Renewal requirements for the CISSP [updated 2022]
The (ISC)² Certified Information Systems Security Professional (CISSP) certification is considered the gold standard in information security credentials.
A person with this designation is deemed to have sufficient technical knowledge and skills to develop or enhance a security program when compared with standard worldwide measurements.
There are stringent requirements that must be met in order to become recognized as a CISSP:
- Have five years of cumulative, paid work experience in two or more of the eight domains of the (ISC)² CISSP common body of knowledge (CBK).
- Pass a three-hour English exam consisting of 100 to 150 questions under computerized adaptive testing (CAT); alternatively, answer 250 questions in a six-hour testing window if taking the linear, fixed-form test administered in all other languages.
- Get endorsed by an (ISC)² certified professional who is currently an active member. This endorsement must happen no later than nine months after the date of the exam; otherwise, retaking the exam is required.
- Recertify every three years in order to maintain the CISSP-certified status.
Next are the answers to some frequently asked questions about the recertification and renewal requirements.
How long is the CISSP certification good for?
While the CISSP certification is valid for three years, there are certain requirements for (ISC)² certified members and associates to maintain their membership, certification and active status. As per (ISC)²’s member policies, they “must earn a minimum amount of continuing professional education (CPE) credits for each of their one-year or three-year certification cycles, as well as pay an annual maintenance fee (AMF).”
Note: (ISC)² allows certified members and associates a 90-day grace period for fulfilling the AMF and CPE requirements on time.
What are CISSP CPEs?
Part of the renewal requirements for those holding the CISSP is earning a certain number of CPE credits annually and over the full three-year cycle. Failure to comply will result in the revocation of an individual’s CISSP designation, and the exam will have to be retaken to become recertified.
To satisfy the CISSP CPE requirements, beginning the calendar year after becoming certified, members need to engage in activities that directly relate to the domains of the certification (categorized as “Group A” credits) or that are outside the domains but still part of the general professional development (“Group B” credits).
What are CISSP AMFs?
(ISC)² certified members pay a single AMF of $125 (regardless of how many certifications they hold), which is due each year on the anniversary of their certification date. Associates of (ISC)² pay an AMF of $50 due each year. Failure to pay within 90 days will result in certification suspension. To be reinstated, a member must pay the $600 reinstatement fee in addition to the $100 application fee and the outstanding AMF costs before registering for and then scheduling the exam by creating an account with Pearson VUE.
What is the code of ethics?
The Code of Ethics, or “The Code,” must be adhered to by all information security professionals recognized and certified by (ISC)², not just CISSPs. The Code is composed of four mandatory canons:
- Protect society, the common good, necessary public trust and confidence and the infrastructure.
- Act honorably, honestly, justly, responsibly and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Members who violate any clause of The Code, whether knowingly or unknowingly, will be subject to action, which can result in the cancellation of their certification.
What are the CISSP CPE maintenance requirements?
Certified members are required to earn and submit the following CPE credits: 40 per year (recommended), 120 by the end of the three-year cycle (required).
(ISC)²’s CPE handbook states, “If you hold a CISSP concentration, 20 CPE credits of the total number of Group A CPE credits required in the CISSP three-year cycle must be directly related to your concentration. If you hold more than one concentration, you must earn 20 credits in each concentration. CPE requirements for a concentration are automatically counted toward the CISSP CPE requirement.”
These CISSP CPE activities must be completed during the three years and no later than the expiration date stated in the certification. The CISSP CPE credits can be submitted after the expiration date (but not more than 90 days after); however, those credits must have been earned before the expiration date stated.
What are the various CISSP CPE activities?
Work completed as part of the regular job of a CISSP does not qualify for CPE credits; credits are instead granted for attending training sessions, conferences, seminars and similar activities where professionals can gain a high level of knowledge or skill.
The activities are divided into Group A credits (directly related to the domains) and Group B credits (professional development skills, education, knowledge or competency outside the domains). Here are some examples of the CISSP CPE activities for which a member can earn credits:
Group A credits:
- Attending a conference (in-person or virtual), educational course, seminar or presentation in communication and network security
- Publishing a book, whitepaper or article on security operations
- Serving as a subject matter expert (SME) for a panel discussion on asset security
Group B credits:
- Technical skill sets not in information security, such as programming languages
- Management-oriented events that promote development in skills like communication and teamwork
- Project planning activities that expand their knowledge base to perform well at the tasks given
These are just examples and many other activities can be claimed as CPE credits.
Members in “good standing” need not fret about finding CPE activities, as (ISC)² has made it simple for its members to access them. Information on educational courses and seminars that members can attend is available from (ISC)².
How are CPE credits calculated?
CPE credits are weighted according to the activities a member attends or participates in. In general, a member will earn one CPE credit per hour spent in an educational activity, although some activities are worth more credits. Here are a few CPE opportunities:
- Attendance at conferences (both groups): attendees in conferences related to cybersecurity will qualify for one Group A credit per hour, while other educational conferences (not related to the domains) receive one Group B credit per hour.
- Attendance at vendor presentations (Group A only): for every half hour of attendance, one Group A credit is awarded, as long as the presentation is educational and is related to the domain.
- Completion of self-study, computer-based training (CBT) and podcasts (both groups): attendance and completion of any of these activities will award one credit per hour for the member. Members should keep records of attendance at any of these in order to be able to provide details should they be audited.
- Volunteering for government and charitable organizations (Group A only): each hour of volunteer work earns one CPE credit. This volunteer work must be related to the member’s credential, since only Group A credits will be recognized.
- Reading information security books (Group A only): one completed book per year is equal to five CISSP CPE credits. Only one book per year is allowed in this instance. After completing the book, the member is required to upload a summary of the information gained from the book in order to earn these credits.
What will happen if I don’t meet the requirements for renewal?
Should a member fail to meet any of the requirements stated above, they will have the CISSP certification canceled or revoked. If a member allows their certification to expire without renewing prior to the expiration date, the certification is considered canceled, as well. However, membership can be regained even after the certification has been canceled.
There are two ways to regain membership if the certification is revoked: retaking the exam or by appeal.
- Appeal: the (ISC)² board hears appeals. To formally file an appeal, the member must put it in writing and submit it to the board within 90 days of the event in question (such as denial of CPE credits or expiration of certification). The board will convene, reach a decision and send out a formal written response. This decision is considered final.
- Retaking the exam: a member can retake the exam in order to re-obtain the certification. The member will have to go through the same process they did the first time: scheduling the exam, paying the examination fee and taking and successfully passing the test. If a prior member passes the exam, they will have to contact the member services department to reactivate the certification.
Renewing your CISSP certification
CPEs are a crucial part of staying a certified information security professional and continuing to learn in an ever-changing industry. “Earning [CPE] credits not only helps individuals maintain their certification but also helps them grow as professionals.”
The steps for obtaining and maintaining a CISSP certificate may be tedious, but they are required because the world of information security is constantly evolving. (ISC)² has devised these guidelines to ensure the highest standards among working professionals.