested in those credentials.
Frequently Asked Questions
Does this change the CISSP exam itself?
No. The eight domains, question formats, and passing score are unchanged. This only affects which certifications can waive one year of the post-exam experience requirement. Your study plan doesn’t need to change at all, as Thor Pedersen confirmed on LinkedIn.
I passed the CISSP exam but haven’t submitted my endorsement yet. Which waiver list applies?
The cutoff is the application submission date, not the exam date. If you submit your certification application on or after April 1, 2026, the new reduced list applies. If you already submitted before that date, your application is evaluated under the old rules.
Can I still become an Associate of ISC2 without meeting the experience requirement?
Yes. Passing the CISSP exam without the full experience requirement earns you the Associate of ISC2 designation. You then have six years to accumulate the required experience and submit for full certification. The waiver list only matters when you’re ready to convert from Associate to full CISSP.
Will ISC2 add certifications back to the list in the future?
Possibly. ISC2 stated that organizations and candidates can request certifications be reviewed outside the regular maintenance cycle. If a removed certification updates its exam outline and accreditation to meet the new criteria, it could be reinstated. But don’t bank on this happening quickly — the review process isn’t instant.
Does a college degree still count for the waiver?
Yes. A post-secondary degree (Bachelor’s or Master’s) in computer science, IT, or a related field still qualifies for the one-year reduction. This pathway was not affected by the April 2026 changes. Remember, you can’t combine a degree waiver and a certification waiver — it’s one or the other.
References
- ISC2 Official: CISSP Experience Waiver Updates
- ISC2: CISSP Experience Requirements and Approved Waiver List
- Training Camp: ISC2 Cuts CISSP Experience Waiver List in Half
- DestCert: CISSP Experience Waiver 2026 — What ISC2 Just Changed
- ISC2 Community: CISSP Experience Waiver Changes Coming April 2026
- Reddit r/cissp: CISSP Waiver List to Exclude 31 Certifications
- Mayur Pahwa: Heads Up — Your CISSP Short-Cut Might Be Expiring