
ISACA Certification Renewal: CPE Requirements for CISA, CISM, and CRISC

How to keep your CISA, CISM, or CRISC active — the annual and three-year CPE (continuing professional education) requirements, maintenance fees, reporting, and how to avoid losing your certification.

Earning a CISA, CISM, or CRISC is a milestone, but the credential is not permanent on its own — ISACA certifications must be maintained through continuing professional education (CPE) and annual fees. The good news is that the requirements are consistent across these credentials, so once you understand the model for one, you understand it for all of them. Always confirm the current numbers and policy on the official ISACA site, as they are periodically updated.

The CPE model (the same for CISA, CISM, and CRISC)

ISACA uses a rolling continuing-education requirement with two thresholds you must satisfy at the same time:

  • Annual minimum: earn at least 20 CPE hours each year.
  • Three-year total: earn at least 120 CPE hours over every rolling three-year reporting cycle.
  • Both must be met: 120 over three years does not excuse a year below 20, and three years at the 20-hour minimum total only 60, well short of 120.

One model, multiple certifications

CISA, CISM, and CRISC all use the 20-per-year / 120-per-three-years CPE structure. If you hold more than one, some qualifying activities can count toward multiple certifications, but each credential is tracked and reported separately.

What counts as CPE

CPE is meant to keep your skills current. A wide range of professional development qualifies, typically including:

  • Attending conferences, webinars, training courses, and workshops.
  • ISACA chapter meetings and professional association events.
  • Teaching, presenting, or developing training related to the certification.
  • Publishing articles, papers, or books on relevant topics.
  • Passing other related professional exams or completing university coursework.
  • Contributing to ISACA (volunteering, item writing, committee work).

Fees and reporting

Maintaining a certification involves an annual maintenance fee (ISACA members pay a lower rate than non-members), paid separately for each credential you hold. You are responsible for tracking your CPE hours and reporting them through your ISACA account, and you must retain documentation in case you are selected for audit. ISACA audits a sample of certified professionals each year to verify reported CPE, so keep certificates and records for the activities you claim.

What happens if you fall short

If you miss the CPE requirement or do not pay the maintenance fee, your certification moves toward an inactive or revoked status. The exact remediation path and any grace provisions are set by ISACA policy, but the safest course is simple: do not let it lapse. Re-earning a revoked credential can mean retaking the exam, which is a far larger cost than staying current.

  • Log CPE hours as you earn them, not at year end — it is easy to lose track.
  • Spread activity across the year so you clear the 20-hour annual minimum, not just the three-year total.
  • Pay the maintenance fee on time for each credential.
  • Keep documentation for every activity you claim, in case of audit.

Frequently asked questions

How many CPE hours do I need for CISA, CISM, or CRISC?

All three use the same model: a minimum of 20 CPE hours per year and at least 120 CPE hours over every rolling three-year cycle. Both thresholds must be met at once. Confirm current figures on the official ISACA site.

Is there a fee to maintain an ISACA certification?

Yes. Each credential carries an annual maintenance fee, with a lower rate for ISACA members. If you hold multiple certifications, you pay a maintenance fee for each one.

What happens if I do not meet the CPE requirement?

Missing the CPE requirement or maintenance fee moves your certification toward inactive or revoked status. The safest path is to stay current, because re-earning a revoked credential can require retaking the exam.

Can one activity count toward multiple ISACA certifications?

Often yes — if an activity is relevant to more than one credential you hold, it can typically count toward each, but you report and track CPE separately for every certification. Check ISACA’s current CPE policy for the specifics.
