Earning CPE credits to maintain the CISSP

July 3, 2019 by Aroosa Ashraf

Earning CPE credits

Every student of security has to earn Continuing Professional Education (CPE) credits to maintain their CISSP certification. They receive attendance certificates indicating the format, number, practice area and title of the CPE credits.

The CPE requirements ensure that CISSP certification holders remain knowledgeable about current industry developments. CPE requirements can be fulfilled by attending conference calls, seminars, webinars and industry conventions, and through self-study. You have to keep CPE certificates and attendance files, as (ISC)2 management may verify CPE credit compliance at any time.

It is a significant achievement to study for and qualify as a CISSP. It is a difficult task to complete and one must feel proud of such an accomplishment. However, once certification is obtained, a CISSP must earn credits by participating in CPE to remain competitive and in a good position in the organization.

CPE policies and guidelines

The CPE Policies and Guidelines give distinct instructions on the CPE activities and requirements for each year of a CISSP's three-year certification cycle. Audits of the CPE requirements are carried out to make sure that members are in a sound position to maintain their CISSP certifications.

There are clear overviews of the various activities that count for CPE credits. Therefore, you must follow the proper CPE credit guidelines to calculate your CPE credits accurately. To enhance your professional development, it is essential to know the types of CPE credits you require and which work can earn you CPE credits in your regular day-to-day performance. However, you may also earn CPE credits for engaging in exclusive activities or projects in your workplace outside of your regular job profile. These activities must expand your skills and knowledge base.

What are the general CPE requirements for CISSPs?

To retain your certification, you may have to earn and submit a minimum number of CPE credits in every year of your certification cycle. You also need to reach a minimum total by adding up the CPE credits earned during the certification cycle.

CPE credits are categorized into two groups. Depending on how the associated activities relate to the certification domains, they are categorized as “Group A” or “Group B” credits. “Group A” credits are given for activities that are directly domain-related, whereas “Group B” credits are awarded for activities outside the main domain that can still enhance the general professional competencies and skills of CISSPs.

Every CPE activity should be earned and completed during the certification cycle and not after the certification expiration date. Sometimes CISSPs are allowed a grace period for submitting CPE credits, but the credits have to be acquired before the certificate expiration date.

What happens if you fail to have the required CPE credits?

CISSPs must meet the minimum CPE credit requirements; failure to meet them may result in suspension and loss of their certification. The suspension will be lifted only after the minimum annual CPE credits are met. Usually, candidates get a 90-day grace period to earn and submit their required CPE credits. CISSPs have the option to file an appeal if they are decertified.

What CPE activities are available?

CPE credits can be earned by participating in various activities where CISSPs gain experience as well as knowledge. Typically, the work carried out as part of a CISSP’s normal duty will not be considered for CPE credits. CISSPs should note that if they are attending conferences or receiving training, they can claim CPE credits in the respective categories, whether they were from attendance or from work done on the job.

If you do additional unique work in your workplace outside your normal daily duties, you may receive some CPE credits for those unique assignments. However, this does not count for conferences, seminars, educational courses, training, vendor presentations, or similar activities, as these are considered as separate CPE activities.

What are the types of CPE credits?

There are two types of CPE credits:

“Group A” credits are associated with domain-related activities that are directly related to the areas governed by the credential’s specific domains.

“Group B” credits are related to knowledge sharing and professional development. They can be earned by completing activities associated with general professional development to enhance your overall education, competency, professional skills, or knowledge outside of the credential’s specific domains. These activities traditionally include professional development programs such as the preparation for management courses or professional speaking. Although these activities do not directly apply to the domains, they are recognized as skills that can play a vital role in your overall professional growth.

Examples of “Group A” and “Group B” credits

| “Group A” | “Group B” |
|---|---|
| Risk Management Framework | Management Courses |
| Information System Categories | Communication Skills |
| Security Control Selection | Techniques to Interview |
| Implementation of Security Controls | Skills for Team Development |
| Assessment of Security Controls | Activities of Project Planning |
| Authorization of Information System | Technical Skills |
| Security Controls Monitoring | Accounting Courses |

How are CPE credits calculated?

CPE credits are calculated per activity; below are common categories where CISSPs can earn credits for each activity. Generally, one CPE credit can be earned for every hour spent in any activity related to education. However, several activities will give you more credits because of the depth of study involved or the amount of commitment required. Typically, you cannot earn CPE credits through your normal day-to-day job activities.

Attending educational and training seminars or courses 

Attending educational and training seminars or courses can give you “Group A” or “Group B” credits for every hour of attendance. “Group B” credits are earned when the training courses or seminars are not associated with the domains of a credential.

Attending conferences 

Similarly, one CPE credit can be earned for every hour of attendance or for every session of a conference. “Group A” credits can be obtained for cyber-security conferences, whereas other educational conferences will give you “Group B” credits.

Attending presentations from vendors

You can earn only one “Group A” CPE credit for every one hour of attendance at any presentation from a vendor. The presentation has to be educational and associated with the credential domains.

Higher academic course completion 

One CPE credit can be earned for every hour spent in a higher academic course class. The class may be taken online. The credits will be given only after the course has been successfully completed and passed. “Group A” credit is given for courses related to the credential domains; otherwise, the credit earned is for the “Group B” category.

Preparations for training, lectures or presentations 

CPE credits can also be earned for the time spent preparing training, lectures, or presentations. However, they have to be non-work-related and no CPE credits can be earned for the time spent while presenting them. The credits will be of “Group A” category when the training, lectures, or presentations are directly related to credential domains; otherwise “Group B” credits are earned. No credits can be earned for training or teaching courses involving multiple days (or even of long duration, i.e., weeks or months).

Security book or article publication 

Publication of a security book or article can earn you “Group A” CPE credits if it is the first publication in a magazine or journal, but the article should be related to the credential domains. Either print or electronic publication is eligible for credits. Only “Group A” credits can be earned through this route.

Performing security-related board services

Security-related board services can earn you “Group A” credits only. The CPE credits will be awarded on the basis of the contribution level as determined by the relevant organization board or parent company. It is recommended that you document your service hours through a signed statement from any officer of that organization, or you may attest your own CPE credits if the organization fails to do so.

Completing self-study

A CPE credit can be earned by attending podcasts, webcasts, or CBT (computer-based training) for every hour of such activities. The credits will be of “Group A” category when the podcasts, webcasts, or CBT are directly related to credential domains; otherwise “Group B” credits are earned. However, there is a restriction to the number of CPE credits that can be submitted for podcasts, webcasts, or CBT.

Studying cybersecurity magazines or books

You can earn specific CPE credits for reading cyber-security magazines or books; only “Group A” credits can be earned.

Whitepaper reading

You can claim CPE credits for reading whitepapers published on authentic websites. You have to write a short summary of the contents that you studied, including the details of the website. The website must be accessible without any restriction. Only “Group A” credits can be earned.

Security white paper writing 

Writing white papers can give you “Group A” credits after they are published on any valid or authentic organizational website. The white paper has to be at least two pages long and should be accessible without any restriction.

Reading the InfoSecurity Professional magazine

Reading the InfoSecurity Professional magazine can give you “Group A” credits for every issue. This is a members-only online magazine. You may need to pass an online quiz that is related to the magazine’s content.

Cyber-security book reviews 

You can earn “Group A” credits by reviewing cyber-security books. Credits are given for every book reviewed. The review must be of specified length.

Volunteering for charitable organizations, public sector, or government  

“Group A” CPE credit can be earned for every hour of volunteer work. You have to retain a signed confirmation on the letterhead of the organization clearly indicating the volunteer work hours performed related to the credential domain.

Volunteering for meetings of cybersecurity and information systems

Attending and volunteering for meetings of cyber security and information systems can give you “Group A” or “Group B” credits, depending on the relation of the meeting to the credential domains.

Safe and Secure Online program 

Completion of the Safe and Secure Online program can give you “Group A” credits. You may also attend in-person orientations from (ISC)2. You have to complete and pass the online orientation quiz after attending the Safe and Secure Online program.

Performing unique on-the-job activities and projects

You can earn “Group A” CPE credits for unique on-the-job activities and projects during your normal working hours.

Preparation of new or updating existing classroom, seminars, and training materials

“Group A” credits can be earned by preparing new or updating existing classroom, seminar and training materials. However, the materials should be new and not repeated or recycled and no CPE credits are awarded for the time spent presenting the material.

Getting CPE credits and subsequent certification is considered a significant achievement in the career of a CISSP certification-holder. But it is important for certification-holders to continue developing in their professional fields to ensure their competitiveness and keep up with the ever-expanding information in their field. Through CPE activities, members can grow and enhance their skills, thereby making a valuable investment in their careers as well as themselves. CPE credits help employees to increase their worth to customers and employers.


A minimum of 40 CPE credits has to be earned each year and a total of 120 CPE credits have to be maintained for the total three-year certification cycle. If you hold more than one CISSP concentration, then the CPE credits will be calculated annually.

What are some free ways to earn CISSP CPE credits?

Earning CISSP CPE credits is not always easy. However, you can earn credits by performing simple tasks such as attending meetings and conferences organized by sponsored chapters. The problem is that these conferences and meetings often have associated fees. For professionals who are newly certified, this presents a problem as they may have difficulty in coming up with the money to attend these conferences and meetings.

The good thing is that there are many free options for earning CPE credits. You have to fully understand the requirements to avoid having your credits rejected. CPE credit is designed to keep you abreast of new advancements and developments, as well as to enable you to remain active in the InfoSec community. There are, however, clear differences in the strictness of the certifying authorities. Some of them are very rigid, while others may be more permissive.

For example, if your certification requires 120 CPE Credits for the three-year certification cycle, you need just 3.33 hours per month for the entire 36-month period. Therefore, simply clocking 1 hour every week is enough for you to end up with some surplus and is quite manageable.

Let us go through some of the recognized free methods for earning CPE credits.

One of the simplest ways to earn CPE credits for free is to install some podcast apps on your mobile phones or tablets and then subscribe to several podcasts that are related to your certification. You do not need to go to every podcast URL. Instead, browsing them from your app and listening for only 15 minutes a day for four days will give you one hour a week. Similarly, webcasts are also available.

Some of the top podcasts are:

“Security Weekly” and “Drunken Security” (http://www.PaulDotCom.com): Video available (http://securityweekly.com/watch)

“Security Now!” from Steve Gibson (http://www.grc.com/securitynow.htm)

“Down the Security Rabbit Hole” (http://podcast.wh1t3rabbit.net/)

“Bank Info Security” offers podcasts helpful to professionals outside the banking sector (http://www.bankinfosecurity.com/).

There are, of course, other helpful podcast sites. Always look out for whatever educational avenues you may find suitable for you. It is advisable to go beyond your areas of expertise and look for other materials. Focus more on strengthening your weakest areas.

Recent changes in CPE credits?

CPE policy has undergone some changes in recent years that require you to earn an equal amount of CPE credits every year in a three-year certification cycle. This policy update was made to help you remain current regarding CPE credits on an annual basis, thus making it easier for you to manage the three-year comprehensive certification renewal process. This will ensure that you will not find yourself significantly lacking CPE credits in the last year of your certification cycle. The new policy went into effect January 1, 2015.

In the current scenario of rapidly increasing cyber-security threats, continuing education has become a critical aspect of staying updated on the possible avenues of security concerns. To remain effective, information security professionals must maintain a continuous learning state because of the rapid changes in technology.

Now the required “Group A” (domain-related) and “Group B” (optional professional development) CPE credits for every three-year renewal cycle can be divided evenly across the three years. The total CPE credit hours needed for every certification remain the same and are equally distributed within the three-year cycle. “Group B” CPE credits can be substituted by “Group A” CPE credits, as they remain optional.


CPE credits are necessary for every individual in the information security profession to maintain their CISSP certification. Earning credits not only helps individuals maintain their certification but also helps them grow as professionals. The CPE credit system is designed to ensure that (ISC)2 members keep up with the ever-expanding knowledge in the field of information security and thus remain competitive. Earning CPE credits is vital for the professional development of information security professionals. Through CPE activities they are making an important investment that will help them grow and shape their careers. It enhances their skills, thereby increasing their value to their employers as well as to their customers.


Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She completed her graduation in 2013. She is an experienced researcher and technical writer, and for the last 4 years she has been working as a writer on different platforms. Currently, she is writing many technical and non-technical articles for her national and international clients.
