CPE Maintenance After Certification

Key Takeaways

  • CISM holders must earn a minimum of 20 CPE hours each year and 120 CPE hours over the three-year reporting cycle.
  • Annual maintenance fees are $45 for ISACA members and $85 for non-members.
  • Keep documentation for CPE for at least the cycle plus the prior year, because ISACA audits a sample of certificants.
  • Failing CPE or fee requirements leads to suspension and eventually revocation of the credential.
Last updated: June 2026

The CISM is not a one-time achievement -- it must be maintained through Continuing Professional Education (CPE) and annual fees, governed by ISACA's CPE policy. Two minimums run in parallel and you must satisfy both:

  Requirement                          Amount
  Annual minimum CPE                   20 hours per calendar year
  Three-year cycle CPE                 120 hours total over the reporting period
  Annual maintenance fee (member)      $45
  Annual maintenance fee (non-member)  $85

The annual 20-hour floor is what trips people up: earning 120 hours in one burst does not excuse you from at least 20 in each of the three years. One CPE hour generally equals 50 minutes of qualifying activity. CPE must be relevant to information security management -- it must advance the currency or competence of your CISM-related knowledge.

The reporting cycle is a fixed three-year window tied to your certification, and both clocks reset at its close. The maintenance fee is separate from ISACA membership dues: paying for membership does not cover the certification maintenance fee, and skipping the maintenance fee suspends the credential even if your membership is current. Treat the fee and the 20-hour floor as two independent obligations that both fall due annually -- meeting one never excuses the other, and missing either starts the path toward suspension.

What qualifies and how to track it

Qualifying activities include attending conferences and webinars, ISACA chapter meetings, vendor training, university courses, and self-study; you can also earn CPE by teaching, presenting, publishing articles or books, contributing to ISACA item-writing, or serving on boards/committees. There are caps on certain categories (for example, limits on self-study or on repeated delivery of the same presentation), so spread activities across types.

Recordkeeping is mandatory and audited:

  1. Log each activity with date, provider, title, hours, and a description of how it relates to information security management.
  2. Keep certificates of attendance or completion as evidence.
  3. Retain records for the full reporting cycle plus the prior year -- ISACA randomly audits a percentage of certificants each year and will request proof.
  4. Report CPE through your ISACA account before the annual deadline.

Consequences of non-compliance

Missing the CPE minimums or not paying the maintenance fee moves you to a non-compliant/suspended status; if uncorrected, ISACA revokes the certification, after which you would have to re-qualify (including re-sitting the exam) to regain it. A revoked credential cannot be listed on a resume. The practical takeaway: set calendar reminders for the annual fee and the 20-hour floor, and bank a small buffer of CPE each year so an audit or a busy quarter never puts the credential at risk. Note these maintenance rules apply once you are certified -- they are separate from the experience and ethics requirements you satisfied at application.

A worked compliance example

Suppose your three-year cycle runs 2026-2028. A compliant pattern might be:

  Year         CPE earned   Annual minimum (20) met?   Fee paid
  2026         45 hours     Yes                        Yes
  2027         40 hours     Yes                        Yes
  2028         40 hours     Yes                        Yes
  Cycle total  125 hours    --                         --

This clears both the 120-hour cycle and the 20-hour annual floor every year, with a small buffer in case a few hours are disallowed in an audit. Contrast that with 60/60/0, which meets the cycle total but fails the annual floor in the final year and would put the credential at risk.

Cost of ownership and managing multiple ISACA certs

Budget for maintenance as a recurring cost, not a one-time exam expense. At $45 (member) or $85 (non-member) per year, plus membership dues if you choose the member rate, the credential carries an ongoing fee that must be paid by the annual deadline alongside CPE reporting. If you hold more than one ISACA certification (for example CISM and CISA), CPE hours from the same qualifying activity can often count toward each certification's requirement, but you still pay each certification's maintenance fee and meet each one's annual minimum separately. Plan training to maximize that overlap.

Finally, keep your ISACA profile current: missed renewal notices are a common reason holders lapse into non-compliance, and a lapsed-then-revoked credential generally requires re-qualifying -- including re-sitting the exam -- to restore, which is far costlier than the annual fee you skipped.

Earning CPE efficiently and the audit mindset

The most sustainable approach is to weave CPE into work you already do. Reading ISACA journal articles and passing the associated quiz, attending a security webinar, or completing relevant vendor training each yields hours with documentation attached. Higher-value, capped categories -- teaching, presenting, publishing, or item-writing for ISACA -- can quickly cover a year's requirement and tend to produce clean evidence (an agenda, a publication link, a confirmation email).

Adopt an audit mindset from day one rather than scrambling if you are selected. The standard ISACA expectation is that you can produce, for any reported activity, what it was, when, who provided it, how many hours, and why it relates to information security management. A spreadsheet plus a folder of certificates satisfies this. Because ISACA audits a random sample of certificants annually, every CISM should assume they could be picked and keep records accordingly -- the buffer of extra hours and tidy documentation is cheap insurance for a credential that took years of work to earn.

Test Your Knowledge

A CISM holder earns 0 CPE in year one, 0 in year two, and 120 hours in year three. Are they compliant for the three-year cycle?

What is the most reliable way for a CISM holder to survive an ISACA CPE audit?
