Renewal requirements for the CISSP certification
The ISC2 Certified Information Systems Security Professional (CISSP) certification is considered the gold standard in information security credentials. A person with this designation is deemed to have sufficient technical knowledge and skills to develop or enhance a security program.
There are stringent requirements that must be met to become recognized as a CISSP:
- Have five years of cumulative, paid work experience in two or more of the eight domains of the ISC2 CISSP common body of knowledge (CBK).
- Pass a three-hour CISSP exam consisting of 100 to 150 questions for the computerized adaptive testing (CAT). Alternatively, answer 250 questions in a six-hour testing window if taking the linear, fixed-form test administered in all other languages.
- Get endorsed by an ISC2-certified professional who is currently an active member. This endorsement must happen no later than nine months after the date of the exam; otherwise, retaking the exam is required.
- Recertify every three years to maintain your CISSP-certified status.
Here are some frequently asked questions about CISSP recertification and renewal requirements.
Want to know how much other CISSP holders earn? Download your free Cybersecurity salary guide to find out.
Earn your CISSP, guaranteed!
How long is the CISSP certification good for?
Your CISSP certification is valid for three years, but you can maintain it indefinitely by following certain requirements. As per ISC2’s member policies, you must earn a minimum amount of continuing professional education (CPE) credits for each of your three-year certification cycles and pay an annual maintenance fee (AMF).
Note: ISC2 allows certified members and associates a 90-day grace period to fulfill the AMF and CPE requirements on time.
What are CISSP CPEs?
Part of the renewal requirements for those holding the CISSP is meeting a certain amount of CPE credits over the course of your three-year certification cycle. Failure to comply will result in the revocation of an individual’s CISSP designation, which means they’d have to retake the exam to get recertified.
To satisfy the CISSP CPE requirements, beginning the calendar year after becoming certified, members need to engage in activities that directly relate to the domains of the certification (which earn you “Group A” credits) or that are outside the domains but still part of the general professional development (which give you “Group B” credits).
What are CISSP AMFs?
ISC2-certified members pay a single AMF of $135 (regardless of how many certifications they earn). This is due each year upon the anniversary of your certification date. Associates of ISC2 pay an AMF of $50, which is also due each year.
Failure to pay within 90 days will result in certification suspension. The reinstatement fee is $600, in addition to the application fee of $100 and your AMF costs. This has to be paid before you can register for an exam by creating an account with Pearson VUE.
What is the code of ethics?
The Code of Ethics, or “The Code,” must be adhered to by all information security professionals recognized and certified by ISC2, not just CISSPs. The Code is composed of four mandatory canons:
- Protect society, the common good, necessary public trust and confidence and the infrastructure
- Act honorably, honestly, justly, responsibly and legally
- Provide diligent and competent service to principles
- Advance and protect the profession
Members who violate any clause of The Code, whether knowingly or unknowingly, will be subject to action, which can result in the cancellation of their certification.
What are the CISSP CPE maintenance requirements?
Certified members have to earn and submit the following CPE credits: 40 per year (recommended) and 120 by the end of the three-year cycle (required).
CISSP CPE activities must be completed during the three years and no later than the expiration date stated in the certification. You can submit your CISSP CPE credits after the expiration date (but not more than 90 days after). However, those credits must have been earned before the expiration date.
What are the various CISSP CPE activities?
Work completed as part of the regular job of a CISSP does not qualify for CPE credits. Instead, you earn credits by attending training sessions, conferences, seminars and similar activities, where you can gain a high level of knowledge or skill.
The activities are divided into Group A (directly related to the domain) and Group B credits (professional development skills, education, knowledge or competency outside the domain). Here are some examples of the CISSP CPEs for which a member can earn credits:
Group A credits:
- Attending a conference (in-person or virtual), educational course, seminar or presentation in communication and network security
- Publishing a book, whitepaper or article on security operations
- Serving as a subject matter expert (SME) for a panel discussion on asset security
Group B credits:
- Technical skill sets not in information security, such as programming languages
- Management-oriented events that promote development in skills like communication and teamwork
- Project planning activities that expand their knowledge base to perform well at the tasks given
These are just examples, and many other activities can be claimed as CPE credits.
Members in “good standing” need not fret about CPE activities, as ISC2 has made them simple for members to access.
How are CPE credits calculated?
The CPE credits are weighed by the CPE activities you attend or participate in. In general, you earn one CPE credit per hour spent on an educational activity, although some are worth more credits. Here are a few examples of CPE opportunities:
- Attendance at conferences (both groups): Attendees in conferences related to cybersecurity will qualify for one Group A credit per hour, while other educational conferences (not related to the domains) receive one Group B credit per hour.
- Attendance at vendor presentations (Group A only): Group A credit is awarded for attending vendor presentations, as long as the presentation is educational and related to a CISSP domain.
- Completion of self-study, computer-based training (CBT) and podcasts (both groups): Attendance and completion of any of these activities will award one credit per hour for the member. Members should keep attendance records at any of these to provide details if they get audited.
- Volunteering for government and charitable organizations (Group A only): Each hour of volunteer work will earn you one CPE credit. The volunteer work must be related to the member’s credential since they earn you Group A credits.
- Reading information security books (Group A only): One completed book equals five CISSP CPE credits. Only one book per year is allowed in this instance. After completing the book, you must submit a summary of the information gained from the book.
What will happen if I don't meet the requirements for renewal?
Should a member fail to meet any of the requirements stated above, they will have the CISSP certification canceled or revoked. Also, if a member allows their certification to expire without renewing it prior to the expiration date, the certification is considered canceled. However, membership can be regained even after the certification has been canceled by retaking the exam.
There are two ways to regain membership if the certification is revoked:
Retaking the exam or by appeal
- Appeal: The ISC2 board hears appeals. To formally file an appeal, you have to put it in writing and submit it to the board within 90 days of any event (such as denial of CPE credits or certification expiration). The board will convene on a decision and send out a formal written response. This decision is considered final.
- Retaking the exam: A member can retake the exam to re-obtain their certification. The member will have to go through the same process they did the first time regarding scheduling the exam, paying for the examination fee and taking and successfully passing the test. If a prior member successfully passes the exam, they will have to contact the member services department to reactivate their certification.
Earn your CISSP, guaranteed!
Renewing your CISSP certification
CPEs are a crucial part of staying a certified information security professional and continuing to learn in an ever-changing industry. Earning CPE credits not only helps individuals maintain their certification but also helps them grow as professionals.
The steps for obtaining and maintaining a CISSP certificate may be tedious, but it’s a necessity in order to keep up with the ever-evolving world of information. This helps the ISC2 ensure the highest standards when it comes to the cybersecurity professionals it certifies.
Considering taking the exam for the first time? You may find these resources helpful:
In this Series
- Renewal requirements for the CISSP certification
- CISSP domains overview: Your complete preparation guide
- What is the ISC2 ISSMP (Information Systems Security Management Professional) certification?
- What is the ISC2 ISSEP (Information Systems Security Engineering Professional) certification?
- What is the ISC2 ISSAP (Information Systems Security Architecture Professional) certification?
- CISSP experience waiver: What you need to know
- CISSP concentrations: How ISSAP, ISSMP & ISSEP have changed
- Mitigating access control attacks in the CISSP exam
- CISSP DoD 8140: What changed from DoD 8570?
- CISSP jobs in 2025: Cybersecurity manager outlook and career opportunities
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring
- CISSP interview prep: 10 common questions and answers
- CISSP resources: Free books, videos, practice exams and other study tools
- CISSP certification cost and requirements (2025): Your complete preparation guide
- Perimeter defenses: What you need to know for the CISSP exam
- Understanding control frameworks and the CISSP
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- Due care vs. due diligence: What you need to know for the CISSP exam
- The ISC2 code of ethics: A binding requirement for certification
- Security governance principles: What you need to know for the CISSP exam
- Understanding access control: A CISSP certification guide
- Secure communication channels: What you need to know for the CISSP exam
- Risk management concepts and the CISSP
- CISSP: Business continuity planning and exercises
- Data and system ownership in the CISSP exam
- Information and asset classification in the CISSP exam
- Incident management and the CISSP exam: What you need to know
- CISSP prep: Security policies, standards, procedures and guidelines
- Earning CPE credits to maintain the CISSP
- Data security controls and the CISSP exam
- CISSP: Disaster recovery processes and plans
- Vulnerability and patch management in the CISSP exam
- Secure system design principles: CISSP exam concepts and frameworks
- Certification and accreditation: What’s on the CISSP exam?
- Change management and the CISSP
- Threat modeling and the CISSP
- CISSP exam questions: 5 drag & drop and hotspot questions
- CISSP certification salary: A comprehensive 2025 salary guide
- 8 tips for CISSP exam success in 2025
- Environmental controls and the CISSP
