This is one, if not THE most common question I ever get asked.
If you have 2 years of experience in networking, you can take the CISSP exam.
If you just graduated college with a Master's degree, you can take the CISSP exam.
If you work at a Mercedes Benz assembly factory in Alabama, you can take the CISSP exam.
If you are a stay at home mom who is trying to change her life around for the betterment of her family, YOU CAN TAKE THE CISSP EXAM.
All the above examples are actual situations of people who have overcome great odds and hardships to pass the CISSP exam and break into the security industry.
Here's the secret though: it is not recommended to take the exam without experience. It is doable, but it is not recommended.
If you have zero security experience, the CISSP exam is going to be extremely difficult, and you will have to study for months and months just to grasp foundational concepts. This is the reason that it is recommended you have the necessary 5 years of direct hands-on security experience before attempting the exam.
My work with firewalls and working out of a Security Operations Center helped me immensely during the actual exam. I was surprised at how much the exam did not compare to anything I read in the books, but relied on what I experienced as a security professional.
There are those who have 10 years and even 20 years of experience in the security industry, who still struggle to pass the exam the first, second, or even the third time. However every person is different, only you can test yourself to see what you are made of and if you have what it takes to become a CISSP.
So what happens if you pass the exam without any experience?
Let's first answer what happens if you pass the exam and you already have the 5 years of security experience. After passing, you get an email from the ISC2 congratulating you on your enormous accomplishment. Then you have to complete the endorsement process.
Click here to read about "The CISSP Endorsement Process".
After submitting all the necessary documents, the ISC2 will look at everything, and then in a couple of weeks you'll receive a package in the mail stating you are now officially designated a CISSP. You can start putting those letters after your name. It's a great feeling.
Now, if you pass the exam and do not have the experience your path is a little different. Just FYI, it's still the same exam. Whether you have experience or not, you will be taking the same exam. And you will also have to pay the annual member dues and provide CPE credits. The only difference is that you will have up to 6 years to gain your five years of experience.
This means that the moment you pass your CISSP exam without any experience, you have up to 6 years to gain your 5 years of experience. Basically right after you are certified, don't wait around and get lazy, immediately start looking for a security job. The idea according to the ISC2 is that your new certification will make it easier for you to land a job in the security industry.
That's it. You can take the CISSP exam without any experience, while not recommended, and then you'll have 6 years to complete your 5 years of industry experience. After that, you officially submit your endorsement to become an official CISSP, and then you can start using those letters after your name. Without becoming an official CISSP, you can't use the "CISSP" designation or the logos of the ISC2.
Hope that clarifies any questions you may have had about the exam and the experience requirement.
Lastly, if you're going to take the CISSP exam without any experience, the rest of us ask that you just please be about the profession, don't just add a certificate to your resume.
The most dangerous thing to an organizaiton is a CISSP who is a CISSP only on paper. If you're a CISSP and you still write passwords on a Post-It note, you're making the rest of us look bad. If you're a CISSP and you still are downloading illegal software or obtaining pirated PDF books, you're destroying your credibility and the certification. And the thing is, real recognizes real. If you aren't a real security professional, the rest of us can tell.
When firewalls are hacked, servers are down, management is screaming on the phone, and your organization is about 60 minutes away from making the news because of a data breach...when everyone is losing their minds and panicking, the true professional can be spotted remaining perfectly calm trying to resolve every single issue. This professionalism comes from experience.
That's what the CISSP is all about.