Renewal Requirements for the CISSP

July 3, 2019 by Infosec

CISSP Renewal Requirements

In today’s digital age, more and more attacks are carried out through cyberspace. Identity theft, online banking fraud and data breaches are far more common than they were a decade ago. That is why companies make it a priority to staff competent information security departments whose task is to protect the organization’s assets and vital information.

Anyone who is, or wants to be, a security consultant, security systems engineer, security architect, security manager, IT director, security director or the like is well advised to hold the CISSP certification. An article in the Washington Post reports that 56 percent of cyber jobs in the contracting industry require it.

The Certified Information Systems Security Professional (CISSP) certification is widely regarded as the gold standard among information security credentials. A holder is deemed to have the technical knowledge and skills to design, build and manage a security program, measured against a globally recognized body of knowledge. The credential is awarded by the International Information System Security Certification Consortium, (ISC)² for short, a nonprofit dedicated to the information security profession.

There are stringent requirements that must be met in order to become recognized as a CISSP:

  1. At least five years of cumulative, paid work experience in two or more of the CISSP domains recognized by (ISC)² must first be obtained. (A candidate who passes the exam before reaching the full experience requirement becomes an Associate of (ISC)² until the experience is earned.)
  2. After gaining the necessary experience, the candidate schedules and sits the exam. At the time of writing, the English-language exam uses computerized adaptive testing (100 to 150 questions in up to three hours), while the linear exam offered in other languages has 250 questions and runs six hours.
  3. After passing the exam, the candidate must be endorsed by an (ISC)² certified professional who is an active member in good standing. The endorsement must be completed within nine months of passing the exam; otherwise the exam must be retaken.
  4. Once the CISSP is granted, the holder must recertify every three years in order to maintain it.

Recertification, or renewing the CISSP, requires that certain maintenance requirements be met throughout the cycle. The following answers to frequently asked questions walk through the renewal process and its requirements.

How Long Is the CISSP Certification Good For?

The CISSP certification is valid for three years. During that period a member in good standing must meet certain requirements to qualify for recertification; otherwise the certification is terminated. These requirements are earning and submitting continuing professional education (CPE) credits, paying the annual maintenance fee (AMF), and abiding by the (ISC)² Code of Ethics.

What Are CISSP CPEs?

(ISC)² wants members to stay current rather than coast after earning the CISSP, which is why the certification must be renewed every three years. Part of the renewal requirement is earning a set number of CPE credits annually and over the course of the three-year cycle. Credits are earned by participating in CPE activities, which fall into two groups. Group A credits are given for activities directly related to the CISSP domains, while Group B credits are for activities outside the domains that still contribute to the member’s general professional development. Of the 120 credits required per cycle, at least 90 must be Group A; no more than 30 Group B credits count toward the total.

What Are CISSP AMFs?

CISSP AMFs are the annual maintenance fees that must be paid as part of keeping the certification in good standing. On the fee schedule this article uses, the member pays $85 each year, for a total of $255 over the three-year cycle. CISSPs holding one or more concentrations (ISSAP, ISSEP or ISSMP) also pay $35 per concentration per year; a member with two concentrations, for example, pays $70 per year on top of the $85 CISSP AMF. (ISC)² revises its fee schedule periodically, so confirm the current amounts on the (ISC)² website before budgeting.

What Is the Code of Ethics?

The Code of Ethics, also known simply as “The Code,” must be adhered to by every professional certified by (ISC)², not just CISSPs. The Code is built on four mandatory canons:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

Members who violate any part of The Code, whether knowingly or unknowingly, are subject to disciplinary action, which can result in the cancellation of their certification.

What Are the CISSP CPE Maintenance Requirements?

CISSP-certified members must earn and submit a minimum number of CPE credits for the entire three-year cycle, and they are expected to meet an annual target as well. Credits earned each year accumulate toward the cycle total: 40 CPE credits per year, for a total of 120 over the three-year cycle. A member who holds one or more concentrations must additionally earn 20 CPE credits per year directly related to each concentration; those credits also count toward the 40-per-year CISSP target.

CPE activities must be completed during the three-year cycle and no later than the expiry date on the certification. Credits may be submitted up to 90 days after the expiration date, but only for activities completed before that date.

What are the Various CISSP CPE Activities?

Work completed as part of a CISSP’s regular job does not qualify for CPE credit. Credits are earned when a member attends or participates in training sessions, conferences, seminars and similar activities where new knowledge and expertise are gained. They are divided into Group A (directly related to the CISSP domains) and Group B (professional development outside the domains). Some examples of activities for which a member can earn credit:

  Group A (domain-related)               Group B (professional development)
  ------------------------------------   -----------------------------------
  Security Engineering                   Team Development Skills
  Communication and Network Security     Accounting Courses
  Security Operations                    Interpersonal Communications Skills
  Security and Risk Management           Management Courses
  Asset Security                         Programming Languages

The table shows only a sample; many other activities can be claimed for CPE credit.

Finding qualifying activities is not difficult: (ISC)² publishes educational courses, webinars and seminars that members can attend, and information about them is available directly from (ISC)².

How Are CPE Credits Calculated?

CPE credits are weighted by the type of activity. In general, a member earns one CPE credit per hour spent in an educational activity, although some activities are worth more. Common examples of how credits are calculated:

  • Attendance at educational courses or seminars (both groups) – One Group A credit per hour for courses or seminars related to the CISSP domains, or one Group B credit per hour if the subject is outside the domains. Classes may be taken at an educational institution or online.

Take, for example, a three-credit university course, which normally meets about three hours a week for a 16-week semester. Completing it represents roughly 40 or more hours of class time, which at one credit per hour translates into at least 40 CPE credits, enough on its own to meet the annual target.

  • Attendance at conferences (both groups) – One Group A credit per hour for conferences related to cybersecurity, or one Group B credit per hour for other educational conferences.
  • Attendance at vendor presentations (Group A only) – One Group A credit for every half hour of attendance, provided the presentation is educational in nature and related to the domains.
  • Completion of self-study, computer-based training (CBT) and podcasts (both groups) – One credit per hour. Members should keep records (certificates, receipts, notes) for these activities so they can prove completion if audited.
  • Volunteering for government and charitable organizations (Group A only) – One CPE credit per hour of volunteer work. The work must be related to the member’s credential, since only Group A credit is recognized here.
  • Reading cybersecurity books (Group A only) – One completed book per year earns five CPE credits, and only one book per year may be claimed. To receive the credits, the member must upload a short summary of what was learned from the book.

What Will Happen if I Don’t Meet the Requirements for Renewal?

Should a member fail to meet any of the requirements above, the CISSP certification is cancelled or revoked. A certification that is allowed to expire without renewal before the expiration date is likewise considered cancelled. Membership can, however, be regained after cancellation.

There are two ways to regain the certification once it has been revoked: by retaking the exam or by appeal. A $35 reinstatement fee is due upon recertification in either case.

  • Appeal – The (ISC)² Board hears appeals. To file one, the member must submit it in writing to the Board within 90 days of the triggering event (denial of CPE credits, expiration of the certification, etc.). The Board convenes, reaches a decision and sends a formal written response. Its decision is final.
  • Retaking the exam – A former member may retake the exam to re-obtain the certification. The process is the same as the first time: schedule the exam, pay the examination fee, and sit and pass it. After passing, the former member must contact the Member Services Department to have the certification reactivated.


The steps for obtaining and maintaining a CISSP may be tedious, but they exist because the field of digital security changes constantly. (ISC)² designed these rules to enforce professionalism and a high standard of competence. Employers hiring a CISSP can have confidence that the holder has met that standard and continues to meet it: the three-year certification cycle, the annual CPE requirement and adherence to the Code of Ethics all work to keep members current.

