CISSP CPE Credits

Passing the CISSP exam is the hard part. Keeping the certification active requires ongoing effort, but nothing close to the intensity of exam preparation. ISC2 requires certified professionals to earn Continuing Professional Education credits throughout their certification cycle—40 CPE credits per year, 120 total over each three-year cycle. The ISC2 CPE policy defines what counts, how to document activities, and what happens if you fall short.

The CPE requirement exists because security changes constantly. Frameworks update, threats evolve, regulations expand, and technologies shift. A certification earned in 2020 means little if the holder stopped learning in 2020. CPE credits force ongoing engagement with the field, ensuring CISSPs maintain relevance rather than coasting on credentials earned years ago.

Most CISSPs find the requirement manageable once they understand how broadly ISC2 defines qualifying activities. Reading security articles, attending webinars, participating in professional groups, and even work projects can generate credits. The challenge isn’t finding enough activities—it’s documenting them properly and spreading effort across the year rather than scrambling before deadlines.

CISSP CPE requirements at a glance:

  • 40 CPEs per year (annual minimum)
  • 120 CPEs total per cycle (3-year certification)
  • $125 AMF per year (annual fee required)

Three-year certification cycle:

  • Year 1: 40 CPEs
  • Year 2: 40 CPEs
  • Year 3: 40 CPEs

Earn at least 40 CPEs each year, with no carrying forward of excess credits. Pay the $125 AMF annually to maintain active status.

The Annual and Cycle Requirements

ISC2 structures CPE requirements around both annual minimums and three-year cycle totals. You must earn at least 40 CPE credits every year—no exceptions. You cannot earn 80 credits in year one and skip year two. The annual minimum ensures consistent engagement rather than cramming professional development into concentrated bursts.

Over your three-year certification cycle, you need 120 total CPEs. Since the annual minimum is 40, meeting each year’s requirement automatically satisfies the cycle total. There’s no benefit to earning extra credits beyond 40 per year; excess credits don’t carry forward to the next cycle. If you earn 60 credits in year one, you still need 40 in year two—the extra 20 don’t count toward anything.

Your certification cycle starts when you earn CISSP, not January 1st. If you passed your exam on March 15th, your first year runs through March 14th of the following year. ISC2 tracks your cycle dates and sends reminders as deadlines approach, but ultimately you’re responsible for monitoring your own credits and ensuring compliance.

Beyond CPE credits, you pay an Annual Maintenance Fee of $125 to ISC2 each year. This fee funds ISC2 operations, exam development, and member services. Missing the AMF payment suspends your certification regardless of how many CPE credits you’ve earned. Both requirements—credits and payment—must be met to maintain active status.

Why ISC2 Requires Continuing Education

The CPE requirement reflects a fundamental reality of cybersecurity: static knowledge becomes obsolete knowledge. When CISSP launched in 1994, the internet was barely commercial, cloud computing didn’t exist, and mobile devices meant pagers. A certification testing 1994 knowledge would be worthless today without mechanisms forcing ongoing learning.

ISC2 updates the CISSP exam every three years through Job Task Analysis studies, surveying thousands of security professionals about actual work activities. The exam outline shifts accordingly—domain weights change, topics appear and disappear, and emphasis moves toward current practices. CPE requirements ensure certified professionals evolve alongside the exam content rather than holding credentials that no longer reflect their knowledge.

From an employer perspective, CPE compliance signals that a CISSP holder remains engaged with the profession. Anyone can pass an exam once; maintaining certification over years demonstrates sustained commitment. When organizations require CISSP for positions, they’re partly buying assurance that the credential holder continues learning, not just that they once knew enough to pass a test.

The requirement also serves professional liability purposes. CISSPs bound by the ISC2 Code of Ethics commit to providing competent service. Continuing education supports that commitment by ensuring practitioners stay current with evolving threats, technologies, and best practices. A CISSP advising on cloud security should understand current cloud architectures, not just the concepts tested when they originally certified.

CPE Credit Categories and Values

ISC2 divides CPE activities into Group A (directly related to CISSP domains) and Group B (general professional development). All 40 annual credits can come from Group A activities. A maximum of 10 credits per year can come from Group B activities—activities that enhance professional skills but don’t directly address CISSP domain content.

Education: Courses, Seminars, and Training

1 CPE per hour of instruction

Formal training generates one credit per contact hour. A 40-hour training course yields 40 CPEs. This includes vendor training, college courses, professional seminars, and structured online learning. The training must relate to CISSP domains for Group A credit—a project management course counts as Group B, while a threat intelligence course counts as Group A. Retain certificates of completion or transcripts as documentation.

Conferences and Events

1 CPE per hour of attendance

Security conferences like RSA, Black Hat, or regional events generate credits based on actual session attendance. A three-day conference with six hours of sessions daily yields 18 CPEs. Exhibitor hall time and networking don’t count—only educational sessions. ISC2’s own events, including Security Congress and chapter meetings, qualify. Keep your badge, registration confirmation, and ideally a log of which sessions you attended.

Self-Study: Reading and Research

1 CPE per hour of study (up to 40 per year)

Reading security books, research papers, articles, and technical documentation counts as self-study. One hour of reading equals one CPE. You can earn your entire annual requirement through self-study alone, though ISC2 may request documentation of what you studied. Maintain a reading log with titles, authors, dates, and time spent. The NIST publications library offers extensive free material that clearly qualifies.

Professional Contributions: Writing and Speaking

Variable: 10-40 CPEs depending on contribution

Publishing articles, whitepapers, or books generates significant credits. A published article earns 10 CPEs; a book can yield 40. Speaking at conferences or leading training sessions earns credits based on preparation and delivery time—typically 4 CPEs per hour of presentation (accounting for preparation). These activities multiply your impact: you learn while preparing, and others learn from your contribution.

Volunteer Work and Mentoring

1 CPE per hour

Serving on ISC2 committees, volunteering for chapter activities, mentoring candidates preparing for CISSP, or contributing to security community projects generates credits at one per hour. This includes reviewing exam questions for ISC2, participating in working groups for standards bodies, or mentoring through formal programs. Document your hours and the organization you supported.

Unique Work Experience

Up to 40 CPEs per year for qualifying projects

Work projects that push you into new security areas can qualify for CPE credit. Implementing a new security technology, leading an incident response for a novel threat, or developing a security program from scratch involves learning that ISC2 recognizes. The key distinction: routine job duties don’t count, but projects requiring you to learn new skills or apply existing knowledge in new ways can qualify. Document the project scope, what you learned, and hours invested.

Group A vs Group B credits:

Group A: Domain-Related (up to 40 CPEs annually)

  • Security training courses
  • Security conferences
  • Technical security reading
  • Publishing security content
  • Security certifications
  • Vendor security training
  • Security work projects

Group B: Professional Development (maximum 10 CPEs annually)

  • Project management
  • Leadership training
  • Communication skills
  • Business management
  • General IT certifications
  • Non-security conferences
  • Career development

Tracking and Submitting CPE Credits

ISC2 provides an online portal through your member account for tracking CPE credits. You submit activities as you complete them, entering descriptions, dates, credit hours claimed, and the applicable CISSP domain. The system tracks your running total against annual and cycle requirements, showing exactly where you stand at any moment.

You don’t need to submit documentation with each entry, but you must retain supporting evidence for five years after submission. ISC2 conducts random audits where they request proof of claimed activities. Acceptable documentation includes certificates of completion, conference badges, transcripts, publication copies, and detailed logs for self-study activities. Failed audits can result in credit rejection and certification suspension.

The domain mapping matters because ISC2 wants to see engagement across the CISSP body of knowledge, not narrow focus on a single area. While there’s no requirement to earn credits in every domain, spreading activities across domains demonstrates broad ongoing competence. If all your credits come from network security training, consider branching into governance, risk management, or software security topics.

Submit credits promptly rather than batching entries at year end. Regular submission creates an audit trail showing consistent engagement throughout the year. It also prevents the frustration of trying to remember activities from months earlier when documentation details have faded from memory.

Free and Low-Cost CPE Opportunities

Earning 40 CPEs annually doesn’t require expensive training or conference attendance. Numerous free resources generate legitimate credits for engaged professionals.

  • ISC2 webinars and online events run throughout the year at no cost to members. Each hour of attendance generates one CPE. Topics cover current threats, emerging technologies, career development, and deep dives into CISSP domains. The ISC2 webinar archive contains hundreds of recorded sessions available on demand.
  • Vendor webinars and training often qualify when focused on security topics. Microsoft, AWS, Google Cloud, and most major vendors offer free security training. Their motivation is product adoption, but the content often addresses genuine security concepts applicable beyond their specific platforms. Document the security focus when submitting these credits.
  • Government publications provide extensive free reading material. NIST Special Publications cover everything from risk management frameworks to cryptographic guidelines. CISA resources address current threats and defensive practices. Reading and understanding these publications directly supports CISSP competence while generating self-study credits.
  • Security podcasts count toward self-study credits when you engage actively. Passive listening while commuting doesn’t qualify, but focused attention with note-taking does. Shows like Darknet Diaries, Security Now, and Risky Business cover current events and technical topics that reinforce CISSP knowledge. Document episodes and key takeaways in your study log.
  • Local ISC2 chapter meetings often occur monthly and are free for members. Chapters host speakers on various security topics, and attendance generates one CPE per hour. Beyond credits, chapters provide networking opportunities and local professional community that pure online learning can’t match. Find your nearest chapter through the ISC2 chapter directory.

Strategies for Consistent CPE Accumulation

The CISSPs who struggle with CPE requirements typically share a pattern: they ignore professional development for eleven months, then panic-search for activities in month twelve. Those who find CPEs effortless integrate learning into their regular routine.

Set a monthly target of 3-4 CPEs rather than thinking annually. At 3.5 CPEs per month, you exceed the 40-credit requirement without any single month demanding significant time investment. Four hours of security reading, one webinar, or half a day at a local chapter meeting satisfies a month’s worth of credits. This pace feels sustainable rather than burdensome.

Tie CPE activities to actual work needs. If your organization is evaluating SIEM platforms, research options thoroughly—that investigation generates self-study credits while serving your job. If you’re preparing a security awareness presentation, the preparation time counts toward professional development. Aligning CPE activities with work responsibilities doubles the value of time invested.

Stack activities for maximum efficiency. Attending a two-day security conference generates 12-16 CPEs in concentrated time. Earning a new certification in a related field yields credits based on study hours. Writing an article for publication can generate 10+ CPEs while building your professional reputation. These high-yield activities can cover multiple months of requirements in single efforts.

Build a CPE calendar at the start of each year. Identify conferences you’ll attend, certifications you might pursue, regular chapter meetings, and webinar series you’ll follow. Scheduling these activities in advance ensures they happen rather than getting displaced by daily urgencies. Review progress quarterly and adjust if you’re falling behind pace.

Sample CPE plan (40+ credits annually):

  • ISC2 chapter meetings: 12 CPEs (monthly, 1 hour each)
  • Security reading: 10 CPEs (~1 hour weekly)
  • Vendor webinars: 8 CPEs (8 webinars annually)
  • Work projects: 6 CPEs (new security initiative)
  • Podcasts: 4 CPEs (active listening, notes)
  • Total: 40 CPEs, no expensive training needed

When CPE Requirements Become Challenging

Certain circumstances make CPE compliance genuinely difficult. Extended illness, family emergencies, military deployment, or career transitions can disrupt professional development activities. ISC2 recognizes that life happens and provides accommodation processes for members facing hardship.

If you anticipate difficulty meeting CPE requirements, contact ISC2 before your deadline passes. They may grant extensions, accept alternative documentation, or work with you on modified requirements. Reaching out proactively demonstrates good faith; waiting until after a deadline and then explaining circumstances appears like excuse-making rather than genuine hardship.

Career changes that take you outside security temporarily create CPE challenges. A CISSP who moves into general IT management, product development, or a non-technical role may find fewer natural opportunities for security-specific learning. These transitions require more intentional effort to maintain credits—scheduling webinars, committing to reading time, and attending events you might otherwise skip.

Some CISSPs question whether maintenance is worthwhile if they’re no longer working directly in security. The answer depends on your likelihood of returning to security roles. Letting certification lapse means retaking the exam from scratch if you later want credentials. If there’s any reasonable chance you’ll want CISSP on your resume in the future, maintaining it is far easier than re-earning it.

Consequences of Non-Compliance

Missing CPE requirements or AMF payments doesn’t immediately revoke your certification—ISC2 provides a grace period and remediation process. However, consequences escalate quickly if you don’t address deficiencies.

Initial non-compliance results in suspension. Your certification becomes inactive, you can no longer use the CISSP designation, and ISC2’s member directory won’t confirm your credentials. Employers verifying certification status will see you as non-current. Suspension lasts until you satisfy outstanding requirements and pay any back fees.

Extended non-compliance leads to certification revocation. Once revoked, there’s no reinstatement path—you would need to pass the current exam and restart the endorsement process as if you’d never held the certification. Given the effort required to earn CISSP initially, revocation represents a significant loss.

Beyond formal consequences, CPE non-compliance signals professional disengagement. Job applications asking about certification status require honesty about suspended credentials. Interview questions about recent professional development become awkward when you haven’t engaged with the field in years. The credential’s value comes partly from what it signals about ongoing commitment, not just past achievement.

Making CPEs Work for Your Career

The most effective approach treats CPE requirements not as administrative burden but as structured motivation for growth you’d pursue anyway. Forty hours of annual professional development is modest—less than one hour per week. Framing CPEs as permission to invest in yourself rather than obligation to ISC2 changes the entire experience.

Use the requirement to explore areas outside your daily work. A security analyst focused on detection might use CPE activities to learn governance and risk management, broadening skills toward management roles. A GRC specialist might dive into technical security architecture, building credibility with engineering teams. CPEs provide justification for learning that immediate job pressures might otherwise crowd out.

Leverage high-visibility activities for career advancement beyond credit accumulation. Publishing articles establishes thought leadership. Speaking at conferences builds professional reputation. Mentoring creates networks and develops leadership skills. These activities generate CPEs while delivering career benefits far exceeding the credits themselves.

If your employer supports professional development, align CPE activities with available resources. Many organizations fund conference attendance, training programs, and certification pursuits. Using employer resources for CPE activities extracts maximum value from available benefits while reducing personal costs.

CPE requirements ensure CISSP certification remains meaningful rather than becoming a static credential from years past. Approach them as opportunity rather than obligation, integrate learning into your regular routine, and the 40-credit annual requirement becomes nearly invisible—a natural byproduct of staying engaged with a field that constantly evolves.

Elias Ward
Elias is a deep coding specialist who has spent most of his career working in places most people never hear about. Starting with a background in secure systems and backend development, he eventually moved into roles that required quiet precision and the ability to build or fix technology in environments where reliability mattered more than recognition.
