- What Are CISSP CPEs and Why They Matter
- Breaking Down the 120-Credit Requirement
- Earning CPEs Aligned to CISSP Domains
- Approved CPE Activities: What Counts
- Activities That Do Not Count Toward Your CPE Total
- Tracking and Submitting CPEs in the ISC2 Portal
- The Annual Maintenance Fee Obligation
- Staying Audit-Ready: Documentation Best Practices
- Frequently Asked Questions
- CISSP certification is valid for three years; maintaining it requires exactly 120 CPE credits per three-year cycle.
- ISC2 requires an annual maintenance fee each year of the certification cycle, separate from exam fees.
- CPEs must be distributed intentionally - Group A credits must relate directly to one or more of the eight CISSP domains.
- ISC2 can audit your CPE submissions; retaining supporting documentation for every activity is non-negotiable.
What Are CISSP CPEs and Why They Matter
Passing the CISSP exam - a computer-adaptive test of 100 to 150 items administered by Pearson VUE at a $749 USD exam fee - is a significant professional milestone. But the credential does not sustain itself. ISC2, the governing body behind CISSP, built a continuing professional education (CPE) system specifically to ensure that holders of the certification keep pace with a rapidly evolving security landscape.
CPEs are the mechanism by which ISC2 verifies that certified professionals remain competent and engaged. Without meeting CPE obligations, a CISSP certification will lapse - and recertification requires retaking the full exam. Given how demanding the exam is (a 700-out-of-1000 passing score across eight domains covering everything from Security and Risk Management to Software Development Security), allowing a credential to lapse for something as preventable as missed CPE tracking is an avoidable setback.
For professionals considering how certification maintenance fits into the broader credentialing journey, the CISSP Endorsement Process: Steps After Passing the Exam is worth reviewing first - CPE obligations begin only after full endorsement and certification are complete.
Breaking Down the 120-Credit Requirement
Over a three-year certification cycle, CISSP holders must earn a total of 120 CPE credits. ISC2 divides these credits into two groups with distinct rules:
| CPE Group | Credit Requirement | Focus Area | Example Activities |
|---|---|---|---|
| Group A | Minimum 90 credits | Directly related to one or more CISSP domains | Security conferences, domain-specific courses, technical writing on cybersecurity topics |
| Group B | Up to 30 credits | Professional development broadly | Leadership training, project management courses, general professional skills |
The 90-credit floor for Group A is the most important number to internalize early. If you simply accumulate generic professional development hours without tying the majority back to the eight CISSP domains, you may reach 120 credits on paper but still be out of compliance.
ISC2 also sets an annual minimum: at least 15 CPE credits must be earned and reported each year within the three-year cycle. You cannot bank all 120 credits in the final year. This annual distribution requirement forces consistent professional engagement rather than a last-minute sprint.
Key Takeaway
Plan to earn at least 40 CPE credits per year - 30 in Group A activities directly tied to CISSP domains, and up to 10 in Group B. This pacing easily clears the 15-credit annual minimum and keeps you ahead of deadlines.
Earning CPEs Aligned to CISSP Domains
The smartest CPE strategy is one aligned directly to the eight CISSP domains, particularly those you find most challenging or those most relevant to your current role. Here is how each domain maps to practical CPE opportunities:
Domain 1: Security and Risk Management (16%)
The largest domain in the CISSP exam outline. CPEs here include governance frameworks, risk assessment methodologies, compliance training, and ethics courses.
- Attend risk management or GRC (Governance, Risk, Compliance) conferences
- Complete courses on NIST RMF, ISO 27001, or GDPR compliance
- Publish articles on organizational security policy design
Domain 3: Security Architecture and Engineering (13%)
CPEs can come from studying cryptographic systems, security models, hardware security modules, and cloud architecture reviews.
- Lab work with cryptographic implementations
- Webinars on zero-trust architecture design
- Technical review of security evaluation criteria (Common Criteria)
Domain 5: Identity and Access Management (13%)
IAM is a high-growth area. CPEs tied to this domain are plentiful given the proliferation of identity-related tools and standards.
- Training on OAuth 2.0, SAML, and federated identity systems
- Privileged Access Management (PAM) solution courses
- Zero-trust identity webinars from vendors like Microsoft or Okta
Domain 7: Security Operations (13%)
Incident response tabletops, threat hunting exercises, and SOC analyst training all qualify as Group A CPEs under this domain.
- Participate in or lead incident response simulations
- Attend threat intelligence sharing sessions (ISACs, sector groups)
- Complete forensics or malware analysis short courses
You do not need to distribute CPEs evenly across all eight domains. ISC2 requires only that Group A credits are relevant to at least one CISSP domain. In practice, professionals naturally concentrate CPEs in their job-adjacent domains - which is perfectly acceptable.
Approved CPE Activities: What Counts
ISC2 recognizes a broad range of activities for CPE credit. Understanding the full menu helps you identify CPE opportunities in work you are already doing.
- Professional education: College or university courses, vendor training, bootcamps, and online courses with learning objectives tied to security topics.
- Self-study: Reading security books, industry publications, and technical standards. Typically credited at one CPE per hour of documented study.
- Attending security events: Industry conferences (RSA Conference, Black Hat, DEF CON, ISC2 Security Congress), chapter meetings, and webinars.
- Presenting or teaching: Delivering a security presentation, teaching a course, or speaking at a conference. These often earn higher credit multipliers.
- Writing and publishing: Authoring security articles, white papers, books, or blog posts on domain-relevant topics earns Group A credit.
- Exam preparation: Structured study for another ISC2 exam or a closely related certification qualifies for Group A credit.
- Volunteering with ISC2: Chapter leadership, exam development participation, and community service through ISC2 programs all earn CPEs.
- Work experience: A portion of credits can come from documented on-the-job work in security roles, subject to ISC2 limits.
Activities That Do Not Count Toward Your CPE Total
Not every hour spent on professional activity earns CPE credit. Common mistakes include claiming credit for:
- General business meetings with no security learning component
- Regular job duties that are not structured learning or development activities
- Watching entertainment content or general news, even if it mentions cybersecurity
- Activities for which no documentation can be provided
- Duplicate counting - a single activity cannot be claimed under both Group A and Group B
The distinction often comes down to whether the activity had a defined learning objective and a verifiable record. When in doubt, document everything and let ISC2's guidance be the final arbiter.
Tracking and Submitting CPEs in the ISC2 Portal
ISC2 provides an online portal where certified professionals log, categorize, and submit CPE credits. The process is straightforward but requires discipline to maintain throughout the three-year cycle rather than scrambling at renewal time.
How to Log a CPE Activity
1. Log in to your ISC2 member account and navigate to the CPE portal.
2. Click "Add CPE Activity" and select the activity type from the dropdown menu.
3. Assign the activity to Group A or Group B and, for Group A submissions, identify the CISSP domain(s) it relates to.
4. Enter the number of CPE credits claimed (usually one per hour of qualifying activity).
5. Upload or note supporting documentation - certificates of completion, conference attendance records, published articles, or self-study logs.
6. Submit the entry. ISC2 does not approve each entry in real time, but the system tracks your running total.
Front-Load Conference and Training CPEs
- Register for the year's major security conference early (RSA, ISC2 Congress)
- Enroll in one domain-specific online course targeting a weaker CISSP domain
- Log all Q1 activities immediately - do not wait until year-end
Sustain With Self-Study and Writing
- Commit to reading one security book or significant publication per quarter
- Submit a conference talk proposal or write a domain-relevant article
- Attend monthly ISC2 chapter webinars for consistent, easy-to-log credits
Audit Your Progress and Fill Gaps
- Review your CPE portal total - confirm the 15-credit annual minimum is met
- If short, use targeted self-study or a short online course to close the gap
- Verify that 75% or more of your credits are Group A activities
For a broader look at how post-exam steps fit together, the CISSP Endorsement Process: Steps After Passing the Exam walks through the timeline from exam pass to active certification - which is when your CPE clock begins.
The Annual Maintenance Fee Obligation
CPE credits alone are not sufficient to maintain CISSP certification. ISC2 also charges an annual maintenance fee (AMF) every year of the three-year certification cycle. Failure to pay the AMF will result in certification suspension or revocation regardless of your CPE total.
ISC2 publishes current AMF rates on its website, and the amount is separate from and in addition to the original $749 exam fee paid when registering through Pearson VUE. Budget for the AMF as a recurring annual cost of holding the credential. ISC2 typically invoices members annually around their certification anniversary date.
Staying Audit-Ready: Documentation Best Practices
ISC2 reserves the right to audit CPE submissions. An audit requires you to produce evidence supporting every credit claimed. Professionals who log CPEs without retaining documentation risk losing credits retroactively - potentially triggering a compliance shortfall.
What Documentation to Retain
- Certificates of completion from courses, bootcamps, and webinars - download and save these immediately upon completion, as vendor portals sometimes purge old records.
- Conference attendance confirmation - badge receipts, agenda printouts marked with sessions attended, or official attendance letters.
- Self-study logs - a simple spreadsheet noting date, duration, topic, and resources used is sufficient. Cross-reference entries with the CISSP domain they address.
- Publication records - URLs, PDFs, or publication acknowledgment emails for any articles, white papers, or books you authored.
- Speaking engagement confirmations - event organizer emails, slide decks with event branding, or program listings showing your session.
Store documentation in a dedicated folder - cloud storage works well - organized by certification year. Many professionals use a simple naming convention: YYYY-MM-DD_ActivityName_CPEcredits.pdf. When ISC2 requests audit evidence, a well-organized archive makes response straightforward rather than stressful.
Regularly using the CISSP practice test tools as part of your ongoing domain review can also double as structured self-study when logged with appropriate detail - keeping your domain knowledge sharp while building a CPE paper trail.
For further reading on how all parts of the CISSP maintenance cycle connect, the full guide on CISSP CPE Requirements: How to Earn and Track Credits 2026 consolidates the most current ISC2 requirements and provides additional planning resources.
Frequently Asked Questions
ISC2 requires a minimum of 15 CPE credits per year within the three-year certification cycle, with a total of 120 credits required across the full cycle. There is no cap on earning more in a given year, as long as the annual minimum and total cycle requirements are met.
ISC2 allows CPE credits to be applied to multiple ISC2 credentials simultaneously if you hold more than one. A single qualifying activity can satisfy requirements for CISSP and, for example, CCSP if both credentials are active. Check the ISC2 CPE handbook for current cross-credential credit rules.
ISC2 will place the certification in suspension if CPE or AMF requirements are not met by the renewal deadline. During a suspension grace period, the professional cannot represent themselves as CISSP-certified. If requirements are not fulfilled within the grace period, the certification is revoked and the full exam must be retaken.
Yes. ISC2-organized events, chapter meetings, and official webinars are among the most straightforward sources of Group A CPE credits because ISC2 itself verifies their domain relevance. Attending an ISC2 chapter meeting that covers a CISSP domain topic typically earns one CPE credit per hour of qualifying content.
Structured study for another security certification, and passing that exam, can earn Group A CPE credits if the certification is domain-relevant. ISC2 provides guidance on the number of credits awarded for passing specific certifications. Using a resource like the CISSP practice test platform for structured, timed domain review also qualifies as logged self-study hours.