11.6 CPE, AMF, and Three-Year Maintenance Plan

Key Takeaways

  • Maintaining CISSP requires CPE credits and annual AMF payment under ISC2 member policies.
  • CISSP requires 120 CPE credits over a three-year cycle, including 90 Group A credits.
  • The suggested annual pace is 40 total CPE credits, including 30 Group A credits.
  • A sustainable maintenance plan ties learning activities to job responsibilities, evidence, and renewal deadlines.

Last updated: May 2026

Maintenance Begins Before the Celebration Ends

CISSP certification maintenance is part of professional accountability. The source brief states that members must earn continuing professional education credits and pay annual maintenance fees to maintain certification or associate status. For CISSP, the three-year requirement is 120 total CPE credits. Within that total, 90 Group A credits are required over three years, and 30 additional Group A or Group B credits are required over three years.

The suggested annual pace is 40 total CPE credits, including 30 Group A credits and 10 Group A or B credits. This suggested pace matters because deferring maintenance work creates unnecessary risk. A professional who waits until the end of the cycle may struggle to find relevant activities, reconstruct evidence, or align learning to practice. The better approach is to run maintenance as a lightweight quarterly program with records, goals, and review.

Group A credits should relate directly to the domains of the certification. For CISSP, that means activities connected to governance, asset security, architecture, networks, identity, assessment, operations, or software development security. Group B credits can support broader professional development. The exact activity eligibility should always be checked against current ISC2 policies, but the management habit is stable: record what you did, when you did it, how long it took, why it is relevant, and what evidence supports it.

| Requirement          | Three-year amount  | Suggested annual pace | Planning note                                            |
|----------------------|--------------------|-----------------------|----------------------------------------------------------|
| Group A CPE          | 90                 | 30                    | Tie directly to CISSP domains                            |
| Group A or B CPE     | 30                 | 10                    | Use for domain or broader professional growth            |
| Total CPE            | 120                | 40                    | Track quarterly to avoid deadline risk                   |
| Certified member AMF | U.S. $135 annually | U.S. $135 annually    | Members with multiple covered certifications pay one AMF |
| Associate AMF        | U.S. $50 annually  | U.S. $50 annually     | Applies to Associate of ISC2 status                      |

The source brief states that certified members holding CISSP, SSCP, CCSP, CGRC, CSSLP, ISSAP, ISSEP, or ISSMP pay a U.S. $135 annual maintenance fee. Associates of ISC2 pay U.S. $50. Members with multiple certifications pay one AMF, due on the earliest certification anniversary. These numbers are logistics, but they also create a planning requirement. Put AMF dates and CPE checkpoints on the calendar as soon as the credential is active.

A strong CPE plan is not a random stack of webinars. It should improve the professional practice that CISSP represents. If your role is moving into cloud governance, plan activities around shared responsibility, identity federation, data protection, logging, resilience, and supplier risk. If your organization is improving software security, plan learning around secure SDLC, threat modeling, code review, CI/CD controls, and vulnerability management. Maintenance should make you better at the work, not merely compliant on paper.

Evidence discipline is essential. Keep certificates of completion, agendas, notes, attendance records, publication links, presentation materials, or other supporting records as appropriate. Store them in a structured folder by cycle year and activity type. Record the date, provider, topic, duration, domain relationship, and claimed credit. This is the same mindset used in security assessment: if a control or requirement matters, evidence should be retrievable, accurate, and understandable.

Three-Year Maintenance Workflow

  1. Record certification cycle start and anniversary dates.
  2. Add annual AMF due dates and quarterly CPE review checkpoints.
  3. Set a target of at least 10 CPE credits per quarter to maintain margin.
  4. Prioritize Group A activities tied to current job risks and CISSP domains.
  5. Store evidence immediately after each activity.
  6. Review totals twice a year for Group A, Group B, and overall progress.
  7. Adjust the learning plan when job duties, technology, or risk priorities change.

Consider a security manager responsible for a new identity governance program. A strong maintenance plan could include a course on identity lifecycle controls, a conference session on privileged access governance, an internal presentation on access review metrics, and a tabletop exercise involving account compromise. The manager records each activity, maps it to IAM, Security and Risk Management, and Security Operations as appropriate, and retains evidence. The CPE record then reflects actual professional growth.

Do not treat CPE as separate from ethics and competence. CISSP professionals are expected to keep learning because security risk changes. Regulations evolve, architectures shift, attackers adapt, and business processes move. Maintenance is the mechanism that keeps the credential connected to current practice. A three-year plan should therefore include both depth in your current role and breadth across domains you touch less often.

The final study chapter includes maintenance because certification is not the end state. It is the beginning of a documented professional cycle. The same habits that helped during study (source control, evidence, risk mapping, and disciplined review) continue after certification. A candidate who understands this before test day will be better prepared for the full credential lifecycle.

Test Your Knowledge

What is the CISSP three-year CPE requirement in the source brief?


Which maintenance habit best reflects CISSP professionalism?


According to the source brief, what annual AMF applies to certified members holding CISSP?
