


CISM Maintenance Requirements

The CISM CPE policy requires the attainment of CPE hours over an annual and three-year certification period. CISMs must comply with the following requirements to retain certification:

  • Earn and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CISM’s knowledge or ability to perform CISM-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
  • Earn and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting cycle period.
  • Pay the CISM annual maintenance fee.
  • Comply with the annual CPE audit if selected.
  • Comply with ISACA’s Code of Professional Ethics.

Failure to comply with these certification requirements will result in the revocation of an individual’s CISM designation. In addition, as all certificates are owned by ISACA, if revoked, the certificate must be destroyed immediately.

The goal of the continuing professional education (CPE) policy is to ensure that all CISMs maintain an adequate level of current knowledge and proficiency in the field of information systems security management. CISMs who successfully comply with the CPE policy will be better equipped to manage, design, oversee and assess an enterprise’s information security.


Continuing Professional Education (CPE)

To maintain your CISM, you must earn and report a minimum of 120 CPE hours every 3-year reporting cycle and at least 20 hours annually. CPE reporting is due by the end of each calendar year and is required to renew through the following year. For example, to renew through the end of the current year, the CPE requirements of the previous year must be met.

For newly certified CISMs, CPE requirements begin the calendar year after becoming certified. Earning CPE hours during the year of becoming certified is not required. However, hours earned between the date of certification and 31 December of that year can be reported and will automatically apply towards the following year.


Annual Maintenance Fee

To maintain your CISM, you must complete payment of the annual maintenance fee. This payment is due annually by 1 January and is required to renew through the upcoming calendar year. For example, to renew through the end of the current year, the current year's maintenance fee must be paid by 1 January of the current year.

Invoice notifications are sent both via email and through the post beginning in September for the following year. A payment button will be available within your Certification Dashboard any time that fees are due.


Audit of Continuing Professional Education Hours

Those randomly selected for a CPE audit must provide supporting documentation of all reported activities from a specific calendar year. Those individuals who do not comply with the audit will have their CISM certification revoked.

Documentation should be retained for 12 months following the end of each 3-year reporting cycle. Documentation should be in the form of a letter, certificate of completion, attendance roster, Verification of Attendance form or other independent attestation of completion. At a minimum, each record should include the name of the attendee, name of the sponsoring organization, activity title, activity description, activity date, and the number of CPE hours awarded or claimed.


Non-Practicing and Retired Status

ISACA offers a Non-Practicing and a Retired status for individuals who qualify. To learn more about who qualifies, how to apply and other requirements, please visit the Certification Status Options page.

Use of CISM Logo

Individual use of the CISM logo (on items such as business cards, web sites, marketing or promotional materials) is not permitted because it can imply endorsement or affiliation on ISACA’s behalf of that person’s products or services. Individuals can use the CISM acronym after their name (e.g., John Q. Customer, CISM) in lieu of the logo.


Certified individuals who fail to comply with the CPE Policy will have their credential revoked, will no longer be allowed to present themselves as a certified individual, and will be reported as such on requests for confirmation of certification.

Reconsideration and Appeal

Individuals whose certification has been revoked due to non-compliance with the CPE policy may appeal to be reinstated by written notification to the CISM Working Group. The appeal must include a detailed explanation for the reinstatement request as well as the CPE documentation from the cycle period from revocation to current year. Please submit your appeal to the Customer Experience Center.

If the appeal is approved, the individual must pay any outstanding CISM maintenance fees before being reinstated. Additionally, if the appeal was made more than 60 days after revocation, a $50 Reinstatement Fee will be incurred.

If the appeal is not approved, returning to active status will require re-taking and re-passing the exam. The individual must also re-apply for certification with the appropriate experience.
