How to Maintain Your CISSP: The Complete CPE Credits Guide (2026)
You survived the exam. Now comes the part nobody warns you about: keeping it.

Passing the CISSP felt like finishing a marathon. Six hours of brain-melting questions, weeks of anxious waiting, and then — finally — that beautiful "Congratulations" email from ISC2.
What nobody mentioned was that the marathon never ends. You need to earn CPE credits. Every. Single. Year. For as long as you want those four letters after your name.
I'll be honest: I nearly let my CISSP lapse in my first renewal cycle because I didn't understand the CPE requirements until month 30 of my 36-month cycle. Don't be me. This guide covers everything I wish someone had told me on day one.
CISSP CPE Requirements at a Glance
Let's cut through ISC2's bureaucratic language and make this simple:
| Requirement | Details |
|---|---|
| Total CPEs per cycle | 120 credits over 3 years |
| Annual minimum | 40 credits per year |
| Group A (domain-specific) | Minimum 30 per year |
| Group B (general professional) | Up to 10 per year |
| Annual Maintenance Fee (AMF) | $125 USD per year |
| Certification cycle | 3 years from certification date |
Group A vs. Group B — What's the Difference?
Group A credits must relate directly to the CISSP's 8 domains — security and risk management, asset security, security architecture, communications security, identity management, security assessment, security operations, or software development security.
Group B credits are for general professional development. Things like leadership training, project management courses, or public speaking workshops. They're easier to earn but capped at 10 per year.
⚠️ Common Mistake
Many CISSPs assume they need exactly 40 credits per year. You actually need a minimum of 40. You can earn more in one year and fewer in the next, as long as you hit 120 total over 3 years AND never drop below 40 in any single year. Confusing? Yeah, ISC2 is like that.
The Annual Maintenance Fee (AMF)
In addition to CPEs, you owe ISC2 $125 every year. This is non-negotiable — even if you earned 200 CPE credits, missing the AMF payment can suspend your certification.
The AMF is due on your certification anniversary date. ISC2 sends email reminders, but set your own calendar reminder too. Losing your cert because you missed a $125 payment is... not a story you want to tell.
How to Pay
- Log into your ISC2 member portal
- Navigate to My Credentials → Pay AMF
- Pay by credit card or PayPal
- Some employers reimburse this — always ask!
15 Ways to Earn CISSP CPE Credits (Including Free Options)
Here's where people overthink it. Earning 40 CPEs per year sounds daunting, but once you see the options, you'll realize you're probably already doing some of these without tracking them.
Free CPE Sources
1. ISC2 Webinars (1 CPE each) — ISC2 hosts free webinars almost weekly. Attend live or watch the recordings. These auto-submit to your account. Easiest CPEs you'll ever earn.
2. Security Podcasts (1 CPE per hour) — Listening to security-focused podcasts counts. Darknet Diaries, SANS Internet Storm Center, Security Now — your commute can earn you CPEs.
3. Reading Security Books (5 CPEs per book) — Read a security-related book and submit a brief summary. Five books per year = 25 CPEs. Not bad for something you'd probably do anyway.
4. Practice Exam Apps (varies) — Using practice exam tools for CISSP or related certifications qualifies as self-study. Try ExamCert's CISSP practice questions — studying for other security certs can count toward your CPEs.
5. Volunteering (varies) — Mentoring aspiring security professionals, speaking at local meetups, or volunteering with cyber education programs. ISC2 loves volunteer activities.
6. Writing (varies) — Write a blog post, article, or whitepaper on a security topic. A substantial article can earn 2-5 CPEs depending on depth and length.
Paid CPE Sources
7. Conferences (up to 40 CPEs) — RSA Conference, Black Hat, DEF CON, BSides events. A multi-day conference can knock out an entire year's CPE requirement in one shot.
8. Training Courses (varies) — SANS courses, Coursera specializations, LinkedIn Learning security courses. Anything security-related with a defined hour count.
9. College Courses (40 CPEs per course) — A single security-related college course can give you 40 CPEs. If you're pursuing a degree part-time, this stacks beautifully.
10. Earning Another Certification — Pass the CISM, CCSP, or CEH? That counts for CPE credits. Two birds, one stone.
Often-Overlooked CPE Sources
11. Vendor Training — AWS security training, Azure security courses, GCP security fundamentals. AWS Security Specialty study counts.
12. On-the-Job Learning — New security tool implementation? Incident response exercise? Security audit participation? Document these and submit them as work experience CPEs.
13. Teaching/Mentoring — Teaching a security class or course can earn significant Group A CPEs. Even informal mentoring sessions at work count if you document them.
14. Research Projects — Conducting independent security research, even personal lab work, qualifies as self-study CPEs.
15. Professional Committee Work — Sitting on a security advisory board, participating in standards development, or contributing to open-source security projects.
A Realistic Annual CPE Plan
Here's what a low-effort year looks like — 40+ CPEs without breaking a sweat:
| Activity | CPEs | Time Investment |
|---|---|---|
| 12 ISC2 webinars (1/month) | 12 | 12 hours |
| Security podcasts (2hrs/week) | 10 | Already commuting |
| 3 security books | 15 | Bedtime reading |
| 2 blog posts or articles | 6 | 4-6 hours |
| Total | 43 | Minimal extra effort |
See? That's 43 CPEs and most of it is stuff you'd do as a security professional anyway. The trick is tracking it from day one, not scrambling in month 34.
How to Submit and Track CPE Credits
Submitting Credits
Log into your ISC2 account and navigate to CPE Credits → Submit CPEs. For each activity, you'll need:
- Activity name — what you did
- Group — A or B
- CPE count — hours or predetermined amount
- Date completed
- Supporting info — certificate, URL, description
ISC2 can audit your CPE submissions. Keep proof — certificates, receipts, notes, screenshots — for at least one full cycle beyond when you submit them.
Tracking Tips from Someone Who Almost Blew It
- Create a spreadsheet on day one — date, activity, group, CPEs, proof location
- Submit monthly, not annually — don't let 40 activities pile up
- Set quarterly reminders — "Am I on track for 10 CPEs this quarter?"
- Save all certificates — in a dedicated folder. You'll thank yourself during an audit
What Happens If You Fall Behind?
It depends on how far behind:
Suspension
If you miss your annual CPE minimum or AMF payment, your certification enters suspension. During suspension, you can't use the CISSP title. But you typically get a grace period (usually 90 days) to catch up on CPEs or pay the AMF.
Revocation
If you don't resolve the suspension within the grace period, your certification is revoked. At that point, you'd need to retake the CISSP exam to get recertified. After what that exam put you through the first time... yeah, stay on top of your CPEs.
💡 Pro Tip: Stack Certifications
If you hold multiple ISC2 certifications (CISSP + CCSP, for example), your CPE credits can count toward both. One set of activities maintains multiple certs. Learn more about the CISSP vs CCSP comparison and whether stacking makes sense for you.
CISSP CPE Requirements vs. Other Security Certs
Wondering how CISSP maintenance compares to alternatives? Here's the breakdown:
| Certification | CPE/Year | Annual Fee | Cycle |
|---|---|---|---|
| CISSP | 40 | $125 | 3 years |
| CISM | 20 | $45 | 3 years |
| CISA | 20 | $45 | 3 years |
| CCSP | 30 | $100 | 3 years |
| CEH | 120 total | $80 | 3 years |
CISSP is the most demanding maintenance-wise, but that's partly why it carries such weight. Employers know a current CISSP means you're actively learning, not resting on a cert you earned a decade ago.
FAQ: CISSP CPE Credits
How many CPE credits do I need to maintain my CISSP?
You need 40 CPE credits per year and 120 total over your 3-year cycle. At least 30 per year must be Group A (domain-specific). The remaining 10 can be Group B (general professional development).
How much does CISSP renewal cost?
The AMF is $125 USD per year, paid to ISC2. Over a 3-year cycle, that's $375 just to keep your cert active — before any training costs. Many employers cover this, so always ask.
Can I earn CISSP CPE credits for free?
Absolutely. ISC2 webinars, security podcasts, reading books, writing articles, volunteering — all free. You can realistically earn all 40 annual CPEs without spending a dollar beyond the AMF.
What happens if I don't submit enough CPE credits?
Your certification enters suspension. You can't use the CISSP title during suspension. If you don't resolve it within the grace period (usually 90 days), your cert is revoked and you'd need to retake the exam.
Do ISC2 webinars count as CISSP CPE credits?
Yes, and they're the easiest credits to earn. ISC2 hosts free webinars almost every week. Each 1-hour session earns 1 Group A CPE credit, and they're often auto-submitted to your account.