Maintain Your CISM 


The goal of the CISM Continuing Professional Education Policy is to ensure that all CISMs maintain an adequate level of current knowledge and proficiency in the field of information systems security management.

Changes to the ISACA certification CPE policies have been made in the following area: Passing related professional examinations (no limit). Effective for CPE earned on and after 1 January 2014, two (2) times the number of CPE hours are earned for each examination hour when a passing score is achieved on a related professional examination. This change went into effect 1 January 2014 and has been approved by the Credentialing and Career Management Board. The change is universal and applies equally to all ISACA certifications. Translated versions of the CPE policies are currently in process and will be posted once available.

The Goal

CISMs who successfully comply with the CISM Continuing Professional Education Policy will be better equipped to manage, design, oversee and assess an enterprise’s information security.

The responsibility for setting the continuing professional education requirements rests with the CISM Certification Board. The Board oversees the continuing professional education process and requirements to ensure their applicability.

Annual Maintenance Fee
ISACA members: US $45
ISACA nonmembers: US $85

Individuals who are renewing 3 or more ISACA certifications will receive a discount on the 3rd and 4th renewal fees. For 2014 renewal the discount is $20 for members and $35 for nonmembers.


Certification Requirements

The CISM CPE policy requires the attainment of CPE hours over an annual and three-year certification period. CISMs must comply with the following requirements to retain certification:

  • Attain and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CISM’s knowledge or ability to perform CISM-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
  • Submit annual CPE maintenance fees to ISACA International Headquarters in full.
  • Attain and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting period.
  • Submit required documentation of CPE activities if selected for the annual audit.
  • Comply with ISACA’s Code of Professional Ethics.

Failure to comply with these certification requirements will result in the revocation of an individual’s CISM designation. In addition, as all certificates are owned by ISACA, if revoked, the certificate must be destroyed immediately.

Annual and Three-Year Certification Period

The annual reporting period begins on 1 January of each year. The three-year certification period varies and is indicated on each annual invoice and on the letter confirming annual compliance.

For newly certified CISMs, the annual and three-year certification period begins on 1 January of the year succeeding certification. Reporting CPE hours attained during the year of certification is not required. However, hours attained between the date of certification and 31 December of that year can be used and reported as hours earned in the initial reporting period.

Payment of CISM Maintenance Fee and Reporting of CPE Hours

Renewing the CISM certification requires payment of the maintenance fee and reporting of CPE hours. ISACA sends invoice notification to all CISMs, both via email and as a hard copy invoice, in the third quarter of each calendar year.

Payment of the annual maintenance fee can be done online. CPE can be recorded as they are earned on the MyISACA > MyCertification > Manage My CPE page of the web site. Certifieds can also renew by submitting the information on the annual renewal invoice. Payment and reporting of CPE hours are due by 1 January to retain certification.

Notification of Annual Compliance

CISMs who report the required number of CPE hours and submit maintenance fees, in full, in a timely manner will receive a confirmation from ISACA international headquarters. This confirmation will include the number of CPE hours accepted for the annual reporting period, hours reported for past years within the three-year certification period and the number of hours required to qualify for the fixed three-year certification period. It is the responsibility of each CISM to notify ISACA international headquarters promptly of any errors or omissions in this confirmation.

Use of CISM Logo

Individual use of the CISM logo (on items such as business cards, web sites, marketing or promotional materials) is not permitted because it can imply endorsement or affiliation on ISACA’s behalf of that person’s products or services. Individuals can use the CISM acronym after their name (e.g., John Q. Customer, CISM) in lieu of the logo.

Audits of Continuing Education Hours

A random sample of CISMs is selected each year for audit. Those chosen for an audit must provide written evidence of previously reported activities that meet the criteria described in the Qualifying Professional Education Activities. Please send copies of supporting documentation, since documents will not be returned. The CISM Certification Committee will determine the acceptance of hours for specific professional educational activities. Those individuals who do not comply with the audit will have their CISM certification revoked.


Documentation should be retained for 12 months following the end of each 3-year reporting cycle. Documentation should be in the form of a letter, certificate of completion, attendance roster, Verification of Attendance form or other independent attestation of completion. At a minimum, each record should include the name of the attendee, name of the sponsoring organization, activity title, activity description, activity date, and the number of CPE hours awarded or claimed.

Revocation, Reconsideration and Appeal


Certified individuals who fail to comply with the CPE Policy will have their credential revoked, will no longer be allowed to present themselves as a certified individual, and will be reported as such on requests for confirmation of certification.

Reconsideration and Appeal

Individuals whose certification has been revoked due to non-compliance with the CPE policy may appeal to be reinstated by written notification to the Certification Working Group. The appeal must include a detailed explanation for the reinstatement request as well as the CPE documentation from the cycle period since revocation to current year. Please submit your appeal to the Customer Experience Center at

If the appeal is approved, the individual must pay any back or current certification maintenance fees needed to bring the certified individual in compliance with the CPE policy before being reinstated. Additionally, if the appeal was made more than 60 days after revocation, a $50 Reinstatement Fee will be incurred.

If the appeal is not approved, individuals who have had their certification revoked will be required to re-take and re-pass the exam in order to return to active status. They will also need to re-apply for certification with the appropriate experience.

Retired and Nonpracticing CISM Status

Information on Retired and Non-practicing status is available on the Certification Status Options page.

Qualifying Educational Activities

Activities that qualify for CPE include technical and managerial training. This training must be directly applicable to the management, design or assessment of an enterprise’s information security or the improvement of those skills, to ensure a proper balance of professional development is attained. CPE hours related to management skills must be relevant to the management of information security.

CPE hours are not accepted for on-the-job activities unless they fall into a specific qualifying professional education activity. Training in basic office productivity software, such as Microsoft Word or Excel, does not qualify as CPE. Specific activities have annual CPE hour limits. CPE can be reported in quarter hour increments.

The following categories of qualifying activities and limits have been approved by the CISM Certification Committee and are acceptable for CPE:

  • ISACA professional education activities and meetings (no limit): These activities include ISACA conferences, seminars, workshops, chapter programs, and meetings and related activities. CISMs earn CPE hours according to the number of hours of active participation. (See Calculating CPE Hours section). Participation in ISACA chapter meetings will earn a minimum of one credit hour regardless of actual duration. Please note that chapter programs and meetings are not all currently reported to the ISACA database. Please retain proof of attendance.
  • Non-ISACA professional education activities and meetings (no limit): These activities include in-house corporate training, university courses, conferences, seminars, workshops, and professional meetings and related activities not sponsored by ISACA. In addition, CPE hours can be earned from certification review courses if such courses advance the CISM’s information security or managerial knowledge or skills. CISMs earn CPE hours according to the number of hours of active participation. (See Calculating CPE Hours section). However, successfully completed university courses in related fields, including university online courses, earn 15 CPE hours per semester credit hour and 10 CPE hours per quarter credit hour (semester = 15 weeks of class; quarter = 10 weeks of class).
  • Self-study courses (no limit): These activities include structured courses designed for self-study that offer CPE credits. These courses will only be accepted if the course provider issues a certificate of completion and the certificate contains the number of CPE hours earned for the course. One CPE hour can also be earned when a passing score is achieved on an ISACA Journal quiz. Additional CPE can be earned by ISACA members when participating in an online eLearning presentation event sponsored by ISACA (for example: Virtual Trade Shows, Webinars, etc.). Please note that the ISACA Journal quiz and ISACA eLearning activities can be counted (more than once) toward each ISACA designation that is held.
  • Vendor sales/marketing presentations (10-hour annual limitation): These activities include vendor product or system specific sales presentations related to the management, design or assessment of an enterprise's information security.
  • Teaching/lecturing/presenting (no limit): These activities include the development and delivery of professional educational presentations and the development of self-study/distance education courses related to the management, design or assessment of an enterprise's information security. For presentations and courses (all types), CPE hours are earned at five times the presentation time or time estimated to take the course for the first delivery (e.g., a two-hour presentation earns ten CPE hours) and at the actual presentation time for the second delivery. CPE hours cannot be earned for subsequent presentations of the same material unless the content is substantially modified. For self-study/distance education courses, one CPE hour is earned for each hour spent upgrading/maintaining the course, limited to twice the estimated time to take the course.
  • Publication of articles, monographs and books (no limit): These activities include the publication and/or review of material directly related to the management of information security. Submissions must appear in a formal publication or website and a copy of the article or the website address must be available, if requested. For books and monographs, the table of contents and title page must be available. CPE hours are earned for the actual number of hours taken to complete or review the material.
  • Exam question development and review (no limit): This activity pertains to the development or review of items for the CISM exam or review materials. Two CPE hours are earned for each question accepted by an ISACA CISM item review committee. Such hours can be multi-counted for all ISACA certifications. Actual hours will be given for the formal item review process.
  • Passing related professional examinations (no limit): This activity pertains to the pursuit of other related professional examinations. Two CPE hours are earned for each examination hour when a passing score is achieved.
  • Working on ISACA Boards/Committees/Chapters (20-hour annual limitation per ISACA certification): These activities include active participation on an ISACA Board, committee, sub-committee, task force or active participation as an officer of an ISACA chapter. One CPE hour is earned for each hour of active participation. Active participation includes, but is not limited to, the development, implementation, and/or maintenance of a chapter website. Such activities can be counted more than once toward each ISACA designation that is held.
  • Contributions to the information security profession (20-hour annual limitation in total for all related activity for CISM reported hours): These activities include work performed for ISACA and other bodies that contribute to the information security profession (i.e. research development, certification review manual development, Knowledge Centre Contributor).
  • Mentoring (10-hour annual limitation): Certifieds are able to receive up to 10 CPEs annually for mentoring. Activities include mentoring efforts directly related to coaching, reviewing or assisting with CISM exam preparation or providing career guidance through the credentialing process either at the organizational, chapter or individual level. The mentoring activity must be an activity supporting a specific person in preparation for their ISACA exam or certification career decisions. One CPE hour is earned for each hour of assistance.

Calculating CPE Hours

One CPE hour is earned for each fifty (50) minutes of active participation (excluding lunches and breaks) for qualifying ISACA and non-ISACA professional educational activities and meetings. CPE hours can be earned in quarter hour increments and can also be reported in quarter hours (rounded to the nearest quarter hour). For example, a CISM who attends an 8-hour presentation (480 minutes) with 90 minutes of breaks will earn 7.75 continuing professional education hours.

Educational Activity Schedule                     Actual Hours   Minutes
9:00 am - 5:00 pm                                 8.0            480
Less: Two 15-minute breaks                        0.50           30
Less: Lunch - 1 hour                              1              60
Total hours of professional education activity    6.5            390

Sample Calculation

390 minutes divided by 50 minutes = 7.8 or 7.75 CPE hours (rounded to the nearest quarter hour)

Contact Information

ISACA Certification Department
1700 E. Golf Road, Suite 400
Schaumburg, Illinois 60173, USA

Telephone: +1.847.660.5660
Fax: +1.847.253.1755