If you were banking on your CEH, CISA, CRISC or OSCP to knock a year off the CISSP experience requirement, there is news you need to act on. As of 1 April 2026, ISC2 has cut the CISSP experience waiver list roughly in half, from around 50 approved credentials down to about 25, and several heavyweight certifications did not survive the cull.
The short answer to the question in the title is this: CEH, CISA, CRISC and OSCP no longer count towards the CISSP experience waiver for applications submitted on or after 1 April 2026. If your application went in before that date, the old list still governs your case. Below we break down exactly what changed, which certifications still earn you a year, and what to do if yours was removed.
Quick answer: The CISSP experience waiver lets one approved credential reduce the five-year work experience requirement by a single year. From 1 April 2026, CEH, CISA, CRISC, OSCP and most GIAC certifications are no longer on that approved list.
How the CISSP Experience Requirement Actually Works
Before we get to the waiver, it helps to be clear on what you are waiving against. The CISSP is not an entry-level exam, and the experience rule is where most candidates trip up.
To earn the full CISSP certification, you need a minimum of five years of cumulative, paid, full-time work experience in two or more of the eight domains of the current CISSP exam outline. Those eight domains are:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
Part-time work and internships can count on a pro-rata basis, and the experience does not have to be consecutive. What matters is that, taken together, it is genuine, paid security work covering at least two of those domains; the two-domain requirement applies to your experience as a whole, not to each individual role.
Exam Tip: You can sit and pass the CISSP exam before you have the experience. If you pass without the five years, you become an Associate of ISC2 and have six years to earn the required experience.
What the Experience Waiver Is (and Why It Only Ever Removes One Year)
The experience waiver is a one-year discount, and one year is the maximum no matter how many qualifying items you hold. You can satisfy that single year in one of two ways:
- A relevant post-secondary degree. A four-year bachelor's degree (or regional equivalent, or a master's) in computer science, information technology or a related field waives one year.
- One approved additional credential. Holding a certification from the ISC2 approved list waives one year.
Here is the catch that surprises people: you cannot stack them. A degree plus an approved certification still only removes one year, not two. So for a candidate who holds either a qualifying degree or an approved credential, the practical requirement becomes four years of experience instead of five, and the waiver list change decides whether your certification can be the thing that buys that year.
Exam Tip: The four-year degree waiver was not touched in the April 2026 update. If you hold a qualifying degree, your one-year reduction is safe regardless of which certifications were removed.
What Changed on 1 April 2026
ISC2 reviewed and trimmed the list of additional credentials that qualify for the one-year waiver. The list dropped from roughly 50 certifications to around 25. The stated aim was to keep only credentials that demonstrate security knowledge closely aligned to the CISSP domains.
The removals are the part that stings, because they include some of the most popular certifications in the industry.
Certifications Removed From the Waiver List
- EC-Council CEH (Certified Ethical Hacker)
- ISACA CISA (Certified Information Systems Auditor)
- ISACA CRISC (Certified in Risk and Information Systems Control)
- OffSec OSCP (Offensive Security Certified Professional)
- Most GIAC certifications, with only four exceptions retained (see below)
If you hold one of these and you have not yet submitted your CISSP application, the credential no longer trims a year. To get the one-year reduction you will need either a qualifying degree or a different approved certification; otherwise the full five years of experience applies.
Which Certifications Still Count Towards the CISSP Waiver
Plenty of strong credentials survived the cut. If you hold any of these, you can still use one of them for the one-year waiver on a post-April 2026 application.
| Vendor | Certifications that still qualify |
|---|---|
| ISC2 | SSCP, CCSP, CGRC, CSSLP, HCISPP, and the concentrations ISSAP, ISSEP, ISSMP |
| CompTIA | Security+, CySA+, CASP+ / SecurityX |
| ISACA | CISM (CISA and CRISC removed) |
| Cisco | CCNA, CCNP Security, CCIE Security |
| AWS | Certified Security - Specialty |
| Microsoft | Cybersecurity Architect Expert |
| GIAC | GICSP, GISF, GISP, GSLC only |
| Zscaler | ZDTA, ZDTE, ZDXA (added in 2026) |
The pattern is clear. ISC2's own credentials and the broad, governance-or-architecture-leaning certifications stayed. Several narrowly offensive or audit-specific certifications came off. CompTIA's security track came through fully intact, which matters for the large number of candidates who build towards CISSP from Security+ and CySA+.
Exam Tip: CompTIA Security+, CySA+ and SecurityX all remain on the approved list. If you are early in your journey, a CompTIA security certification is now one of the most reliable ways to lock in the CISSP waiver year.
The Deadline Detail That Decides Your Case
The change is not retroactive, and the cut-off date is everything.
- Applications submitted before 1 April 2026 are governed by the old, longer list. If your CEH, CISA, CRISC or OSCP application was already in, it still counts.
- Applications submitted on or after 1 April 2026 use the new, shorter list. A removed credential no longer waives a year.
Because that date has passed, any new endorsement application falls under the new rules. There is no grace period for submitting a removed credential after the cut-off.
What To Do If Your Certification Was Removed
Losing the waiver does not block you from the CISSP. It only removes a one-year shortcut. Here are your practical options, in order of how quickly they help.
- Use a different approved credential. If you also hold something on the surviving list (Security+, CySA+, CISM, CCSP and so on), use that for the waiver instead.
- Use your degree. A qualifying four-year degree gives the same one-year reduction and was unaffected.
- Pass the exam now and become an Associate of ISC2. You can sit CISSP without the experience, then have six years to accumulate the five years required. This keeps your momentum while you build the experience.
- Count all your eligible experience carefully. Many candidates undercount. Part-time roles and internships count on a pro-rata basis, the experience does not need to be consecutive, and the two-domain requirement is met by your experience as a whole rather than by each role.
Exam Tip: After you pass the CISSP exam, you have nine months to complete the endorsement process, where an active ISC2-certified professional verifies your experience against at least two domains. Start lining up your endorser early.
How This Affects Your Certification Roadmap
If you are planning a path towards CISSP in 2026, the waiver change should shape your sequencing.
- Entry and mid-level candidates should favour certifications that still count and double as strong career credentials. Security+ followed by CySA+ keeps you on the waiver list and builds real skills. Our CompTIA Security+ study plan and CySA+ study plan are good starting points.
- Management-track candidates should note that ISACA CISM survived while CISA and CRISC did not. If you are choosing between them with the waiver in mind, CISM now carries extra weight. See our CISA vs CISM comparison and Is CISM Worth It breakdowns.
- Offensive-security professionals holding CEH or OSCP should not panic. Those certifications remain valuable for pentesting careers; they simply no longer trim a CISSP year. Pair them with a surviving credential if the waiver matters to you.
For the bigger picture on whether the CISSP is still the right destination, read our honest take in Is CISSP Worth It in 2026.
CISSP Waiver Change at a Glance
| Question | Answer |
|---|---|
| When did the change take effect? | 1 April 2026 |
| How many certifications were cut? | From around 50 down to roughly 25 |
| Does CEH still count? | No, removed |
| Does CISA still count? | No, removed |
| Does CRISC still count? | No, removed |
| Does OSCP still count? | No, removed |
| Does Security+ still count? | Yes, still approved |
| Does CISM still count? | Yes, still approved |
| Is the degree waiver affected? | No, unchanged |
| Maximum years waivable | One year, always |
Ready to Start Practising?
The CISSP rules around experience and waivers will keep shifting, but the exam itself rewards one thing above all: deep, tested understanding across all eight domains. The fastest way to get there is realistic practice that exposes the gaps in your knowledge before exam day does.
CertCrush gives you exam-style CISSP practice questions with full explanations, plus practice banks for the certifications that still count towards your waiver, including Security+, CySA+ and CISM. Build the knowledge, lock in your eligibility, and walk into the exam ready.
Create your free CertCrush account and start practising today, or browse our certification courses to map out your full path to CISSP.