I don't know how they validate the 5 years but I know people that have the CISSP cert. and have 5 years total in mainstream corporate IT. I'm guessing all it take is a higher up (non IT even, like a owner) to say that they have it and they got it. Oh, there is the 6" thick book to "learn", and the multi hour test.