- Who the CQSP Is Designed For
- Official Eligibility Pathways
- What "Cryptography Basics" and "Information Security Experience" Actually Mean
- The Six Domains You Must Know Before You Register
- Matching Your Background to the Domain Map
- Registration, Format, and What to Expect on Exam Day
- A Domain-Driven Study Schedule
- Who Hires CQSP-Certified Professionals
- Frequently Asked Questions
- CQSP requires either one year of information security experience plus cryptography basics, a 16-hour CQSP workshop, or equivalent 16-hour training covering...
- The exam is 50 multiple-choice questions, 60 minutes, with a 66% passing score - meaning you must answer at least 33 questions correctly.
- SISA Institute governs the CQSP and grants ANAB-accredited certification status, distinguishing it from self-issued vendor badges.
- Six specific domains cover everything from quantum computing foundations to post-quantum cryptographic standards and migration strategy.
Who the CQSP Is Designed For
The Certified Quantum Security Professional is not a generalist security certification with a quantum module bolted on. It is built from the ground up around a single, urgent problem: the cryptographic infrastructure that protects virtually every organization on earth is vulnerable to sufficiently powerful quantum computers, and most security teams have no structured plan to address it.
SISA Institute - the governing body behind the CQSP - designed the credential for practitioners who need to own that problem. That typically includes information security managers, cryptography engineers, risk and compliance officers, cloud security architects, and security consultants advising clients on long-term infrastructure resilience. It also increasingly includes professionals in regulated industries - financial services, healthcare, critical infrastructure - where regulators are beginning to ask explicit questions about post-quantum readiness.
If you are already working in information security and want a structured, independently accredited credential that proves you understand quantum threats at a technical and strategic level, the CQSP fills a gap that no major generalist certification currently covers with the same depth. The ANAB accreditation behind the certification means the credential has been evaluated against a recognized conformity assessment standard, not just self-declared by its issuer.
Official Eligibility Pathways
SISA Institute publishes three routes to CQSP eligibility. Understanding which pathway applies to you is the first practical decision you need to make - before you look at study materials, before you schedule anything.
| Pathway | Requirements | Best For |
|---|---|---|
| Experience + Knowledge | One year of information security experience AND demonstrated cryptography basics | Working security professionals with existing crypto knowledge |
| CQSP Workshop | Completion of the official 16-hour CQSP workshop delivered by SISA Institute | Candidates who want structured instructor-led preparation and eligibility in one step |
| Equivalent Training | 16 hours of training that covers the CQSP examination blueprint topics | Candidates who have completed third-party or in-house quantum security training |
The training pathways - both the official workshop and the equivalent training route - are notably accessible. A candidate with no prior information security job experience can qualify entirely through 16 hours of blueprint-aligned training. This is a deliberate design choice by SISA: the quantum security talent pool is small, and the credential needs to be reachable for professionals transitioning from adjacent fields like software engineering, network architecture, or mathematics.
If you are pursuing the experience pathway, the one-year requirement is in information security generally - not specifically in cryptography or quantum computing. The cryptography basics requirement sits alongside it as a separate condition. You can review what that cryptography knowledge needs to cover in the next section.
What "Cryptography Basics" and "Information Security Experience" Actually Mean
SISA's published materials do not provide a granular definition of "cryptography basics," but the CQSP exam domains make the implied knowledge level clear. To be genuinely prepared - not just technically eligible - you need to arrive at the exam understanding the following before you open a single CQSP study guide:
- Symmetric and asymmetric encryption principles: How AES, RSA, and ECC work at a conceptual level, and why key length and algorithm choice matter.
- Public key infrastructure (PKI): Certificate authorities, digital signatures, and the chain of trust model used across TLS and code signing.
- Hash functions and their role in integrity verification.
- Key exchange protocols: Diffie-Hellman and its elliptic curve variant, because understanding why these break under quantum attack is foundational to Domain 1 and Domain 3 content.
If you are uncertain about any of these, address them before you begin domain-specific CQSP study. The exam assumes this knowledge; it does not teach it. Candidates who skip this foundation consistently struggle with Domain 2 (Quantum Cryptography and Key Distribution) and Domain 4 (Post-Quantum Cryptographic Standards and Guidelines), where questions require you to reason about why specific algorithms are quantum-resistant rather than simply recalling that they are.
The "one year of information security experience" requirement is broader. Experience in network security, application security, security operations, GRC, or security architecture qualifies. What matters is that you have practical context for thinking about risk, threat modeling, and security controls - all of which feed directly into Domain 3 (Quantum Threats, Risk, and Mitigation) and Domain 5 (Quantum-Safe Migration Strategy).
Key Takeaway
Meeting the eligibility requirement and being ready to pass are two different things. Build your classical cryptography foundation first - Domain 2 and Domain 4 will be significantly harder without it.
The Six Domains You Must Know Before You Register
The CQSP blueprint organizes its content into six domains. SISA does not publish percentage weights for each domain in its public materials, so candidates cannot reverse-engineer which domains carry more exam questions. The safest approach is to treat all six as equally important until official weighting information becomes available.
Domain 1: Foundation of Quantum Computing and Cryptography
The entry point for the entire credential. Candidates must understand how quantum computers operate differently from classical systems, including superposition, entanglement, and interference. The cryptographic relevance of Shor's algorithm (which breaks RSA and ECC) and Grover's algorithm (which weakens symmetric encryption) must be understood mechanically, not just by name.
- Quantum bit (qubit) behavior versus classical binary
- Why Shor's algorithm specifically threatens public key infrastructure
- The difference between near-term quantum risk and cryptographically relevant quantum computers (CRQCs)
Domain 2: Quantum Cryptography and Key Distribution
Focuses on quantum-native security mechanisms, particularly Quantum Key Distribution (QKD). Candidates must understand BB84 and its successors, the physical constraints of QKD deployment, and where QKD fits relative to post-quantum cryptography as a solution category.
- BB84 protocol mechanics and security basis
- Practical limitations of QKD (distance, infrastructure requirements)
- QKD versus post-quantum algorithms: different problems, different solutions
Domain 3: Quantum Threats, Risk, and Mitigation
Applies risk management frameworks to quantum-era threats. This domain connects directly to the "harvest now, decrypt later" (HNDL) attack model - a current-day threat even before CRQCs exist. Risk quantification, threat actor profiling, and mitigation prioritization are central.
- HNDL attack mechanics and organizational exposure
- Cryptographic asset inventorying as a risk management practice
- Mitigation timelines relative to quantum computing development forecasts
Domain 4: Post-Quantum Cryptographic Standards and Guidelines
Covers the NIST Post-Quantum Cryptography standardization process and the algorithms it has produced. Candidates must know CRYSTALS-Kyber (now ML-KEM), CRYSTALS-Dilithium (now ML-DSA), SPHINCS+, and FALCON, as well as why NIST selected lattice-based and hash-based designs over other candidates.
- NIST PQC finalized standards and their intended use cases
- Hybrid cryptography: combining classical and post-quantum algorithms during transition
- Relevant guidelines from NIST, ETSI, and ISO
Domain 5: Quantum-Safe Migration Strategy
The operational and strategic domain. Covers how organizations plan, prioritize, and execute a transition from classical to quantum-safe cryptography. Crypto-agility - the ability to swap algorithms without rebuilding entire systems - is a central concept.
- Cryptographic inventory and dependency mapping
- Prioritization frameworks: which systems migrate first and why
- Crypto-agility by design in new system architecture
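An added example, not taken from SISA or the CQSP materials: a small inventory triage that ties Domain 1's Shor/Grover distinction to Domain 3's HNDL exposure and Domain 5's migration prioritization. The 128-bit floor, the CRQC horizon parameter, the ranking rule, and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Public-key families whose hardness assumptions Shor's algorithm breaks.
SHOR_BROKEN = {"RSA", "ECDH", "ECDSA", "DH"}
# Algorithms used for confidentiality (key exchange / encryption): traffic recorded
# today can be decrypted later. Signatures are not exposed by harvesting alone.
CONFIDENTIALITY = {"RSA", "ECDH", "DH", "AES"}
MIN_QUANTUM_BITS = 128  # assumed policy floor, not a CQSP or NIST figure

@dataclass
class Asset:
    system: str
    algorithm: str
    key_bits: int
    retention_years: int  # how long the protected data must stay secret

def quantum_strength_bits(asset):
    """Nominal security level against a quantum attacker, in bits."""
    if asset.algorithm in SHOR_BROKEN:
        return 0                    # Shor: efficient break regardless of key size
    if asset.algorithm == "AES":
        return asset.key_bits // 2  # Grover: quadratic speed-up halves the exponent
    raise ValueError(f"unclassified algorithm: {asset.algorithm}")

def hndl_exposed(asset, crqc_horizon_years):
    """True if ciphertext harvested today still matters once a CRQC exists."""
    return (asset.algorithm in CONFIDENTIALITY
            and quantum_strength_bits(asset) < MIN_QUANTUM_BITS
            and asset.retention_years > crqc_horizon_years)

def migration_order(inventory, crqc_horizon_years):
    """HNDL-exposed assets first, then weakest algorithm, then longest retention."""
    def rank(a):
        return (not hndl_exposed(a, crqc_horizon_years),
                quantum_strength_bits(a),
                -a.retention_years)
    return [a.system for a in sorted(inventory, key=rank)]

# Constructed sample inventory (not from any real organization).
INVENTORY = [
    Asset("code-signing", "ECDSA", 256, 2),
    Asset("patient-records-vpn", "ECDH", 256, 25),
    Asset("backup-archive", "AES", 256, 30),
    Asset("legacy-file-share", "AES", 128, 15),
    Asset("web-session-tls", "RSA", 2048, 1),
]

if __name__ == "__main__":
    # crqc_horizon_years is an assumed planning input, not a forecast.
    for name in migration_order(INVENTORY, crqc_horizon_years=10):
        print(name)
```

The long-retention VPN outranks the short-lived TLS sessions even though both use Shor-broken key exchange, which is the HNDL reasoning the scenario questions expect.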
Domain 6: Practical Implementation of Quantum Security
Bridges theory to deployment. Candidates must understand how post-quantum algorithms integrate into TLS, code signing, PKI, and cloud environments, as well as the performance and compatibility considerations that affect real implementation decisions.
- PQC integration into existing protocols (TLS 1.3, S/MIME, SSH)
- Hardware security module (HSM) compatibility with PQC algorithms
- Vendor and product landscape for quantum-safe tooling
For a detailed breakdown of the exam format alongside these domains, see our article on the CQSP Exam Format: Questions, Time Limit, and Scoring.
Matching Your Background to the Domain Map
Your existing background determines where you will need the most preparation time - and understanding this before you start studying is worth more than any generic study plan.
If you come from a GRC or risk management background: Domain 3 and Domain 5 will feel familiar. You will need significant additional work on Domains 1, 2, and 4, where the content is technical and algorithm-specific.
If you come from network or systems security: Domain 6 will leverage your implementation experience. Domain 1 and Domain 2 will require dedicated study of quantum mechanics concepts you may not have encountered professionally.
If you come from software development or cryptography: Domain 4 content around NIST PQC algorithms will likely be the most approachable. Domain 5 and Domain 3 will require you to shift from implementation thinking to strategic risk and organizational change management thinking.
Understanding your starting position against the full CQSP Prerequisites and Eligibility Requirements 2026 framework helps you allocate preparation time where it actually matters rather than reviewing material you already know.
Registration, Format, and What to Expect on Exam Day
The CQSP exam is administered through SISA Institute's own examination platform. The exam fee is not disclosed in SISA's public materials - candidates should contact SISA directly or check the current registration page for pricing. Similarly, scheduling and testing location options are managed through SISA's platform rather than a third-party testing provider.
The exam itself is 50 multiple-choice questions delivered within a 60-minute time limit. The passing score is 66%, which means you need to answer at least 33 of the 50 questions correctly. This is a meaningful threshold - not so high that a single bad domain sinks you, but demanding enough that surface-level familiarity with any domain is a risk.
Multiple-choice format does not mean the exam is straightforward. CQSP questions are designed to test applied understanding rather than simple recall. You may encounter scenario-based questions that describe an organization's cryptographic environment and ask which mitigation approach is most appropriate - a format that requires you to integrate Domain 3 risk concepts with Domain 5 migration strategy knowledge simultaneously.
Practice under realistic conditions before your exam date. Using CQSP practice tests that mirror the 50-question, 60-minute format will help you calibrate time management and identify which domains still have gaps.
A Domain-Driven Study Schedule
Given that the CQSP blueprint covers six technically distinct domains and requires both conceptual and applied understanding, a four-to-six week preparation window is realistic for candidates with the relevant background. The schedule below assumes roughly eight to ten hours of study per week.
Domain 1 - Quantum Computing Foundations
- Study qubit mechanics, superposition, and entanglement at a conceptual level
- Understand Shor's algorithm and Grover's algorithm and their specific cryptographic implications
- Do not move to Domain 2 without being able to explain why RSA breaks under quantum attack
Domain 2 + Domain 4 - QKD and PQC Standards
- Study BB84 and QKD architecture; compare to PQC as a complementary (not competing) solution
- Work through NIST's finalized PQC standards: ML-KEM, ML-DSA, SPHINCS+, FALCON
- Understand the mathematical hardness problems each algorithm relies on (lattice, hash-based)
Domain 3 - Threats, Risk, and HNDL
- Map quantum threats to existing risk frameworks you know (ISO 27005, NIST RMF)
- Study the harvest now, decrypt later attack model in depth - this appears in exam scenarios
- Practice identifying which organizational data types have the highest long-term exposure
Domain 5 + Domain 6 - Migration Strategy and Implementation
- Study crypto-agility frameworks and cryptographic inventory methodology
- Review how PQC algorithms integrate into TLS, PKI, and code signing workflows
- Practice scenario questions that combine migration prioritization with implementation constraints
Integrated Review and Practice Testing
- Take full-length timed practice exams at CQSP Exam Prep
- Identify weak domains from practice results and schedule targeted review sessions
- Simulate exam conditions: 50 questions, 60-minute timer, no reference materials
Who Hires CQSP-Certified Professionals
Quantum security is transitioning from a research specialization to an operational requirement, and hiring patterns reflect that shift. Organizations building or expanding quantum-readiness programs are actively seeking candidates who can demonstrate structured, verifiable knowledge - which is where an ANAB-accredited credential like the CQSP has direct value.
The sectors with the most visible demand include financial services institutions preparing for regulatory scrutiny of cryptographic infrastructure, government contractors subject to CISA and NIST post-quantum migration guidance, healthcare organizations with long data retention requirements that make them acutely vulnerable to HNDL attacks, and cloud service providers that need to offer customers a credible quantum-safe roadmap.
Within organizations, the CQSP is most relevant for roles like Cryptography Engineer, Security Architect, Chief Information Security Officer, Quantum Security Consultant, and Risk and Compliance Manager with a technology focus. It is also appearing in job descriptions for positions specifically titled "Post-Quantum Security Specialist" or "Quantum-Safe Infrastructure Lead" - roles that barely existed five years ago but are now active in both enterprise and government hiring pipelines.
For candidates still building toward the CQSP, reviewing the full eligibility requirements alongside the domain structure in detail is worth doing early. Revisit the CQSP Prerequisites and Eligibility Requirements 2026 guide and cross-reference with the CQSP Exam Format: Questions, Time Limit, and Scoring article to build a complete picture before committing to a study plan.
Frequently Asked Questions
Yes. SISA Institute provides two training-based pathways that do not require work experience: completing the official 16-hour CQSP workshop, or completing equivalent 16-hour training that covers the exam blueprint. Both pathways satisfy the eligibility requirement independently of any work history.
SISA's public materials do not define this term with a specific syllabus, but the exam domains make the practical requirement clear. You should understand symmetric and asymmetric encryption, PKI, key exchange protocols like Diffie-Hellman, and hash functions before relying on this pathway. Domain 2 and Domain 4 of the exam assume this knowledge without teaching it.
The passing score is 66% on a 50-question exam. That means you need to answer at least 33 questions correctly. Falling one correct answer short of that threshold is the difference between passing and failing, so consistent performance across all six domains - not just your strongest areas - is essential.
Preparation time depends heavily on your existing background. Candidates with strong information security and cryptography experience often prepare in four to six weeks with focused study. Candidates newer to cryptography or quantum computing concepts should budget more time - particularly for Domains 1, 2, and 4, which require technical depth that cannot be absorbed quickly.
Domain-aligned practice questions that mirror the CQSP's 50-question, 60-minute multiple-choice format are available at CQSP Exam Prep. Practicing under timed, exam-realistic conditions is one of the most effective ways to identify which domains still have gaps before your actual exam date.