- What Are the CCSP Experience Requirements?
- Breaking Down the Five-Year Requirement
- Acceptable Work Experience by Domain
- Waiver Paths and Substitutions
- The Associate of ISC² Path
- The Endorsement Process Explained
- How Your Experience Maps to Exam Content
- Preparing Your Application for 2026
- Comparing Qualification Routes
- Frequently Asked Questions
- CCSP requires five years of cumulative paid work experience in IT, with three years specifically in information security.
- At least one year of experience must align directly with one of the six CCSP exam domains.
- Holding a CISSP in good standing satisfies the entire CCSP experience requirement.
- Candidates who pass the exam without meeting experience requirements earn the Associate of ISC² designation and have six years to qualify.
What Are the CCSP Experience Requirements?
The Certified Cloud Security Professional (CCSP) certification is one of the most respected credentials in cloud security, but earning it is not just about passing an exam. ISC², the body that administers the CCSP, sets specific professional experience requirements designed to ensure that every certified professional has real-world competence - not just theoretical knowledge.
To be eligible for the CCSP, a candidate must have a minimum of five years of cumulative, paid work experience in information technology. Of those five years, at least three years must be in information security, and at least one year must be in one or more of the six CCSP domains. These are not interchangeable categories - each layer of the requirement must be satisfied independently.
Understanding exactly how these requirements intersect - and how to document them correctly - is the single biggest hurdle many candidates face. If you're also evaluating whether the CCSP is the right credential for your goals, the comparison in CCSP vs CISM: Which Certification Fits Your Career offers a useful framework for making that decision before you invest time in the application process.
Breaking Down the Five-Year Requirement
Total IT Experience: Five Years
The five-year baseline covers any paid, full-time work in information technology. Part-time work and internships can count on a prorated basis. Volunteer work in qualifying IT roles may also be considered, provided it was a structured, ongoing professional engagement - not a casual contribution. Unpaid positions are evaluated on a case-by-case basis by ISC².
Information Security Subset: Three Years
Within those five years, three must be specifically in information security. This includes roles where your primary or significant secondary responsibility involved protecting information assets, managing security risks, implementing security controls, or conducting security audits. General systems administration, software development, or IT support do not typically qualify for this subset unless those roles had a documented security component.
Cloud or Domain-Specific Experience: One Year
The final layer is the most specific: at least one year of your experience must fall within one or more of the six CCSP exam domains. This is where cloud security experience becomes directly relevant. If you have spent a year working on cloud platform security, cloud data governance, or cloud application security, that year satisfies this requirement. This is the portion of your experience that ISC² scrutinizes most closely, because it confirms genuine cloud security exposure rather than general IT security work.
Acceptable Work Experience by Domain
The six CCSP exam domains define exactly what counts as relevant cloud security experience. Understanding each domain's scope helps you identify which parts of your career history are creditable - and which gaps you might need to address before applying.
Domain 1: Cloud Concepts, Architecture and Design
Experience designing cloud architectures, evaluating cloud service models (IaaS, PaaS, SaaS), and implementing cloud deployment strategies qualifies here. Roles involving cloud migration planning or cloud-native application architecture are strong fits.
- Cloud reference architecture design
- Security by design in cloud environments
- Evaluation of cloud service provider capabilities
Domain 2: Cloud Data Security
Work involving data classification, data lifecycle management, encryption strategies for data in transit and at rest, and data loss prevention in cloud contexts is highly creditable for this domain.
- Cloud data governance and policy implementation
- Key management in cloud environments
- Data residency and sovereignty compliance
Domain 3: Cloud Platform and Infrastructure Security
Roles involving securing cloud infrastructure - including virtualization security, container security, and network security in cloud environments - map directly to this domain.
- Hardening cloud workloads and hypervisors
- Managing identity and access in cloud platforms
- Infrastructure-as-code security practices
Domain 4: Cloud Application Security
Experience in secure software development lifecycles (SDLC), DevSecOps practices, and application-layer security testing within cloud environments qualifies here.
- Cloud-native application threat modeling
- API security and microservices security
- Security testing in CI/CD pipelines
Domain 5: Cloud Security Operations
Security operations center (SOC) work, incident response, and continuous monitoring in cloud environments are central to this domain. Experience managing cloud security tools and SIEM platforms is particularly relevant.
- Cloud incident response and forensics
- Vulnerability management in cloud environments
- Security automation and orchestration
Domain 6: Legal, Risk and Compliance
Roles involving regulatory compliance, privacy law application to cloud services, third-party risk management, or cloud contract review and negotiation are creditable for this domain.
- Cloud-specific regulatory frameworks (GDPR, HIPAA, FedRAMP)
- Risk assessment and risk treatment in cloud contexts
- Cloud service agreement and SLA evaluation
Waiver Paths and Substitutions
ISC² provides two significant waiver mechanisms that can reduce the experience burden for qualified candidates.
The CISSP Waiver
If you hold a current, active CISSP certification in good standing with ISC², the entire CCSP experience requirement is waived. This is the most powerful substitution available. A CISSP holder can sit for the CCSP exam and, upon passing, immediately proceed to endorsement without documenting any additional work experience history. For professionals who already hold the CISSP, this makes the CCSP a highly accessible credential to add to their portfolio.
CSA CCSK Waiver
Holding the Cloud Security Alliance's Certificate of Cloud Security Knowledge (CCSK) substitutes for one year of the required experience in one CCSP domain. This reduces the domain-specific experience requirement, though you still need to meet the broader five-year IT and three-year information security thresholds independently.
Advanced Degrees
ISC² does not offer a direct educational substitution for CCSP experience in the same way some other certifications do. A relevant master's degree or doctoral degree may be considered, but candidates should confirm current ISC² policy directly, as substitution rules can be updated.
The Associate of ISC² Path
If you are earlier in your career and do not yet meet the experience requirements, you are not locked out of the CCSP. ISC² allows candidates to take the CCSP exam at any point, regardless of experience. Candidates who pass the exam without satisfying the full experience requirement earn the Associate of ISC² designation and are given six years to accumulate the necessary qualifying experience.
This is a legitimate and increasingly popular route for early-career professionals in cloud security roles. The Associate designation is visible to employers and signals that you have passed one of the most rigorous cloud security exams available. Many hiring managers view it favorably, particularly for candidates in roles where cloud security experience is actively being built.
Practicing for the exam and understanding the full scope of all six domains is essential before sitting as an Associate candidate. The CCSP practice test platform is specifically designed to mirror the style and difficulty of the actual exam, helping candidates build the domain knowledge needed to pass before their experience documentation is complete.
The Endorsement Process Explained
Passing the CCSP exam is necessary but not sufficient. To receive the full certification, you must complete ISC²'s endorsement process. This is a formal verification step where a current ISC² member in good standing reviews and validates your professional experience claims.
Finding an Endorser
Your endorser must be an active ISC² certified professional. They do not need to be your current employer or direct supervisor - any qualified ISC² member who can attest to your professional experience is eligible. If you cannot find an endorser, ISC² itself can serve as the endorser of last resort, though this option involves a more detailed review process and may take longer.
What the Endorser Reviews
Your endorser will review your experience documentation against the CCSP experience requirements. They are confirming that your described work history is credible, that the roles qualify under the applicable domain categories, and that the time periods claimed are accurate. They are not conducting an audit - but they are attesting under professional standing that your claims are genuine.
After Endorsement
Once endorsed, ISC² reviews the submission. Upon approval, you receive full CCSP certification and are required to maintain it through continuing professional education (CPE) credits and annual maintenance fees, as with all ISC² credentials.
How Your Experience Maps to Exam Content
There is a deliberate alignment between the CCSP experience requirements and the exam's six domains. Candidates with strong hands-on experience in cloud security operations, for example, will find that Domain 5 questions feel familiar - because the exam tests judgment and decision-making that only comes from real exposure, not just textbook study.
This alignment cuts both ways. Your strongest domains on the exam are likely the ones where you have the most direct work experience. Your weakest domains are almost always the ones furthest from your daily role. A cloud platform engineer may excel in Domains 1, 3, and 5 but find Domain 6 (Legal, Risk and Compliance) significantly more challenging without targeted preparation.
Key Takeaway
Map your current job responsibilities to each of the six CCSP domains before you begin studying. The domains where you have thin experience are the ones where you need to invest the most preparation time - and they may also indicate gaps in your experience documentation that need to be addressed before you apply for full certification.
Regular practice testing is one of the most effective ways to identify those domain-level gaps before exam day. The CCSP Exam Prep practice test platform lets you track performance by domain so you can see exactly where your knowledge - and by extension, your experience - is strongest and where it needs reinforcement.
Preparing Your Application for 2026
Candidates applying in 2026 should begin documenting their experience well before they sit for the exam. ISC² requires detailed descriptions of your roles, not just job titles and dates. For each qualifying position, you should be able to articulate:
- The specific security responsibilities you held, not just general IT duties
- Which CCSP domain or domains those responsibilities align with
- The approximate percentage of time spent on qualifying activities
- The cloud environments or platforms involved, where applicable
Keeping a running professional experience journal throughout your career makes this process significantly easier. If you're applying for the first time and need to reconstruct several years of history, review your performance reviews, project documentation, and LinkedIn history as source material.
Audit Your Experience Against All Six Domains
- List every security role you've held in the past five years
- Match each role's responsibilities to specific CCSP domains
- Identify which domains lack coverage and assess whether additional experience is needed
Identify Your Endorser Early
- Reach out to ISC² members in your professional network
- Brief them on the endorsement process and your experience history
- Confirm their willingness to endorse before you sit for the exam
Document Everything Before Exam Day
- Draft your experience descriptions in ISC² application format
- Have a colleague or mentor review for clarity and accuracy
- Keep copies of supporting documentation such as job descriptions or project records
For a deeper look at how the full qualification process compares across leading security certifications and which career paths each credential supports, the article on CCSP vs CISM: Which Certification Fits Your Career provides detailed context worth reviewing before you commit to a certification path.
Comparing Qualification Routes
| Candidate Profile | Recommended Path | Key Consideration |
|---|---|---|
| Active CISSP holder | Direct CCSP - no experience documentation needed | Fastest route to full certification |
| 5+ years IT, 3+ years infosec, 1+ year cloud domain | Full CCSP application with endorser | Must document and map experience to domains carefully |
| Holds CCSK certification | CCSP with one-year domain experience waiver | Reduces domain experience gap by one year |
| Early-career with <5 years IT experience | Associate of ISC² after passing exam | Six years to accumulate qualifying experience |
| Strong exam knowledge, limited cloud-specific history | Associate of ISC²; build cloud security role experience | Focus on roles in Domains 1, 3, and 5 for experience credit |
You can also revisit the full CCSP Experience Requirements: How to Qualify in 2026 overview to share with colleagues or use as a checklist as you work through your own qualification timeline. And as your exam preparation intensifies, the CCSP Exam Prep practice tests give you the domain-specific testing environment that mirrors the actual exam structure.
Frequently Asked Questions
Yes. ISC² allows paid contract and freelance work to count toward the experience requirement, provided it was compensated, professionally structured, and falls within qualifying IT and information security categories. You should document the nature of the engagement, the client industry, and the specific security responsibilities involved. ISC² may request additional verification for contract work.
ISC² does not have a blanket educational substitution policy for the CCSP in the way that some other certifications do. Academic credentials can be considered as part of a holistic application review, but they do not automatically replace specific years of required work experience. Candidates should check the most current ISC² policies before relying on this as a substitution strategy.
Your endorser only needs to attest that they believe your experience claims are credible and professional - they are not required to have personally observed every role you list. If you cannot find an endorser with direct knowledge of your work, ISC² can act as the endorser of last resort. In that case, ISC² will conduct its own review of your submitted documentation, which may involve additional follow-up questions.
ISC² requires candidates to complete the endorsement process within nine months of passing the exam. If endorsement is not completed within that window, the exam result may lapse and the candidate would need to retake the exam. Finding and briefing a potential endorser before sitting for the exam is strongly recommended to avoid time pressure.
The six-year period begins from the date you passed the CCSP exam and earned the Associate of ISC² designation. This clock runs regardless of when you formally submit your experience documentation. Candidates are encouraged to track their qualifying experience actively from the moment they receive the Associate designation so they are ready to apply well before the deadline.