How To Earn CISM CPE Credits

July 5, 2019 by Lester Obbayi


The CISM certification is bolstered by the Continuing Professional Education (CPE) policy, whose main purpose is to ensure that certified CISM holders are up to date with the most current knowledge and proficiency possible within the information systems security management field. Just like physicians, lawyers, and other high-level professionals, CISM-holding IT security employees who continue to augment their education with the most recent information will be better equipped to manage, design, oversee, and assess enterprise information security and, by extension, a greater asset to their companies.

How Can I Earn CISM CPEs?

There are numerous ways that CISMs can obtain CPE credits, depending on the preferences of the CISM holder. These options include:

ISACA Professional Education Activities and Meetings (no-limit): CISMs can obtain up to 32 CPE credits per single event for participating in activities that are deemed acceptable by ISACA. Such activities include ISACA conferences, seminars, workshops, chapter programs and meetings. Proof of attendance will be required since not all chapter meetings are recorded in the ISACA database.

Self-Study Courses (no-limit): Attending online courses can guarantee up to about 26 CPE credits per course taken, depending on different variables such as the length of the course taken, the type of course, the total number of courses, and the time commitment for each session.

Non-ISACA Professional Education Activities and Meetings (no-limit): CISMs can engage in various activities such as university courses and in-house corporate training to gain CPE hours. Attending training courses is one common activity but, unlike the online courses, these require traveling to the institutions that issue the courses and have instructors and certified professionals. Up to 32 CPE credits can be earned by this method.

What Are the CISM CPE Guidelines?

The CISM CPE policy dictates the guidelines that should be adhered to in order to maintain the certification. These primarily dictate that, annually and over the three-year certification period, CISMs must attain and report CPE hours. The guidelines are defined as follows:

  1. Attain and Report Annual 20 CPE Hours: CISMs are required to report a minimum of 20 CPE hours that must be appropriate, up to date, and to the advancement of the CISM’s knowledge or ability to perform CISM-related tasks.
  2. Submit Annual Maintenance Fee: CISMs are required to make an annual CPE maintenance fee to the ISACA international headquarters in full.
  3. CIMS Must Attain and Report 120 CPE Hours for a 3-Year Reporting Period.
  4. Submit CPE Activities: If CISMs are selected for the annual audit, they are required to submit the necessary required documentation of CPE activities.
  5. Compliance with Code of Ethics: CISMs are required to comply with the Professional Code of Ethics issued by ISACA.

In addition to the CPE guidelines above, ISACA also states the following in general:

  1. The annual reporting period for CISMs begins on January 1 every year.
  2. To the CISMs making the maintenance fee payment, invoice notification will be sent through email and the hard copy invoice sent within the third quarter of each calendar year.
  3. CISMs who report the required number of CPE hours and submit the maintenance fee in full and in a timely manner will receive a confirmation from ISACA international headquarters, with all reported CPE hours for the three-year certification period.
  4. CISMs are not permitted to make use of the CISM logo for personal use such as overlaying it on business cards or on business products.

ISACA clearly warns that, if the guidelines above are not honored, the certification may be revoked and, if revoked, the holders must “destroy the certificate immediately.”

How Do I Calculate CISM CPE Credits?

According to the CISM policy, a CPE hour is earned for every fifty (50) minutes of active participation (this does not include lunches and breaks) and is for both qualifying and non-qualifying ISACA professional education activities and meetings.

CPE hours can be earned in quarter-hour increments and can also be reported in quarter-hours that are rounded to the nearest quarter-hour. For instance, a CISM who attends an eight-hour presentation (480 minutes) with 90 minutes of breaks will be eligible for 7.75 CPE hours. This is illustrated in the table below:

Study Activity Hours Spent Minutes Spent
9:00 am – 5:00 pm 8.0 480
Subtract: Two 15-minute breaks 0.50 30
Subtract: Lunch (1 hour) 1 60
Total hours spent on activity 6.5 390

The total of 390 minutes spent studying is divided by 50 minutes to result in 7.8 or 7.75 (rounded to the nearest quarter hour) CPE hours.

What Are Some Ways I Can Earn CISM CPEs for Free?

The best part of obtaining CPE hours is that there are a number of methods that do not cost money. CISMs can obtain up to 36 free CPE hours just by attending online webinars and virtual conferences. The fact that these are done online means that travel cost is slashed as well and, by doing so, CISMs become able to schedule such credit opportunities around their busy daily schedules. It is, however, important to note that CPE quizzes are given only to ISACA members.

A CISM can obtain up to 20 free CPE credits annually by serving as an ISACA volunteer in various environments and situations. If participation is on an ISACA committee, taskforce, or board, CISMs can earn a CPE credit for every hour of active service. The same is true if a CISM serves as an officer of an official ISACA chapter.

CISMs can also obtain up to 10 free CPE annually through various mentoring opportunities, for example, coaching, assisting, reviewing work for an individual studying to take a CRISC, CISM, CISA, CGEIT, or any other type of examination.

CPE hours can also be obtained through participating in vendor sales or marketing presentations that involve offering presentations related to management, design, or assessment of enterprise security.

CISMs may also obtain free CPE hours by publishing articles, monographs and books, either in soft copy or hard copy, that are directly related to the management of information security. ISACA requires that submissions of such publications should be made available in hard copy when requested, with a clear table of contents and, in the event of a website publication, the website link be made available upon request. In this case, CPE hours are earned for the actual number of hours taken to complete or review the material.

There exist many more methods of gaining free CPE hours especially for ISACA members.

Have There Been Any CISM CPE Policy Changes Recently?

In 2014, ISACA published the CISM CPE policy that is still in use today. However, a minor change was effected in the area “Passing Related Professional Examinations (no limit).” ISACA allowed, effective from January 1, 2014, two times the number of CPE hours to be earned for every examination hour when a passing score is achieved on a related professional examination. The change was allowed and accepted by the Credentialing and Career Management Board.


CISMs are encouraged to satisfy the guidelines as outlined by ISACA in order to maintain their certification. The different free and paid methods of obtaining CPE credits allow CISMs to easily meet the guidelines by providing a variety of preferences to choose from, and the available formula for calculating CPE credits helps in estimation of effort.

Posted: July 5, 2019
Lester Obbayi
View Profile

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.

Leave a Reply

Your email address will not be published.