Earning CPE credits to maintain the CISSP
Every CISSP holder has to earn continuing professional education (CPE) credits to maintain their CISSP certification. It is a significant achievement to earn your CISSP, and the CPE requirements ensure that CISSP certification holders remain knowledgeable about the current industry developments.
CPE requirements can be fulfilled by attending conference calls, seminars, webinars and industry conventions, and through self-study. You have to keep CPE certificates and attendance files and (ISC)² management may verify the CPE credit compliances at any time.
CISSP CPE policies and guidelines
All CISSP holders are required to earn 120 CPEs every three years; however, the (ISC)² CPE handbook suggests earning 40 CPEs annually so that CISSP holders don’t fall behind on their continuing education and can easily maintain their certification.
The handbook provides a clear overview of the various activities that count for CPE credits. Some types of CPE credits may align with your day-to-day job duties and ongoing skill development. Other types of CPE credits may align with activities and projects that may fit outside your normal duties. It is up to CISSP holders to follow proper CPE credit guidelines to accurately calculate their CPEs.
What are the general CPE requirements for CISSPs?
The CPE credits are categorized into two groups.
“Group A” credits are given for activities that are directly domain-related.
“Group B” credits are awarded for activities outside the main domain that can still enhance the general professional competencies and skills of the CISSPs. They can be earned by completing activities associated with general professional development to enhance your overall education, competency, professional skills, or knowledge outside of the credential’s specific domains. These activities traditionally include professional development programs such as the preparation for management courses or professional speaking. Although these activities do not directly apply to the domains, they are recognized as skills that can play a vital role in your overall professional growth.
Every CPE activity should be earned and completed during the certification cycle and not after the certification expiration date. Sometimes CISSPs are allowed a grace period for submitting CPE credits, but the credits have to be acquired before the certificate expiration date.
What happens if you fail to have the required CPE credits?
CISSPs must meet minimum CPE credits and failure to meet these requirements may result in suspension and loss of their certification. The suspension will be lifted only after the minimum annual CPE credits are met. Usually, candidates get a 90-day grace period to earn and submit their required CPE credits.
CISSPs have the option to file an appeal if they are decertified.
What CPE activities are available?
Typically, the work carried out as part of a CISSP’s normal duty will not be considered for CPE credits. If you do additional unique work in your workplace outside your normal daily duties, you may receive some CPE credits for those unique assignments.
As the handbook states, “Members and associates can earn up to 10 Group A CPE credits for activities performed during their regular working hours when they are engaged in unique projects, assignments, activities or exercises. The unique project, assignment, activity or exercise must fall outside of their normal (or day-to-day) job responsibilities or job description.”
CISSPs should note that if they are attending conferences or receiving training, they can claim CPE credits in the respective categories, whether they were from attendance or from work done on the job.
Examples of “Group A” and “Group B” credits
- Taking an online self-paced, blended or instructor-led educational course
- Reading a magazine, book or whitepaper
- Publishing a book, whitepaper or article
- Attending a conference (in-person or virtual), educational course, seminar or presentation
- Preparing for a presentation or teaching information related to information security
- Performing a unique work-related project that is not a part of your normal work duties
- Self-study related to research for a project or preparing for a certification examination
- Volunteering for government, public sector, and other charitable organizations
- Taking a higher education course
- Attending non-security industry conferences
- Participating in non-security education courses
- Preparing for non-security presentation/lecture/training
- Non-security government/private sector/charitable organizations committee
How are CPE credits calculated?
CPE credits are calculated as per activity; below are common categories where CISSPs can earn credits for each activity. Generally, one-hour CPE credit can be earned for every one hour spent in any activity related to education. However, several activities will give you more credits because of the depth of study involved or the amount of commitment required. Typically, you cannot earn CPE credits through your normal day-to-day job activities.
Attending educational and training seminars or courses
Attending educational and training seminars or courses can give you “Group A” or “Group B” credits for every hour of attendance. “Group B” credits are earned when the training courses or seminars are not associated with the domains of a credential.
Similarly, one CPE credit can be earned for every hour of attendance or for every session of a conference. “Group A” credits can be obtained for cyber-security conferences, whereas other educational conferences will give you “Group B” credits.
Attending presentations from vendor
You can earn only one “Group A” CPE credit for every one hour of attendance at any presentation from a vendor. The presentation has to be educational and associated with the credential domains.
Higher academic course completion
One CPE credit can be earned for every hour spent in a higher academic course class. The class may be taken online. The credits will be given only after the course has been successfully completed and passed. “Group A” credit is given for courses related to the credential domains; otherwise, the credit earned is for the “Group B” category.
Preparations for training, lectures or presentations
CPE credits can also be earned for the time spent preparing training, lectures, or presentations. However, they have to be non-work-related and no CPE credits can be earned for the time spent while presenting them. The credits will be of “Group A” category when the training, lectures, or presentations are directly related to credential domains; otherwise “Group B” credits are earned. No credits can be earned for training or teaching courses involving multiple days (or even of long duration, i.e., weeks or months).
Security book or article publication
Publication of a security book or article can earn you “Group A” CPE credits if it is the first publication in a magazine or journal, but the article should be related to the credential domains. Either print or electronic publication is eligible for credits. Only “Group A” credits can be earned through this route.
Performing security–related board services
Security-related board services can earn you “Group A” credits only. The CPE credits will be awarded on the basis of the contribution level as determined by the relevant organization board or parent company. It is recommended that you document your service hours through a signed statement from any officer of that organization, or you may attest your own CPE credits if the organization fails to do so.
A CPE credit can be earned by attending podcasts, webcasts, or CBT (computer-based training) for every hour of such activities. The credits will be of “Group A” category when the podcasts, webcasts, or CBT are directly related to credential domains; otherwise “Group B” credits are earned. However, there is a restriction to the number of CPE credits that can be submitted for podcasts, webcasts, or CBT.
Studying cybersecurity magazines or books
You can earn specific CPE credits for reading cybersecurity magazines or books; only “Group A” credits can be earned.
You can claim CPE credits for reading whitepapers published on authentic websites. You have to write a short summary of the contents that you studied, including the details of the website. The website must be accessible without any restrictions. Only “Group A” credits can be earned.
Security whitepaper writing
Writing whitepapers can give you “Group A” credits after they are published on any valid or authentic organizational website. The whitepaper has to be at least two pages long and should be accessible without any restriction.
Reading the InfoSecurity Professional magazine
Reading the InfoSecurity Professional magazine can give you “Group A” credits for every issue. This is a members-only online magazine. You may need to pass an online quiz that is related to the magazine’s content.
Cybersecurity book reviews
You can earn “Group A” credits by reviewing cyber-security books. Credits are given for every book reviewed. The review must be of a specified length.
Volunteering for charitable organizations, public sector, or government
“Group A” CPE credit can be earned for every hour of volunteer work. You have to retain a signed confirmation on the letterhead of the organization clearly indicating the volunteer work hours performed related to the credential domain.
Volunteering for meetings of cyber–security and information systems
Attending and volunteering for meetings of cyber security and information systems can give you “Group A” or “Group B” credits, depending on the relation of the meeting to the credential domains.
Safe and Secure Online program
Completion of the Safe and Secure Online program can give you “Group A” credits. You may also attend in-person orientations from ISC. You have to complete and pass the online orientation quiz after attending the Safe and Secure Online program.
Performing unique on-the-job activities and projects
You can earn “Group A” CPE credits for unique on-the-job activities and projects during your normal working hours.
Preparation of new or updating existing classroom, seminars, and training materials
“Group A” credits can be earned by preparing new or updating existing classroom, seminar and training materials. However, the materials should be new and not repeated or recycled and no CPE credits are awarded for the time spent presenting the material.
Maintaining your CISSP
CPE credits are necessary for every CISSP holder. Earning credits not only helps individuals maintain their certification but also helps them grow as professionals. The CPE credit system is designed to ensure that (ISC)² members keep up with the ever-expanding knowledge in the field of information security and thus remain competitive.