CISSP Recertification 2027: Requirements, Costs & Timeline

CISSP Recertification Overview

Earning your CISSP certification is just the beginning of your cybersecurity journey. To maintain your credential's validity and demonstrate continued professional growth, you must complete the CISSP recertification process every three years. This ongoing commitment ensures that CISSP holders stay current with evolving security threats, technologies, and industry best practices.

  • Certification validity: 3 years
  • CPEs required over 3 years: 120
  • Annual maintenance fee: $85
  • Knowledge areas: 8 domains

The CISSP recertification process, managed by (ISC)², requires two main components: earning Continuing Professional Education (CPE) credits and paying annual maintenance fees. This system ensures that certified professionals maintain their expertise across all eight CISSP domains while staying engaged with the cybersecurity community.

Important Timing Note

Your three-year recertification cycle begins on the date your CISSP certification was awarded, not when you passed the exam. Mark this date carefully, as missing the deadline can result in certification suspension.

Unlike some certifications that require retaking exams, CISSP recertification focuses on demonstrating continued learning and professional development. This approach recognizes that experienced security professionals contribute to the field through various activities beyond traditional classroom learning.

CPE Requirements Breakdown

The cornerstone of CISSP recertification is earning 120 Continuing Professional Education (CPE) credits over your three-year certification cycle. These credits must be distributed across the eight CISSP domains, ensuring comprehensive knowledge maintenance across all areas of information security.

Domain Distribution Requirements

Your 120 CPEs must span all eight CISSP domains, reflecting the broad scope of knowledge required for effective cybersecurity leadership:

Domain | Percentage | Recommended CPEs
Security and Risk Management | 16% | 19-20 CPEs
Asset Security | 10% | 12 CPEs
Security Architecture and Engineering | 13% | 15-16 CPEs
Communication and Network Security | 13% | 15-16 CPEs
Identity and Access Management | 13% | 15-16 CPEs
Security Assessment and Testing | 12% | 14-15 CPEs
Security Operations | 13% | 15-16 CPEs
Software Development Security | 10% | 12 CPEs

CPE Categories and Values

(ISC)² recognizes various professional activities as valid sources of CPEs. Understanding these categories helps you plan your continuing education strategy effectively:

Group A Activities (Professional Development): These include attending conferences, workshops, webinars, formal training courses, and earning additional certifications. Most Group A activities award 1 CPE per hour of participation, with some exceptions for intensive programs.

Group B Activities (Giving Back to the Profession): This category covers teaching, writing articles, speaking at conferences, participating in professional organizations, and volunteer work in cybersecurity. Group B activities often provide higher CPE values due to their contribution to the broader security community.

Maximum CPE Limits

While you need 120 CPEs total, (ISC)² sets maximum limits for certain activity types. For example, self-study activities are capped at 20 CPEs per cycle, and some Group B activities have specific limits to ensure a balanced continuing education portfolio.

Annual Maintenance Fees

In addition to CPE requirements, maintaining your CISSP certification requires paying annual maintenance fees to (ISC)². These fees support the organization's ongoing efforts to develop certification programs, maintain exam quality, and provide resources to the certified community.

Current Fee Structure

The annual maintenance fee for CISSP certification is $85 USD. This fee is due each year on the anniversary of your certification award date. Late payments may result in additional fees or certification suspension.

  • Annual fee (USD): $85
  • Total 3-year cost: $255

When compared to the initial CISSP certification cost of $749 for the exam, the maintenance fees represent a modest ongoing investment in your professional credentials. Many employers reimburse certification maintenance costs, recognizing the value that certified professionals bring to their organizations.

Payment Methods and Timing

(ISC)² provides multiple payment options through their member portal, including credit cards and electronic transfers. You'll receive reminders before your payment due date, but it's important to maintain current contact information to ensure you receive these notifications.

Payment Deadline Consequences

Failing to pay maintenance fees on time can result in certification suspension. While (ISC)² typically provides a grace period, suspended certifications require additional reinstatement fees and may impact your professional standing.

Recertification Timeline

Understanding the CISSP recertification timeline is crucial for maintaining your certification without interruption. The three-year cycle requires careful planning to ensure you accumulate sufficient CPEs across all domains while meeting payment obligations.

Key Timeline Milestones

Year 1 (Months 1-12): Focus on establishing your CPE earning routine. Aim to earn 30-40 CPEs during your first year, concentrating on areas where you need the most development. This is an excellent time to attend major conferences or pursue additional certifications.

Year 2 (Months 13-24): Continue steady CPE accumulation while assessing your progress across all eight domains. You should have 60-80 CPEs by the end of year two. Consider contributing to Group B activities during this period to diversify your CPE portfolio.

Year 3 (Months 25-36): Complete your remaining CPEs and prepare for submission. Review your domain distribution to ensure compliance with requirements. Submit your recertification application at least 60 days before your deadline to allow for processing time.

Timeline | Recommended CPEs | Key Activities | Important Notes
Year 1 | 30-40 CPEs | Major conferences, foundational training | Establish learning routine
Year 2 | 60-80 CPEs (cumulative) | Specialized training, Group B activities | Assess domain coverage
Year 3 | 120 CPEs (complete) | Final CPEs, application submission | Submit 60 days early

How to Earn CPEs

CISSP professionals have numerous options for earning CPEs, ranging from formal training programs to self-directed learning activities. The key is selecting activities that genuinely enhance your knowledge and contribute to your professional development.

Formal Education and Training

Traditional classroom training, online courses, and degree programs offer structured learning opportunities that typically provide clear CPE credits. Universities, training companies, and professional organizations offer courses specifically designed for security professionals.

Vendor training programs from companies like Cisco, Microsoft, Amazon Web Services, and others provide both technical knowledge and CPE credits. These programs often align well with specific CISSP domains and offer hands-on experience with current technologies.

Professional Conferences and Events

Industry conferences represent one of the most efficient ways to earn multiple CPEs while networking with peers and learning about emerging threats and technologies. Major events like RSA Conference, Black Hat, DEF CON, and regional ISACA or (ISC)² chapter meetings provide significant CPE opportunities.

When attending conferences, document your participation carefully. Save confirmation emails, certificates of attendance, and session agendas. Many conferences provide official CPE tracking to simplify your record-keeping.

Conference Strategy

Plan your conference attendance strategically across your three-year cycle. Attending one major conference per year can provide 20-30 CPEs, significantly contributing to your 120-credit requirement while providing valuable networking opportunities.

Self-Directed Learning

Self-study activities, including reading security publications, researching new technologies, and completing online tutorials, can contribute up to 20 CPEs per recertification cycle. While limited, these activities provide flexibility for busy professionals.

Popular self-study options include security podcasts, whitepapers from vendors and research organizations, and online documentation for new security tools and frameworks. The key is demonstrating clear learning objectives and outcomes.

Contributing to the Profession

Group B activities offer high CPE values while giving back to the cybersecurity community. Writing articles for security publications, speaking at conferences, teaching courses, or volunteering for professional organizations can provide substantial CPE credits.

Mentoring other security professionals, participating in standards development, or contributing to open-source security projects also qualify for Group B CPEs. These activities often provide personal satisfaction while advancing the broader profession.

CPE Tracking and Submission

Effective CPE tracking throughout your certification cycle simplifies the recertification process and ensures compliance with (ISC)² requirements. Maintaining detailed records protects you during audits and demonstrates your commitment to continuous learning.

Documentation Requirements

For each CPE-eligible activity, maintain comprehensive documentation including dates, duration, learning objectives, and completion certificates. (ISC)² may audit your submissions, requiring proof of participation and learning outcomes.

Essential documentation includes:

  • Certificates of completion or attendance
  • Course syllabi or agendas showing relevant content
  • Receipts or registration confirmations
  • Detailed descriptions of learning objectives and outcomes
  • Evidence of time spent on self-study activities

Online Submission Process

The (ISC)² member portal provides tools for tracking and submitting CPEs throughout your certification cycle. Regular updates to your CPE record help identify gaps in domain coverage and ensure you're on track for timely recertification.

The submission process requires:

  1. Activity description and learning objectives
  2. Domain mapping for each CPE claimed
  3. Supporting documentation upload
  4. Verification of activity completion
  5. Final recertification application submission

Audit Preparation

(ISC)² conducts random audits of recertification submissions. Maintain organized records throughout your cycle, including digital copies of all documentation. Well-documented submissions demonstrate professionalism and simplify the audit process if selected.

Consequences of Non-Compliance

Understanding the consequences of failing to meet recertification requirements emphasizes the importance of staying current with your obligations. (ISC)² takes certification maintenance seriously, as it directly impacts the credibility and value of CISSP credentials.

Certification Suspension

Failure to complete recertification requirements by your deadline results in automatic certification suspension. Suspended certifications cannot be used on resumes, business cards, or in professional communications. Many employers require immediate notification if your certification status changes.

During suspension, you lose access to (ISC)² member benefits, including resources, networking opportunities, and professional recognition. The suspension also appears in the (ISC)² member directory, potentially impacting your professional reputation.

Reinstatement Process

Reinstating a suspended CISSP certification requires:

  • Completing all outstanding CPE requirements
  • Paying all overdue maintenance fees
  • Submitting a reinstatement application
  • Paying additional reinstatement fees

The reinstatement process can take several weeks, during which your certification remains invalid. For many professionals, this gap can impact job applications, contract eligibility, and career advancement opportunities.

Revocation Risk

Extended non-compliance can result in certification revocation, requiring you to retake the entire CISSP exam. Given the challenging nature of the CISSP exam, maintaining compliance is far preferable to starting over.

Tips for Successful Recertification

Successful CISSP recertification requires strategic planning, consistent effort, and attention to detail. These proven strategies help ensure smooth recertification while maximizing your professional development.

Create a Learning Plan

Develop a three-year learning plan that aligns with your career goals and addresses knowledge gaps across all eight CISSP domains. Consider your current role, desired career progression, and emerging technology trends when planning your CPE activities.

Your learning plan should include a mix of formal training, conferences, self-study, and professional contribution activities. This diversity ensures comprehensive knowledge development while meeting (ISC)² requirements for different activity types.

Leverage Employer Support

Many employers recognize the value of CISSP certification and provide support for maintenance activities. This support might include training budgets, conference attendance, paid study time, or reimbursement for fees and expenses.

Present your recertification needs as part of your professional development planning. Demonstrate how specific training or conference attendance will benefit both your skills and your employer's security posture. Many managers are willing to invest in certified employees who show commitment to continuous learning.

Stay Organized Throughout the Cycle

Maintain a dedicated folder or digital system for all recertification documentation. Regular organization prevents last-minute scrambling and ensures you have proper documentation for potential audits.

Consider using spreadsheets or project management tools to track your CPE progress across domains. Regular reviews help identify areas needing attention and ensure balanced coverage across all eight CISSP domains.

Network with Other Professionals

Connect with other CISSP holders through local (ISC)² chapters, professional associations, and online communities. Experienced professionals often share valuable insights about efficient CPE earning strategies and high-quality learning opportunities.

Peer networks also provide accountability and motivation for meeting recertification requirements. Consider forming study groups or informal meetups focused on specific domains or emerging security topics.

Many professionals find that teaching others or presenting at local chapter meetings provides Group B CPEs while reinforcing their own knowledge. This approach creates a positive cycle of learning and professional contribution.

Frequently Asked Questions

Can I start earning CPEs immediately after passing the CISSP exam?

Yes, your three-year recertification cycle begins on the date your certification is awarded, not when you pass the exam. You can start earning CPEs immediately, though many professionals take a brief break after the intensive exam preparation period.

What happens if I don't earn enough CPEs in one domain?

While (ISC)² doesn't specify minimum CPEs per domain, your 120 total CPEs should reasonably cover all eight domains. During audits, (ISC)² may question significant imbalances. It's best to maintain proportional coverage based on domain percentages.

Can CPEs carry over to the next recertification cycle?

No, CPEs do not carry over between certification cycles. Each three-year period requires a fresh 120 CPEs. However, activities completed near the end of one cycle may provide knowledge that benefits your next cycle's learning plan.

How much time should I dedicate to recertification activities each year?

Plan for approximately 40 hours of CPE-eligible activities per year (120 hours over three years). This includes conference attendance, training courses, self-study, and professional contribution activities. The actual time varies based on your chosen activity mix.

Are there any discounts available for CISSP maintenance fees?

(ISC)² occasionally offers discounts for multi-year payments or special circumstances, but the standard $85 annual fee applies to most members. Check the member portal for any current promotions, and remember that many employers reimburse certification maintenance costs.
