How I acquired the CISSP

Charles Varga | Sep 10, 2025

This post will dive into my journey in which I pursued and eventually acquired the CISSP certification, the gold standard in cybersecurity. It is intended to serve as an example of how an aspiring CISSP can pursue their own credential through comparable routes.

Acquiring the required experience

I have been working in cybersecurity in some way, shape, or form since 2018. ISC2 requires aspiring CISSPs to have at least 5 years of relevant experience in cybersecurity to acquire the certification. If you were to tally up my experience by years alone, I have over 7 years of experience in the field. However, due to ISC2’s strict requirements for full time experience, and the fact that they count internships and part time experience differently, I reached the 5 year mark of experience by ISC2’s definition only in July of this year.

It isn’t necessary to have at least 5 years of experience to take the CISSP exam. However, if you pass the exam without the required experience, you will not yet be eligible for the certification. You will be allowed to become an Associate of ISC2 while you pursue the required experience. If you have an existing certification or university degree, you may be eligible to waive a year of experience when completing the endorsement application. That is what I ended up doing.

If you have done cybersecurity internships while in school, know that ISC2 only cares about the full time period of your internship. So if you worked full time during your internship in the summer but then had your work schedule reduced to less than 20 hours per week during the fall and spring semesters, the non-full time period cannot be counted towards your overall experience. If you somehow worked between 20 and 34 hours per week during the part time period of your internship, then that time can count towards your overall experience, but it is prorated against a 40 hour full time schedule. For example, if you worked 20 hours per week for an entire year, that would net you 6 months of experience by ISC2’s criteria, because 20 × 52 = 1,040 hours, and 1,040 / 40 = 26 weeks = 6 months.

Training and Budgeting

I started a CISSP certification course at the University of West Florida in February 2025, in which I was provided a free voucher code for the exam, along with free access to ISC2’s self paced studying platform for 180 days. My access to this program, which was fully paid for by UWF, was made possible by the fact that I am employed by a state agency in Florida. UWF provides free training for certain certifications and certain skills in cybersecurity to anybody who is employed by a state or local government agency or public school in Florida.

Having said that, if you are in a position to pursue the CISSP, I strongly recommend that you start by asking your employer to back you. It could save you hundreds of dollars. Many employers have existing training programs for their cybersecurity professionals to get certified with the relevant credentials. For years now, it has been my personal policy to avoid pursuing expensive certifications without support from my employer. In the case of the CISSP, the voucher alone costs over $700. If you pay for the training too, then expect to add on a few hundred extra dollars.

If you are unable to get financial backing from your employer to pursue the CISSP, then you may not be out of options yet. You will still have to budget for the voucher; however, there are free training programs online that prepare you for the CISSP exam without providing a voucher. One that I particularly recommend is FRSecure’s CISSP mentor program. This program connects you with other learners and empowers you to study in a collaborative environment.

Studying

The CISSP exam, at the time of this writing, consists of 100 to 150 questions, from eight different domains. To best study for this exam, I recommend creating flash cards or downloading an existing flash card deck, so that you can get an idea of what questions you will be facing during the exam. I personally created my flash card deck from the training material I was provided. Unfortunately, that means that I cannot provide it to you since it is generally hidden behind a paywall. However, there are free flash card decks online if you are not good at creating your own flash cards. Here is an example

If you decide to search for a flashcard deck online, make sure to find one that is recent, and that has at least a few hundred flashcards, with a decent distribution of questions across the eight domains. The example that I included above will become less recent over time, so you probably shouldn’t use it depending on what year you are reading this post. I recommend aiming for a flashcard deck that has at least 500 questions. This is to guarantee that you are exposed to a diverse array of potential themes and topics while studying. That way you aren’t simply memorizing a set of questions which may only cover a very narrow scope in each domain.

To measure my progress, I personally used the Anki app.

It is the same app that I use to create flashcards for studying foreign languages. The Anki app is useful for keeping track of which flashcards you have already studied, which ones you are still learning, and which ones you have already memorized. It is free for Android users, but $24.99 for iOS users (I promise the one time payment is worth it!). The app shows you 20 new flashcards from your decks every day, but it is possible to configure the app to show fewer or more cards depending on how quickly you want to study. The app labels the flashcards based on the stage of learning that you are at for each of them. The major labels include the “new” label, the “young” label, and the “mature” label. “New” means you haven’t been exposed to the card yet; “young” means you have been exposed to the card but haven’t fully stored its contents in your long term memory yet; and “mature” means that you have likely stored the card’s contents in your long term memory.

The repetition of cards will spread out over time, as you become more and more familiar with each one. This is known as the spaced repetition system. This tutorial covers the SRS in a very basic manner. I recommend studying your flashcards for however long it takes for you to get at least 90% of your cards in the “mature” category. You will very likely be ready to book your exam by then.

Conclusion

The journey towards the CISSP certification is a long one, but the rewards are ample once you reach the goal. You will have access to an exclusive global professional network of other ISC2 professionals and new opportunities to upskill and advance your career. Other benefits include the right to join or start an ISC2 chapter in your city, volunteer with ISC2, and obtain discounts to certain security conferences. For me though, there is nothing I appreciate more than to be recognized for my extensive experience in the field of cybersecurity, and recognition is definitely something I have achieved with the CISSP.