You have earned your CISSP. Now, it’s time to maintain it by earning continuing professional education (CPE) credits. A single (ISC)² CISSP CPE credit is one hour, and you can earn credits by doing all kinds of things related (and some not related) to security.
How many CPEs do you need to keep the CISSP active? You need 120 credits over a 3-year cycle, with 40 credits annually at a minimum. To see the CPE requirements in great detail, check out the (ISC)² CPE Overview page (requires sign-in).
If you get more than 40 credits in a year, the extra credits roll over into the following year. Your annual CPE cycle starts the 1st of the month after your endorsement is approved and your AMF is paid.
Ideas for CPEs
The (ISC)² Earn CPEs page shows a few opportunities to earn CPEs, mostly through (ISC)² offerings. To get some ideas of what else you can do, read more below.
To get an idea of how many CPEs these activities will earn, check out the (ISC)² CPE Handbook for the most up-to-date count of credits each activity can earn. There are caps in nearly every category as well.
As you go through each continuing educational opportunity, just keep a running list of activities with the name of the event, the date, and total time. The more receipts the better:
- Screenshots
- Certificates of completion
- Official meeting notes, rosters, attendance, or minutes
- Transcripts or Diplomas
Reading
Be prepared to write a 250-word summary on the topic you read to get credit. Publications with (ISC)² partnerships can make things easier but are not required to claim CPEs.
- Books
- Magazines like Information Security magazine
- Whitepapers
Fiction
- CyberStorm: A Novel
- The Mezonic Agenda: Hacking the Presidency
- Stealing the Network (Cyber-Fiction Series)
Engage with the Community
- Volunteer at a local school's STEM events.
- Join a local user group.
  - Includes local (ISC)² chapter and general information security meetup groups.
- Attend a local security event.
  - All other local events like seminars and more.
Attend Conferences
- (ISC)² Security Congress
  - I went to SC in 2015 (holy cow, has it been over 4 years already!?). It was great. I’m looking forward to finally making my return as an (ISC)² member.
  - Up to 28 CPEs with an additional 2 for town hall meeting.
- Black Hat
- RSA
Education
- Take professional development opportunities in any field.
  - A third of your CPEs (40) can be used for non-security-related topics.
  - Have mandatory training requirements at your job? You can add these to your CPE list! Don’t slouch on bootcamps.
- Finish your degree or get that MBA.
  - All college courses are eligible.
Online Courses
- Coursera
- Cybrary.it
- EdX
- Udemy
- LinkedIn Learning
Hands On Learning
- Participate in a public bug bounty program.
- Hack the Box Pen-Testing Labs.
Webinars
Webinars are great. You can easily find them on tools you use or topics related to your job. Catch one or a couple a week.
- (ISC)² Webinars
- Infosecurity Magazine Webinars
- BrightTALK Webinars
  - These are essentially vendor marketing channels, so join these, especially with a full profile, at your own risk.
  - On the flip side, your CPEs automatically get submitted to (ISC)².
- SANS Webcasts (free account required)
- ISACA Webinars
- Ultimate IT Security Webinars
- BeyondTrust Webinars
Online Videos
Podcasts
Keep track of what you listen to and provide a brief summary of each episode.
- 7 Minute Security
- Don't Panic from Unit 42 (Palo Alto)
- ISF
- OWASP (recently migrated, here’s old link)
- SANS StormCast
- Software Engineering Institute
- Threatpost
Vendor Events
- Attend an (ISC)² Certification Exam Development Workshop.
- Invite a security vendor or service provider to present at your company or group.
  - This is basically a webinar in person.
Create Something
This is great if you already create stuff as I do. However, they appear to be stingy with the CPEs that are awarded for this type of work.
- Write blog posts
- Write magazine articles
- Author books
- Author online courses
- Give presentations
- Create workshops, curriculum, workbooks, etc.
Conclusion
The number of CPEs it takes to keep going seems like a lot. It can be if you try to do everything at once, but if you keep track of what you’re already doing, you’ll be fine.
What if you don’t do this? Well, be prepared to take the CISSP exam again if you don’t maintain your status.
Let me know in the comments below which way you prefer to earn your CPEs. My favorite so far is attending conferences. I love connecting with new people and learning new information. Plus it covers nearly an entire year of CPE requirements.
If you want additional information covered on this topic or if anything needs to be corrected above, let me know that as well. Happy learning!