
CISSP Renewal Grace Period: What Happens If You Miss

TL;DR
  • CISSP certification is valid for 3 years; you must earn 120 CPEs per cycle and pay annual maintenance fees to renew.
  • ISC2 provides a grace period after your certification anniversary date, but missing it triggers suspension, not immediate revocation.
  • A suspended CISSP cannot use the credential and must resolve the deficiency before the revocation deadline or face full reinstatement procedures.
  • Reinstatement after revocation typically requires paying back fees and demonstrating CPE compliance - not automatically re-taking the $749 exam.

How CISSP Renewal Works: The 3-Year Cycle Explained

Earning the CISSP from ISC2 is a significant achievement, but the credential does not sustain itself. Every CISSP certification is valid for exactly three years from the date you were certified. To maintain it, you must satisfy two parallel obligations during each three-year cycle: earn 120 Continuing Professional Education (CPE) credits and pay the annual maintenance fee (AMF) every year of that cycle.

These two requirements are independent of each other. Completing all 120 CPEs does not excuse an unpaid AMF, and paying every AMF on time does not cover a CPE shortfall. Both must be satisfied for ISC2 to mark your certification as renewed and in good standing.

The 120-CPE Rule: ISC2 requires 120 CPE credits over each three-year renewal cycle. Many certificants aim for roughly 40 credits per year to avoid a last-minute scramble - but the requirement is measured against the full cycle, not each individual year.

CPEs are logged in the ISC2 member portal. ISC2 may audit your submissions at any time, meaning you should retain documentation - certificates of completion, conference agendas, receipts - for every CPE you claim. Fabricating or inflating CPE credits is treated as an ethics violation under the ISC2 Code of Ethics, which carries consequences as serious as revocation.

Understanding this structure is the foundation for understanding what goes wrong when a renewal deadline is missed. Before we get into the consequences, it helps to know exactly where the grace period sits in this timeline.

What Is the CISSP Renewal Grace Period?

ISC2 does not immediately revoke your credential the moment your three-year anniversary date passes with outstanding obligations. There is an administrative window - commonly called the grace period - during which you can still resolve a CPE shortfall or an unpaid AMF without your certification status changing to revoked.

During this window your certification is placed in a suspended state. Suspension is not revocation, but it is not benign either. A suspended CISSP:

  • Cannot legally use the CISSP credential after their name or on professional profiles
  • Is removed from the ISC2 public verification directory, meaning employers doing credential checks will not find an active listing
  • Continues to accrue AMF obligations for each additional year the certification remains unrenewed

The practical consequence is that a suspension can quietly damage your professional reputation - especially if an employer or client verifies your credentials during that window and finds no active listing. This is why understanding the grace period mechanics matters far more than simply knowing that one exists.

Key Takeaway

Suspension is not a soft landing. While the grace period prevents immediate revocation, a suspended CISSP is invisible in ISC2's public directory. Employers and clients who run verification checks during this period will not see an active credential.

ISC2 communicates renewal deadlines through the member portal and by email. If your contact information in the portal is outdated, you may miss these notices entirely - making it critical to keep your ISC2 profile current, not just your CPE log.

What Actually Happens When You Miss the Deadline

The sequence of events after a missed renewal deadline follows a predictable pattern, though the exact dates of each stage depend on your individual anniversary date and ISC2's current administrative processes.

  1. Certification expires: At the end of your three-year certification period, ISC2 marks the credential as expired if CPEs are insufficient or an AMF is unpaid.
  2. Suspension notice: ISC2 issues a notice of suspension. You retain the credential on paper but cannot use it professionally.
  3. Grace period window: You have a defined period to cure the deficiency - logging outstanding CPEs, uploading documentation, and/or paying overdue AMFs.
  4. Revocation: If the deficiency is not cured within the grace period, ISC2 revokes the certification. At this point you are no longer a CISSP and cannot represent yourself as one.

Revocation Is Permanent Until Reinstated: Revocation does not mean you can simply renew online. Reinstatement requires a formal process with ISC2, which typically includes paying all overdue AMFs, demonstrating that you have met CPE requirements, and in some cases undergoing additional review. The sooner you act after suspension, the less complicated - and less expensive - the resolution.

What many CISSPs do not realize is that ISC2 tracks the ethics dimension of renewal failures. Falsifying CPE records to avoid a shortfall, or misrepresenting your credential status during a suspension, can lead to a permanent bar from ISC2 certifications. The organization takes the Code of Ethics seriously across all its credentials, including the CISSP.

CPE Requirements: What Counts and What Doesn't

Not every professional activity qualifies as a CPE credit under ISC2 rules. Understanding what counts - and what does not - helps you plan ahead rather than discover a shortfall when you go to submit renewal documentation.

ISC2 divides CPEs into two groups:

  • Group A (domain-relevant): Activities directly related to the eight CISSP domains. This is where the bulk of your 120 CPEs must come from.
  • Group B (professional development): Broader professional activities such as management training, leadership courses, or general IT education that do not map directly to the CISSP domains.

Group A activities include security conferences, domain-specific training courses, published security research, teaching or presenting on security topics, and passing additional ISC2 or related certifications. Group B activities are capped - you cannot fill your entire 120-CPE requirement with general management courses.

Which CISSP Domains Generate the Most CPE Opportunities?

All eight domains are eligible for Group A CPEs, but some generate far more training content than others given industry focus areas.

  • Domain 1 - Security and Risk Management (16%): Risk frameworks, compliance training, policy development courses - abundant CPE content
  • Domain 3 - Security Architecture and Engineering (13%): Cloud security certifications, cryptography courses, design pattern workshops
  • Domain 5 - Identity and Access Management (13%): Zero-trust architecture training, IAM platform certifications, vendor webinars
  • Domain 6 - Security Assessment and Testing (12%): Penetration testing courses, vulnerability management platforms with CE credits
  • Domain 7 - Security Operations (13%): SOC training, incident response tabletops, threat intelligence programs

CPE activities that typically do not count include general business skills with no security connection, non-security IT help-desk activities, and routine job duties that do not involve learning new security knowledge. When in doubt, document everything and let ISC2 decide during an audit rather than self-excluding activities that might qualify.

Reinstatement vs. Sitting the Exam Again

A common fear among lapsed CISSPs is that missing the renewal deadline means sitting through the full exam process again - including the $749 exam fee, a Pearson VUE test center appointment, and the 100-to-150-question Computer Adaptive Test with a 3-hour time limit. In most cases, this fear is unfounded.

ISC2's reinstatement pathway exists specifically to allow lapsed CISSPs to restore their credential without reexamination, provided they can demonstrate that the lapse was due to an administrative shortfall rather than a fundamental loss of competency. The reinstatement process typically requires:

  • Paying all overdue annual maintenance fees for the period of lapse
  • Demonstrating CPE compliance for the lapsed period or completing a defined CPE remediation
  • Submitting a formal reinstatement application to ISC2
  • Agreeing to re-affirm the ISC2 Code of Ethics

However, reinstatement is not guaranteed. ISC2 retains discretion to require reexamination in cases involving ethics violations, extended periods of lapse, or circumstances where professional competency is in question. If your credential has been revoked for a substantial period, the organization may determine that the only appropriate path is to re-sit the full exam under the current April 15, 2024 exam outline - which means re-meeting the prerequisite of five years of cumulative paid work experience in at least two CISSP domains.

For those who originally entered through the Associate of ISC2 route and had not yet completed their experience requirements, the calculus is more complex. If the associate pathway credential also lapses, there is no shortcut back.

If you are approaching your renewal date and have questions about scheduling or exam logistics for any reason, the CISSP Exam Scheduling Guide: Book Your Test 2026 covers the current Pearson VUE process in detail.

Domain-Focused CPE Planning to Avoid the Crunch

The most reliable way to avoid the grace period scenario entirely is to treat CPE accumulation as an ongoing professional habit rather than a compliance task you address in Year 3. A simple but effective approach is to map your CPE activities to the CISSP domain structure intentionally, ensuring you maintain both quantity and relevance throughout the cycle.

Year 1

Build the Foundation - Heaviest Domains First

  • Target CPEs in Domain 1 (Security and Risk Management, 16%) through risk framework training or compliance coursework
  • Attend one major security conference - qualifies for multiple CPEs in Domains 3, 4, and 7
  • Aim for 40+ CPEs this year to create buffer room

Year 2

Technical Depth - Mid-Weight Domains

  • Focus on Domains 5 (Identity and Access Management) and 6 (Security Assessment and Testing) via hands-on labs or platform certifications
  • Publish a security article, present at a local chapter meeting, or mentor - these generate CPEs while building visibility
  • Log all activities immediately; don't batch-log at year end

Year 3

Close the Gap - Software and Asset Focus

  • Address Domains 2 (Asset Security) and 8 (Software Development Security) with targeted coursework
  • Verify total CPE count in the ISC2 portal at least 90 days before your anniversary date
  • Pay AMF immediately when invoiced - do not let this slip while focused on CPEs

This domain-anchored planning approach also protects you during an ISC2 audit. When your CPE log shows deliberate coverage across Security Architecture and Engineering, Communication and Network Security, Software Development Security, and other domains - rather than 120 credits from one vendor's webinar series - the audit risk diminishes substantially.

Practicing domain-level knowledge regularly is also a good way to identify CPE gaps. Working through CISSP practice tests that mirror the CAT format can surface areas where your knowledge has drifted, pointing you toward the CPE activities that will be most professionally relevant.

The Annual Maintenance Fee You Cannot Skip

The CPE requirement gets most of the attention in renewal conversations, but the annual maintenance fee is equally non-negotiable. ISC2 invoices the AMF each year of your certification cycle. Missing the payment initiates the same suspension-and-revocation sequence as a CPE shortfall.

| Renewal Obligation | Frequency | Consequence of Non-Compliance |
|---|---|---|
| 120 CPE Credits | Per 3-year cycle | Suspension, then revocation if not cured |
| Annual Maintenance Fee (AMF) | Every year | Suspension, then revocation if not cured |
| CPE Documentation | On-demand (audit-triggered) | CPE credits removed; potential ethics review |
| Code of Ethics Re-affirmation | Periodic / reinstatement | Required for reinstatement after revocation |

ISC2 sends AMF invoices to the email address on your member account. If you change employers, switch to a personal email, or simply stop monitoring the inbox associated with your ISC2 profile, you may miss the invoice entirely. Set a recurring annual calendar reminder tied to your certification anniversary date as a backstop regardless of whether ISC2's email reaches you.

Employer Sponsorship and AMF: Many CISSPs have their AMF paid by their employer as part of a professional development benefit. If you change jobs during your certification cycle, verify whether the new employer will continue sponsorship - or begin paying the AMF yourself immediately. A lapsed payment due to a job transition is among the most common and most avoidable reasons CISSPs enter suspension.

For those currently preparing for the initial CISSP exam and planning ahead, it is worth factoring renewal costs and obligations into your decision before you pay the $749 exam fee. This resource, CISSP Renewal Grace Period: What Happens If You Miss, exists precisely to help you understand the full lifecycle commitment of the credential - not just the exam day.

Staying on top of both CPEs and the AMF is much easier when you remain engaged with security topics year-round. Revisiting your domain knowledge through CISSP practice questions is one practical way to stay current while reinforcing the competency that renewal is meant to verify.

Frequently Asked Questions

Can I still use the CISSP designation during the grace period after my certification expires?

No. Once ISC2 places your certification in a suspended state, you are no longer permitted to use the CISSP credential professionally. This includes email signatures, LinkedIn profiles, resumes, and any client-facing materials. Using the credential during suspension is an ethics violation that can complicate reinstatement.

Does missing the renewal deadline mean I have to retake the CISSP exam?

Not automatically. ISC2 has a reinstatement pathway that allows lapsed CISSPs to restore their credential by paying overdue AMFs and demonstrating CPE compliance, without reexamination. However, ISC2 retains discretion to require reexamination in cases involving extended lapses or ethics concerns. The sooner you address a lapse, the more likely reinstatement without reexamination becomes.

How many CPEs do I need per year versus per cycle?

ISC2 measures CPEs against the full three-year cycle, not annually. You need 120 CPEs total over three years. There is no mandatory annual minimum, though most practitioners aim for approximately 40 per year to avoid a Year 3 crunch. Some years naturally produce more CPE opportunities than others depending on your role and the conferences available.

What types of activities earn the most CPE credits efficiently?

Multi-day security conferences typically generate the highest single-activity CPE count, often covering several CISSP domains simultaneously. Teaching a security course, publishing research, and completing advanced domain-specific certifications also yield substantial credits. Vendor webinars and online courses are convenient but tend to generate smaller credit amounts per activity, so relying solely on them requires more volume.

If my employer stops paying my AMF, how quickly do I need to act?

Immediately. ISC2's invoicing timeline means an unpaid AMF can trigger a suspension notice within weeks of the due date. If your employer's payment lapses - due to a job change, budget cut, or administrative oversight - pay the AMF personally and seek reimbursement rather than waiting for the billing situation to resolve itself. The cost of suspension and potential reinstatement fees far exceeds a single year's AMF.
