ISACA uses 50-minute hours. ISC2 uses 60-minute hours. Yes, it's confusing.
This guide covers the CPE requirements for both certification bodies, based on the official ISC2 CPE Handbook 2023 and the ISACA CISM CPE Policy.
The Basics
CPEs (Continuing Professional Education credits) are how certification bodies verify you're still learning. It's the deal you make when you get certified: you prove ongoing education, they let you keep the letters after your name.
Both ISACA and ISC2 take this seriously. Miss your requirements, and you lose your certification. I've seen it happen to people who simply forgot to track their credits.
CPE Rules for ISACA CISM
To maintain your ISACA CISM certification, you need to meet the following requirements:
- Annual Requirement: Earn and report a minimum of 20 CPE hours each year. Please note that 40 CPE hours is recommended annually.
- Three-Year Requirement: Earn and report a minimum of 120 CPE hours over three years.
- Documentation: Keep proof of your activities, such as attendance certificates or signed verification forms, for at least 12 months after the reporting cycle.
How to Calculate ISACA CPEs
ISACA uses a straightforward formula to calculate CPE hours:
- 1 CPE hour = 50 minutes of active participation in a qualifying educational activity.
- CPE hours can be rounded to the nearest quarter-hour.
Example Calculation #1:
If you attend a one-day seminar lasting 8 hours (480 minutes), deduct 1 hour (60 minutes) for lunch and two 15-minute breaks:
- Eligible Time = 480 minutes - 90 minutes (breaks) = 390 minutes
- CPE Hours = 390 ÷ 50 = 7.8 (rounded to 7.75 CPEs)
Example Calculation #2:
If you attend a 45-minute webinar:
- CPE Hours = 45 ÷ 50 = 0.9 (rounded to 0.75 CPEs)
Example Calculation #3:
If you participate in an 85-minute webinar:
- CPE Hours = 85 ÷ 50 = 1.7 (rounded to 1.75 CPEs)
For detailed information, refer to the "Calculating CPE Hours" section in the ISACA CISM policy document.
CPE Rules for ISC2 Certifications
For ISC2 certifications, like CISSP or CCSP, the requirements vary slightly:
- Three-Year Requirement: The total number of CPEs required depends on your specific certification. For example:
- CISSP: 120 CPEs in three years.
- CCSP: 90 CPEs in three years.
- Group A vs. Group B Credits:
- Group A credits: Relate directly to the domains of your certification (e.g., cybersecurity).
- Group B credits: Focus on general professional development (e.g., leadership skills).
- Annual Maintenance Fee (AMF): Ensure you pay your AMF each year to keep your certification in good standing.
How to Calculate ISC2 CPEs
ISC2 also uses a simple calculation:
- 1 CPE credit = 1 hour of time spent on a qualifying activity.
- Credits can be reported in increments of 0.25, 0.50, or 0.75.
Example Calculation #1:
If you complete a 3-hour webinar:
- CPE Hours = 3.0 hours (no rounding needed)
Example Calculation #2:
If you attend a 45-minute webinar:
- CPE Hours = 45 ÷ 60 = 0.75
Example Calculation #3:
If you participate in an 85-minute webinar:
- CPE Hours = 85 ÷ 60 = 1.4167
- Rounded to the nearest 0.25 increment = 1.5
Special Note:
You can earn up to 40 CPEs for a single activity. For multi-day events, use the end date to determine the applicable certification cycle.
For more details, check the "Calculating CPE Credits" section in the CPE Handbook 2023.
Pro Tips for Beginners
- Track Early and Often: Use the online portals provided by ISACA and ISC2 to log your CPEs as you complete them. Both organizations offer tools to help manage your credits.
- Understand Qualifying Activities:
- For ISACA: Activities like attending ISACA events, university courses, and writing articles can qualify.
- For ISC2: Domain-related webinars, conferences, and professional development courses count.
- Explore CPE Resources:
- BrightTALK - Webinars on cybersecurity and governance, often offering CPEs.
- ISACA eLearning - ISACA's training hub with webinars and on-demand content.
- ISC2 Professional Development Institute - Free and premium courses tailored for ISC2 certifications.
- Cybrary - Cybersecurity and IT management training courses.
- SANS Webcasts - High-quality webcasts with CPE opportunities.
- ITProTV - IT and cybersecurity training videos.
- LinkedIn Learning - Courses on cybersecurity and professional development.
- Black Hat Events - Cybersecurity conferences and webinars.
- ISC2 Webinars - Domain-specific webinars for ISC2 certifications.
- Retain Documentation: In case of an audit, you'll need proof like certificates of completion or detailed descriptions of your activities.
- Don't Forget Deadlines:
- ISACA requires CPE submissions by 15 January annually.
- ISC2 allows for a 90-day grace period at the end of your cycle.
The Real Frustration
Here's what nobody tells you about CPEs: tracking them is genuinely tedious. Different organizations have different portals, different calculation methods, and different reporting deadlines. If you hold certifications from both ISACA and ISC2, you're managing two separate systems with two separate sets of rules.
Certification holders spend more time than they'd like digging through old emails looking for webinar certificates or trying to remember whether a 45-minute session counted as 0.75 or 0.9 CPEs for a particular certification.
The organizations provide tracking portals, but they only track what you manually enter. The burden is on you.
A Practical Approach
Here's what works:
- Log CPEs immediately. The moment a webinar or course finishes, log it. Waiting means forgetting.
- Keep all certificates in one place. A dedicated folder in cloud storage. Every certificate of completion goes there.
- Front-load the year. Don't wait until December to scramble for credits. Try to have the minimum covered by September.
- Look for double-dipping opportunities. Many activities qualify for both ISACA and ISC2 credits. Same learning, twice the credit.
Tracking CPEs across multiple certifications is exactly the kind of administrative burden that adds up over time. That's one of the problems we're solving with TL;CR Portal—automated CPE tracking that works across certification bodies. Learn more.
