On April 1, 2026, ISC2 is quietly reshaping the CISSP certification landscape. The organization is cutting its experience waiver list from roughly 50 approved credentials down to just 25 — removing CEH, CISA, CRISC, OSCP, and most GIAC certifications in a single policy update.
If you hold CISM, there's good news: ISACA's CISM survived the cut. You can still use your CISM certification to waive one year of CISSP's five-year experience requirement — both before and after April 1.
If you hold CISA or CRISC alongside CISM, you need to read this more carefully. Those ISACA credentials are being removed, and the clock is ticking.
What Is the CISSP Experience Waiver?
CISSP requires candidates to demonstrate five years of cumulative, paid, full-time work experience in at least two of the eight CISSP domains. For many security professionals, that five-year bar is the only thing standing between them and the certification.
ISC2 offers one path to reduce that requirement by one year: hold an approved credential from their published list. The logic is straightforward — if you've already passed a recognized security certification, you've demonstrated a baseline of knowledge that partially substitutes for a year of hands-on experience.
The alternative waiver path — holding a four-year college degree in computer science, IT, or a related field — remains unchanged by the April 2026 policy update. This article focuses specifically on the certification-based waiver.
The waiver is particularly valuable for security professionals who passed the CISSP exam but need to accumulate experience. If you've already passed the exam, you become an Associate of ISC2 and have up to six years to earn your full certification. The waiver means you only need four years of documented experience instead of five.
What's Changing on April 1, 2026
ISC2 announced in December 2025 that it's significantly tightening the list of credentials that qualify for the CISSP experience waiver. The approved list, which currently includes approximately 50 certifications across vendors like ISACA, EC-Council, GIAC, CompTIA, Cisco, and others, is being reduced to 25 certifications.
That's 31 certifications removed in a single policy update.
ISC2 framed the change as an effort to ensure candidates have directly relevant security management experience, rather than specialized technical skills that may not translate to CISSP's broad, governance-focused scope. The certifications that survived the cut tend to reflect strategic and management-level thinking — exactly what CISSP tests.
For CISM holders specifically, the news is straightforwardly positive: CISM remains on the approved list after April 1. Your path to CISSP via the experience waiver remains intact with no deadline pressure.
Why CISM Made the Cut (And CISA Didn't)
The removal of ISACA certifications is the most surprising element of this change. ISACA is a respected standards body, and its credentials represent substantial professional investment. Yet ISC2 cut two of the three ISACA certifications from the waiver list:
- CISM (Certified Information Security Manager) — ✅ Survived
- CISA (Certified Information Systems Auditor) — ❌ Removed
- CRISC (Certified in Risk and Information Systems Control) — ❌ Removed
The distinction makes sense when you look at what each credential actually tests.
Why CISM survived
CISM is fundamentally a security management certification. Its four domains — Information Security Governance, Information Security Risk Management, Information Security Program Development and Management, and Incident Management — map closely to how CISSP approaches security at the managerial level.
Both CISM and CISSP reward candidates who think like CISOs: setting strategy, managing programs, aligning security with business objectives, and making governance decisions. A CISM holder has demonstrated exactly the kind of broad security management thinking that ISC2 wants to see from a CISSP candidate.
Why CISA was removed
CISA (Certified Information Systems Auditor) focuses on auditing, control, and assurance. CISA professionals are expert reviewers and assessors of security systems — but the credential is primarily about verifying that controls exist, not managing the programs that create them. ISC2's position is that audit expertise, while valuable, doesn't demonstrate the security management breadth that CISSP requires.
Why CRISC was removed
CRISC (Certified in Risk and Information Systems Control) is a specialist credential. It goes deep on IT risk identification, assessment, and control — but it's narrower in scope than either CISM or CISSP. ISC2 appears to have concluded that risk specialization alone doesn't substitute for a year of security management experience.
The Full Picture: What's In and What's Out
Here's a summary of the key credentials on each side of the April 1 cutoff:
✅ Still Qualifies After April 1
- ISACA CISM
- ISC2 SSCP
- ISC2 CCSP
- CompTIA Security+
- CompTIA CySA+
- CompTIA CASP+ / SecurityX
- Cisco CCNA Security
- Cisco CCNP Security
- Microsoft Security Administrator Assoc.
- Select AWS/Azure security certs
❌ Removed After April 1
- ISACA CISA
- ISACA CRISC
- EC-Council CEH
- Offensive Security OSCP / OSCE
- GIAC GCIH, GCFA, GSEC, GCIA
- GIAC GCED, GCTI, GSTRT, GSNA
- Microsoft AZ-500
- Cisco CyberOps Assoc/Pro
- INE eCPPT, eJPT
- CSA CCSK, CIA, IRCA Auditor
The pattern is clear: certifications that demonstrate broad security management and governance knowledge survived. Certifications that go deep on technical skills, audit, or specialist risk were removed. CISM sits squarely in the "survived" category.
Notably, ISC2's own certifications (SSCP, CCSP) naturally remain on the list. If you're already in the ISC2 ecosystem, your credentials are safe.
What This Means If You Hold CISM
If CISM is your primary credential and you're working toward CISSP, the April 1 changes don't create any urgency for you specifically. Your waiver eligibility is intact both before and after the deadline.
However, there are several things worth calculating right now:
Check your experience timeline
The CISSP experience waiver reduces your requirement from five years to four. The key question is how much documented, paid, full-time security experience you can claim across two or more of the eight CISSP domains.
- If you have 4+ years: You're eligible now. Start the application process — don't wait.
- If you have 3+ years: You need one more year. The CISM waiver means you don't need to wait until year five.
- If you have under 3 years: The waiver doesn't accelerate you significantly yet, but plan your path accordingly.
If you also hold CISA or CRISC
Multiple qualifying credentials don't stack — the waiver is always one year maximum, regardless of how many you hold. However, if you were planning to use CISA or CRISC as your primary waiver credential and CISM is a secondary cert, be aware that after April 1, only CISM will carry waiver value.
The endorsement timeline is real
The CISSP application process isn't instant. After you pass the exam, an ISC2 member must endorse your application, and ISC2 reviews it. The entire process can take four to eight weeks. If you're targeting the April 1 deadline for an at-risk credential, you should have already started. If you're using CISM — which survives — you have flexibility on timing.
How to Use Your CISM Waiver for CISSP
Here's the practical step-by-step for CISM holders pursuing CISSP with the experience waiver:
Step 1: Pass the CISSP exam
The experience waiver doesn't affect exam eligibility — it affects how much experience you need to submit for full certification after passing. You can sit for the CISSP exam without the required experience; if you pass, you become an Associate of ISC2 and have up to six years to earn the experience. Alternatively, you can document experience first and apply for full membership after passing.
Step 2: Document your security experience
ISC2 requires detailed documentation of your work experience — employer name, dates, job title, and a description of your duties mapped to CISSP domains. Your experience must be in two or more of the eight CISSP domains. With a CISM waiver, you need to document four years (rather than five) of qualifying experience.
Step 3: Find an endorser
Your endorser must be an active ISC2-certified professional (CISSP, SSCP, CAP, CCSP, or CSSLP) who can attest to your work experience. Reach out to colleagues, LinkedIn connections, or the ISC2 community — most experienced security professionals are willing to endorse qualified candidates.
Step 4: Submit your application
Submit your application through the ISC2 candidate portal. Include your CISM certification details as the qualifying credential for the experience waiver. ISC2 will verify the credential and review your experience documentation.
Step 5: Complete annual CPE requirements
Once certified, CISSP requires 120 CPE credits over each three-year certification cycle and payment of the Annual Maintenance Fee (AMF). Conveniently, your CISM CPE credits may partially count toward CISSP maintenance — check ISC2's guidelines for cross-credit eligibility.
CISM to CISSP: Your Fast Track
For security managers who already hold CISM, CISSP represents a natural and high-value next step. The two certifications are complementary rather than redundant — and together they represent one of the most powerful credential combinations in information security.
Why CISM holders have an advantage in CISSP prep
CISM's four domains overlap substantially with CISSP's eight domains. When you study for CISSP as a CISM holder, you're not starting from scratch on governance, risk management, or security program concepts — you're deepening and broadening knowledge you already have.
CISM → CISSP Domain Overlap
- Information Security Governance: maps directly to CISSP Domain 1 (Security & Risk Management) and elements of Domain 7 (Security Operations)
- Information Security Risk Management: strong overlap with CISSP Domain 1 risk management topics
- Information Security Program Development and Management: covers CISSP security management concepts across multiple domains
- Incident Management: maps to CISSP Domain 7 (Security Operations) and BCP/DRP topics in Domain 1
Where CISSP expands beyond CISM: technical topics like cryptography (Domain 3), network security (Domain 4), application security (Domain 8), and physical security (Domain 3 / Domain 7). CISM holders typically need to add depth in these technical areas, but the management and governance foundation is solid.
Career value of CISM + CISSP
Holding both credentials signals to employers that you can manage security programs and understand the technical architecture underlying them. CISM demonstrates management-level thinking; CISSP demonstrates broad technical and governance coverage. Together, they're the standard credential combination for CISO-track professionals.
Salary data consistently shows that CISSP is one of the highest-paying certifications in IT, with average salaries ranging from $110,000 to $160,000+ depending on location and seniority. Adding CISSP to a CISM resume typically yields a meaningful compensation increase — the combination is particularly valued at Director, VP, and CISO levels.
Frequently Asked Questions
Can I use both CISM and a college degree to waive two years?
No. The CISSP experience waiver caps at one year regardless of how many qualifying credentials or degrees you hold. You can hold CISM, CCSP, and a CS degree, and the maximum reduction is still one year — bringing the requirement from five years to four.
Does the waiver apply if I haven't passed the CISSP exam yet?
Yes. You can use the experience waiver when submitting your experience documentation to ISC2, whether you're applying for full membership after passing the exam or documenting your experience as part of the endorsement process. The waiver isn't exam-stage-specific.
I hold CISA but not CISM. What are my options after April 1?
After April 1, 2026, CISA will no longer qualify for the CISSP experience waiver. You have three options: (1) submit your CISSP application before April 1 using CISA on the current list; (2) pursue CISM, which does qualify; (3) document five full years of qualifying experience without a waiver.
How long does CISSP endorsement take?
The endorsement and review process typically takes four to eight weeks. If you're targeting the April 1 deadline for a cert that's being removed, you should begin the process immediately — there's no guarantee that applications submitted in late March will be processed before the deadline.
If I pass CISSP now, can I use my CISM waiver retroactively?
When you pass the CISSP exam without sufficient experience, you become an Associate of ISC2. You then have up to six years to accumulate and document the required experience. Your CISM waiver remains valid throughout that period — it reduces your target from five years to four years from whenever you earned your qualifying experience.
Does CISM help prepare me for the CISSP exam itself?
Yes, significantly. CISM's governance, risk management, and security program management content overlaps substantially with CISSP Domain 1 (Security & Risk Management). CISM holders typically need to focus additional study time on CISSP's technical domains (cryptography, network security, application security), but the management foundations are a head start. See our guide on CISM vs CISSP for a full comparison.
Is CCSP also on the surviving CISSP waiver list?
Yes. ISC2's own CCSP (Certified Cloud Security Professional) certification is on the surviving list. If you hold CCSP and are pursuing CISSP, your waiver eligibility is unaffected by the April 1 changes. For more on CCSP, see CCSP.app.