ISACA_logo_RGB
Home / Credentialing / CISA / Maintain CISA Certification

MAINTAIN CISA CERTIFICATION

You've Got it, Now Keep it

The goal of the continuing professional education (CPE) policy is to ensure that all CISAs maintain an adequate level of current knowledge and proficiency in the field of information systems audit, control and security.

monitor with CISA logo

CISA Maintenance Requirements

The CISA CPE policy requires the attainment of CPE hours over an annual and three-year certification period. CISAs must comply with the following requirements to retain certification: 

  • Earn and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CISA’s knowledge or ability to perform CISA-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
  • Earn and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting cycle period.
  • Pay the CISA annual maintenance fee
  • Comply with the annual CPE audit if selected
  • Comply with ISACA’s Code of Professional Ethics 
  • Abide by ISACA's IT auditing standards 

Failure to comply with these certification requirements will result in the revocation of an individual’s CISA designation. In addition, as all certificates are owned by ISACA, if revoked, the certificate must be destroyed immediately.

The goal of the continuing professional education (CPE) policy is to ensure that all CISAs maintain an adequate level of current knowledge and proficiency in the field of information systems audit, control and security. CISAs who successfully comply with the CPE policy will be better trained to assess information systems and technology and provide leadership and value to their organization.

CISA CPE Policy: English | Chinese Simplified | Chinese Traditional | Dutch | French | German | Hebrew | Italian | Japanese | Korean | Polish | Spanish 

laptop displaying briefcase on screen

Continuing Professional Education (CPE)

To maintain your CISA, you must earn and report a minimum of 120 CPE hours every 3-year reporting cycle and at least 20 hours annually. CPE reporting is due by the end of each calendar year and is required to renew through the following year. For example, to renew through the end of the current year, the CPE requirements of the previous year must be met.

For newly certified CISAs, CPE requirements begin the calendar year after becoming certified. Earning CPE hours during the year of becoming certified is not required. However, hours earned between the date of certification and 31 December of that year can be reported and will automatically apply towards the following year.

How to Earn CPEs   Report CPEs 

dollar bills

Payment of Annual Maintenance Fee

To maintain your CISA, you must complete payment of the annual maintenance fee. This payment is due annually by 1 January and is required to renew through the upcoming calendar year. For example, to renew through the end of the current year, the current year's maintenance fee must be paid by 1 January of the current year.

Invoice notifications are sent both via email and through the post beginning in September for the following year. A payment button will be available within your Certification Dashboard any time that fees are due.

View Certification Dashboard

laptop with magnifying glass

Audit of Continuing Professional Education Hours

Those randomly selected for a CPE audit must provide supporting documentation of all reported activities from a specific calendar year. Those individuals who do not comply with the audit will have their CISA certification revoked.

Recordkeeping
Documentation should be retained for 12 months following the end of each 3-year reporting cycle. Documentation should be in the form of a letter, certificate of completion, attendance roster, Verification of Attendance form or other independent attestation of completion. At a minimum, each record should include the name of the attendee, name of the sponsoring organization, activity title, activity description, activity date, and the number of CPE hours awarded or claimed.

Currently being Audited by ISACA? Learn More

Non-Practicing and Retired Status

ISACA offers a Non-Practicing and a Retired status for individuals who qualify. To learn more information regarding who qualifies, how to apply and other requirements, please visit the Certification Status Options page.


Use of CISA Logo

Individual use of the CISA logo (on items such as business cards, web sites, marketing or promotional materials) is not permitted because it can imply endorsement or affiliation on ISACA’s behalf of that person’s products or services. Individuals can use the CISA acronym after their name (e.g., John Q. Customer, CISA in lieu of the logo).


Revocation

Certified individuals who fail to comply with the CPE Policy will have their credential revoked, will no longer be allowed to present themselves as a certified individual, and will be reported as such on requests for confirmation of certification.


Reconsideration and Appeal

Individuals whose certification has been revoked due to non-compliance with the CPE policy may appeal to be reinstated by written notification to the CISA Working Group. The appeal must include a detailed explanation for the reinstatement request as well as the CPE documentation from the cycle period from revocation to current year. Please submit your appeal to the Customer Experience Center.

If the appeal is approved, the individual must pay any outstanding CISA maintenance fees before being reinstated. Additionally, if the appeal was made more than 60 days after revocation, a $50 Reinstatement Fee will be incurred.

If the appeal is not approved, to return to active will require re-taking and re-passing the exam. The individual must also re-apply for certification with the appropriate experience.

Appeals Policy