In December 2025, ISC2 announced a major restructuring of its CISSP experience waiver program. Effective April 1, 2026, the list of certifications that qualify for a one-year experience reduction drops from roughly 50 credentials to 25. The certifications cut include some of the most widely held in cybersecurity: CEH, CISA, CRISC, OSCP, most GIAC certifications, and Microsoft's AZ-500.
CCSP is not among them.
But this story is more interesting than "CCSP survived." CCSP and CISSP have a bidirectional waiver relationship — the only such pair in the ISC2 certification ecosystem. Understanding how this works, and why it matters even more after April 1, is what this guide is about.
What Changed on April 1, 2026
The CISSP experience requirement is five years of cumulative, full-time paid work experience in at least two of the eight CISSP domains. The experience waiver reduces this by one year — not two — if you hold a qualifying certification or a relevant four-year degree. (You can't stack both for a two-year reduction; the maximum waiver is always one year.)
ISC2's stated rationale for the April 2026 cuts: the waiver should reflect credentials that demonstrate broad security governance and management thinking — not technical specialization. A credential that validates narrow deep expertise doesn't proxy for a year of broad security management experience the way a broad-scope governance certification does.
The result is a cleaner, shorter list: ISC2's own family, CompTIA's broad-baseline track, enterprise security credentials from Cisco/AWS, and CISM. Technical specialist credentials — even rigorous, well-respected ones — were mostly cut.
✅ Still Qualifies After April 1
- ISC2 CCSP
- ISC2 SSCP
- ISC2 CGRC
- ISC2 CSSLP
- ISC2 ISSAP / ISSEP / ISSMP
- ISC2 HCISPP
- ISACA CISM
- CompTIA Security+
- CompTIA CySA+
- CompTIA CASP+ / SecurityX
- Cisco CCNA Security
- Cisco CCNP Security
- Cisco CCIE Security
- AWS Security – Specialty
- Microsoft Cybersecurity Architect
- Zscaler ZDTA / ZDTE / ZDXA
❌ Removed After April 1
- EC-Council CEH (all versions)
- ISACA CISA
- ISACA CRISC
- Offensive Security OSCP / OSCE
- Microsoft AZ-500
- Cisco CyberOps Associate / Pro
- GIAC GCIH, GCFA, GSEC, GCIA
- GIAC GCED, GCTI, GSTRT, GSNA
- INE eCPPT, eJPT
- CSA CCSK
- CIA (Certified Internal Auditor)
- CPP (ASIS)
- CWSP
- CIW Web Security Pro/Specialist
- IRCA Lead/Principal Auditor
- JNCIE-SEC
The Bidirectional Unlock: How CCSP and CISSP Waive Each Other
CCSP is the only non-CISSP certification in the world that unlocks the CISSP experience requirement. And CISSP is the only certification that unlocks the entire CCSP experience requirement — not just one year, but all five.
The Only Pair That Works Both Ways
CCSP → CISSP: Holding CCSP waives one year of CISSP's five-year experience requirement. Submit your CISSP application with four years of documented experience instead of five.
CISSP → CCSP: Holding an active CISSP credential satisfies the entire CCSP experience requirement. You don't need to document five years of cloud security experience. You just need to pass the exam.
No other certification pair in ISC2's portfolio has this bilateral relationship. SSCP doesn't give you a full CCSP experience bypass. CGRC doesn't grant a CISSP waiver. Only CCSP ↔ CISSP work both ways.
Here's the exact structure:
| You Hold | Effect on CISSP | Effect on CCSP |
|---|---|---|
| CCSP | Waives 1 year (need 4 years, not 5) | N/A — you already have it |
| CISSP | N/A — you already have it | Waives all 5 years of CCSP experience |
| CCSK | No longer qualifies (removed April 1) | Still waives 1 year of CCSP experience |
| CISM | Waives 1 year (still qualifies post-April 1) | No effect on CCSP experience |
| CompTIA Security+ | Waives 1 year (still qualifies post-April 1) | No effect on CCSP experience |
| CEH / OSCP | No longer qualifies (removed April 1) | No effect on CCSP experience |
This is why "CCSP survived the April 2026 cuts" understates what happened. CCSP's position in the ISC2 ecosystem is structurally stronger after April 1 than before, because many of the alternative paths to a CISSP waiver just closed.
Why CCSP Survived (and CISA Didn't)
The pattern across ISC2's revised list makes their philosophy clear: certifications that prove broad security governance and management thinking qualify; certifications that prove technical depth in a specific area do not.
CCSP maps onto CISSP's management-level domains more closely than people expect. Cloud security architecture, cloud governance, legal and compliance, risk management — these aren't narrow technical skills. They're exactly the breadth ISC2 considers equivalent to a year of general security management experience.
CISA is a more surprising cut — it's a rigorous, governance-focused certification. The likely ISC2 reasoning: CISA validates that security controls exist and work (an audit function), whereas CISSP tests whether you can design, build, and govern security programs. The orientation is different enough that ISC2 no longer considers CISA a proxy for security management experience.
CEH, OSCP, and the GIAC offensive/forensics credentials are a cleaner case — they go deep on specific technical attack and defense domains. Strong credentials, but they don't map to CISSP's management-level breadth.
What CCSK Holders Should Know
CSA's CCSK (Certificate of Cloud Security Knowledge) was removed from the CISSP waiver list effective April 1. This is a meaningful change for cloud security professionals who had planned on CCSK as a CISSP bridge credential.
However, CCSK's relationship with CCSP is unchanged: a CCSK still waives one year of CCSP's experience requirement. This creates a viable chain for cloud security professionals:
The CCSK → CCSP → CISSP Chain
CCSK (CSA) → waives 1 year of CCSP experience → need 4 years of cloud security experience instead of 5 to earn CCSP
CCSP → waives 1 year of CISSP experience → need 4 years of broader security experience to earn CISSP
The chain still works. CCSK no longer bridges directly to CISSP, but it still bridges to CCSP — which bridges to CISSP.
For cloud security professionals with CCSK: this is your path forward post-April 1. CCSK → CCSP → CISSP is still fully viable. The direct CCSK → CISSP shortcut no longer exists, but the chain through CCSP does.
Action Plan: What to Do Based on Your Situation
You hold an active CCSP and are pursuing CISSP
Your CCSP survives the April 1 change. You can submit your CISSP application before or after April 1 and still receive the one-year experience waiver. Calculate whether you currently have four years of qualifying CISSP experience. If yes — there's no reason to wait. If not — CCSP already has you one year ahead of schedule.
You hold an active CISSP and are considering CCSP
Your CISSP satisfies the entire CCSP experience requirement. You don't need to document five years of cloud security experience — you just need to pass the CCSP exam. If you have any cloud security background from your work history, CCSP is accessible to you right now. The only question is whether you've prioritized exam preparation.
This is the most efficient dual-certification path in cybersecurity: one exam, no additional experience documentation, second ISC2 certification in hand.
You hold CEH, OSCP, CISA, CRISC, AZ-500, or a GIAC cert and want the CISSP waiver
Option 1 — Submit before April 1: If you have the required four years of experience documented across two or more CISSP domains, submit your CISSP endorsement application immediately. Applications received before April 1 can use the current, expanded waiver list. Don't wait — the endorsement process takes 4-8 weeks and cut-off is application receipt date, not processing completion.
Option 2 — Pivot your bridge cert: If you can't submit before April 1, the remaining paths are CompTIA Security+/CySA+/CASP+ (faster, lower cost), CISM (management-track, highly aligned to CISSP), or CCSP (cloud-focused, full bidirectional value). Any of these gets you the waiver post-April 1.
Option 3 — Document five full years: If you're close to five years of qualifying experience anyway, skip the waiver. The one-year reduction matters most for candidates sitting at the four-year mark, not those already past five.
You hold CCSK and are building toward CISSP via cloud security
CCSK was removed from the direct CISSP waiver list. But CCSK still qualifies for one year of CCSP experience reduction. Your updated path: use CCSK to reduce CCSP's experience bar from 5 years to 4, earn CCSP, then use CCSP for the CISSP waiver. The chain is longer by one step but still fully intact.
You're early in your cybersecurity career, planning your cert stack
The April 2026 changes simplify the decision: the clearest certification pathways to CISSP now run through CompTIA (Security+ → CySA+ → CASP+), ISC2's own family (SSCP → CCSP), or CISM. If you're cloud-focused, the CCSP → CISSP path is now one of the most efficient routes to both certifications. Start with the one that matches your current role — CCSP if you're doing cloud security work, CISSP if your role is broader.
The April 1 deadline applies to CISSP certification applications, not exam dates. You can pass the CISSP exam after April 1 and still use the old waiver list — as long as you submitted your application before April 1. The Associate of ISC2 path (pass exam first, document experience later) is relevant here: passing the exam locks you in as an Associate, and your application date determines which waiver list applies.
Frequently Asked Questions
Does CCSP qualify for the CISSP experience waiver after April 2026?
Yes. CCSP is on ISC2's post-April 1, 2026 qualifying list. Holding an active CCSP waives one year of the CISSP five-year experience requirement — reducing your documentation burden to four years across two or more CISSP domains. This is confirmed on ISC2's official certification requirements page.
Does CISSP waive the entire CCSP experience requirement?
Yes — the entire requirement. An active CISSP credential satisfies all five years of CCSP's experience documentation. You still need to pass the CCSP exam, but you won't need to separately document cloud security work experience. This applies to current CISSP holders regardless of the April 2026 CISSP waiver changes (those changes affect the CISSP's own requirements, not the CCSP's).
Can I stack the CCSP waiver and a college degree waiver for CISSP?
No. The maximum waiver for CISSP is one year, regardless of how many qualifying credentials you hold or whether you also hold a relevant degree. Holding both CCSP and a CS degree still only reduces your experience requirement from five years to four — you can't combine them for two years off.
Does CCSK still count for anything after April 2026?
CCSK no longer qualifies for the CISSP experience waiver after April 1. However, CCSK still waives one year of the CCSP experience requirement — that relationship is unchanged. CCSK holders can still use it on the path to CCSP, and then use CCSP as the bridge to CISSP.
I have CEH and 4 years of experience. What's my best move?
You have two paths: (1) Submit your CISSP application before April 1, 2026, using CEH under the current expanded waiver list — if you have four years of documented experience in two or more CISSP domains. (2) If you miss April 1, earn CompTIA Security+ or CASP+ (fastest and cheapest route to a qualifying credential under the new list) and then submit your application. CISM and CCSP are also options if they align with your career direction.
How long does the CISSP endorsement/application process take?
ISC2 states the endorsement process typically takes 4-8 weeks. If you're trying to submit before April 1 using a certification being removed, you need to initiate the application process now — not in two or three weeks. The deadline is application receipt date, not processing completion date.
Preparing for CCSP? Start with practice questions.
CCSP.app offers AI-powered CCSP practice questions aligned to all six domains of the 2025 exam outline. Free 7-day trial, no credit card required.
Start Free Trial →