
Cybersecurity Credential Verification

How to Verify a CISSP Certification

The CISSP (Certified Information Systems Security Professional) is the most recognized senior-level cybersecurity certification globally. ISC² provides a free verification tool, but there are several nuances — including mandatory endorsement and CPE maintenance — that hiring teams frequently overlook.

Quick answer

Verify CISSP certification at isc2.org/verify — the official ISC² member verification tool. Search by the candidate's name to confirm active certification status. The CISSP requires ongoing CPE credits and an annual maintenance fee; a lapsed CISSP is not equivalent to an active one.

What the CISSP certification is

The CISSP is awarded by ISC² (International Information System Security Certification Consortium) to information security professionals who demonstrate broad knowledge across eight security domains, including access control, cryptography, network security, software development security, and security operations.

Requirements for CISSP certification:

  • Experience: Five years of paid, full-time work experience in two or more of the eight CISSP domains (a four-year college degree or an approved credential waives one year)
  • Exam: Pass the CISSP exam (6 hours, 100–150 adaptive questions)
  • Endorsement: An active ISC² member in good standing must endorse the application, attesting to the candidate's professional experience
  • Agree to the ISC² Code of Ethics

The endorsement requirement distinguishes the CISSP from most IT certifications. A candidate cannot self-certify — a peer with standing must vouch for their experience. If no ISC² member is available to endorse, ISC² itself can serve as endorser after a review process.

How to verify CISSP status

Step 1: Go to isc2.org/verify

Navigate to the ISC² member verification tool at isc2.org/verify. This is the official tool for confirming active ISC² certifications, including CISSP, CCSP, SSCP, CGRC, CSSLP, HCISPP, and others.

Step 2: Search by name

Enter the candidate's first and last name. For common names, adding location details can help narrow results. ISC² members who have opted into the public directory will appear with their certification status and active credentials.

If the search returns no results, ask the candidate to provide their ISC² member number so you can verify directly. Members can also generate a shareable verification link from their ISC² account.

Step 3: Confirm active status and specific certification

The record shows which ISC² certifications the individual holds and whether they are currently active. Confirm that the specific certification claimed (e.g., CISSP vs. SSCP) is listed, and that it is active rather than suspended or revoked.

CISSP concentration certifications

After earning the CISSP, professionals can pursue concentration certifications in specialized domains. These are separate credentials that require additional exams:

CISSP-ISSAP (Information Systems Security Architecture Professional)

Focuses on security architecture design. Verify at isc2.org/verify — it will appear as a separate credential alongside the base CISSP.

CISSP-ISSEP (Information Systems Security Engineering Professional)

Focuses on security engineering, particularly relevant to U.S. government and defense contractor roles. Required for many DoD positions.

CISSP-ISSMP (Information Systems Security Management Professional)

Focuses on security leadership and management, including risk management and incident response at the organizational level.

All CISSP concentrations require a current active CISSP as a prerequisite. If the base CISSP lapses, the concentration certifications also become inactive.

Maintenance requirements

The CISSP has a three-year certification cycle requiring:

| Requirement | Details |
|---|---|
| CPE credits | 120 CPE credits over the 3-year cycle (minimum 40 per year) |
| Annual maintenance fee (AMF) | $125/year paid to ISC² |
| Code of Ethics compliance | Annual attestation required |
| CISSP concentration CPEs | 20 additional CPEs per concentration, within the relevant domain |

Lapsed CISSP: what to watch for

A CISSP that has lapsed due to missed CPE credits or unpaid fees is not equivalent to an active CISSP. The ISC² verification tool will show the credential as inactive or will not return a result for the individual. Always verify at the time of hiring, not only at onboarding — CPE cycles can lapse after an employee joins.

CISSP vs. other cybersecurity certifications

CISSP vs. CompTIA Security+ (SY0-701)

Security+ is an entry-level certification with no experience requirement. CISSP requires five years of experience. For DoD 8570.01-M (now DoD 8140) compliance, Security+ satisfies IAT Level II while CISSP satisfies IASAE Level I/II/III and ISSM Level II/III. Verify Security+ at verify.comptia.org.

CISSP vs. CISM (Certified Information Security Manager)

CISM is issued by ISACA and focuses on security management and governance rather than technical security domains. Many CISOs hold both. Verify CISM credentials at isaca.org/credentialing/verify-a-certification.

CISSP vs. CCSP (Certified Cloud Security Professional)

The CCSP is also issued by ISC² and focuses specifically on cloud security. It can be pursued alongside or after the CISSP. Both appear in the ISC² verification tool and have identical maintenance requirements.

Verify the degree behind the certification

Many CISSP candidates cite a four-year degree to waive the experience requirement. Use VerifyED to confirm that a candidate's undergraduate degree comes from a legitimately accredited institution — and catch any diploma mill credentials in your security team hiring pipeline.
