
How to Renew Your CISA Certification

Your CISA stays valid only while you maintain it. To keep it, you report 120 CPE hours across a three-year cycle, post at least 20 each year, and pay a small annual fee — no re-exam required. Here is exactly how ISACA's CPE model works, the fastest ways to earn hours, and what happens if you let it lapse.

Reporting cycle: 3 years
Credits needed: 120 CPE
Annual minimum: 20 / yr
Maintenance fee: ~$45 / $85
ISACA audits: Random

01 The short answer

CISA is maintained on a rolling three-year cycle. You keep it active by reporting 120 Continuing Professional Education (CPE) hours across those three years, posting a minimum of 20 hours every year, and paying an annual maintenance fee to ISACA. Do all three and you never sit the exam again — the certification simply renews each year.

The mistake people make is treating maintenance as a single end-of-cycle task. It is not. CISA carries two clocks running at once: a three-year total of 120 hours and a hard annual floor of 20 hours. Hit the 120 but miss a single yearly minimum and you can still fall out of compliance. The maintenance fee is also due every year, by 1 January, completely independent of where you sit in the CPE cycle. In other words, there is never a year where you can ignore your CISA entirely — even a quiet year still needs 20 hours posted and the fee paid.

That sounds like a lot of moving parts, but the load is light if you spread it out. Twenty hours a year is roughly two days of training, a couple of conferences' worth of sessions, or a steady drip of free ISACA webinars over the year. The holders who get caught out are almost always the ones who do nothing for two years and then try to cram 120 hours into the final stretch — or, worse, who forget the annual fee and let an admin lapse undo years of good standing. Treat it as a small annual habit rather than a deadline and CISA renewal becomes a non-event.

Membership pays for itself. An ISACA membership lowers your annual maintenance fee and opens up a large library of free, auto-tracked CPE. For most CISA holders the membership cost is offset by the cheaper renewal and the free hours alone — which is why ISACA membership is strongly recommended alongside the certification.

02 The CPE requirement, in detail

The headline number is 120, but ISACA's CPE policy is really a set of rules working together. Miss any one of them and the certification is at risk, so it is worth seeing them laid out side by side before you plan your year.

| Requirement | Amount | What counts |
| --- | --- | --- |
| Total CPEs / cycle | 120 over 3 years | All qualifying activities combined across the reporting period |
| Annual minimum | At least 20 / year | A hard floor — you must post 20 hours in every year, not just average it out |
| What qualifies | Relevant hours only | Activities tied to information systems audit, control, assurance or security — the CISA job practice |
| Audit risk | Random sample | ISACA audits a percentage of holders each year; you must produce evidence for everything claimed |

The "what qualifies" line is the one most people get wrong. CISA CPE hours are not a free-for-all — they have to relate to the CISA job practice: information systems audit, control, assurance, or security. A generic leadership webinar or an unrelated industry certification will not count toward your CISA hours, even if it was genuinely useful. When in doubt, ask whether the activity maintains or grows the knowledge a CISA is expected to have. If yes, claim it and keep the evidence; if not, log it elsewhere.

Keep your evidence. CPEs are self-reported in the ISACA portal, but if you are picked for a random audit you must supply documentation — certificates of completion, attendance rosters, or independent attestations — with the activity title, date, sponsor and hours. ISACA advises retaining records for at least 12 months after each cycle ends. Hours you cannot evidence can be struck, which may drop you below the threshold and put your certification in jeopardy.

03 The fastest ways to earn CPE hours

You do not need to spend much to reach 120. A blend of free and paid activities — several of which overlap with your day job — gets you there comfortably across three years. The trick is to mix a few high-volume sources, like a conference, with a steady background of small free hours so you always clear the annual 20 even in a busy year. Below are the six routes most CISA holders lean on, with a rough sense of the value each delivers.

ISACA webinars & free CPE (FREE · ~1 CPE / HR): ISACA members get a steady stream of free, on-demand webinars and the free CPE programme — most auto-track to your record, so the hours post themselves.
Chapter events & meetings (FREE/LOW · LOCAL): Your local ISACA chapter runs talks, seminars and training nights. Attendance earns CPEs and you keep the sign-in or confirmation as evidence.
Conferences (PAID · BIG BATCH): A multi-day ISACA conference or industry event can earn 20–40 CPEs in one go — often the single fastest way to clear most of a cycle.
Courses & training (FREE/PAID · 1 CPE / HR): Structured courses, vendor training, and online labs count when they map to IS audit, control or security. Keep the completion certificate for your file.
Teach, present or write (PREMIUM RATE): Delivering training, speaking at an event, or publishing an article earns CPEs at a premium — preparing new material the first time counts for more.
Relevant work & writing (DOCUMENTED): Some qualifying on-the-job work, contributing to ISACA, or authoring relevant content can count. Document it carefully so it survives an audit.

Pace beats panic: ~3.3 CPEs a month clears 120 over three years, and never drops you below the 20-a-year floor. One free ISACA webinar a fortnight plus one conference per cycle and you are essentially done without thinking about it.

04 The renewal cycle, step by step

Repeats every 3 years:

1. Earn CPEs: Accumulate relevant hours year-round from webinars, chapter events, training and work — never under 20 in a year.
2. Report them: Log each activity in the ISACA portal and keep your supporting evidence on file in case of a random audit.
3. Pay the fee: Pay the annual maintenance fee by 1 January — every year, not just at the end of the cycle.
4. Stay certified: Hit 120 CPEs by the end of the 3-year cycle and the certification renews — no re-exam.

Watch both clocks. The reporting cycle is three years, but the 20-hour minimum and the maintenance fee are annual. Confirm your exact deadlines and balance in the ISACA portal rather than assuming — the fee deadline of 1 January is firm.

05 What happens if your CISA falls short

Falling behind is recoverable if you act, but costly if you ignore it. There are two distinct ways to slip — an annual shortfall and a cycle-or-fee failure — and both lead to the same place if left unaddressed. Knowing which one you are facing tells you how urgently you need to move.

Miss the annual 20-hour minimum: failing to post at least 20 CPE hours in a year puts you out of compliance even if your three-year total looks healthy. ISACA can require you to make up the shortfall to stay in good standing.
Miss the cycle total or the fee: not reaching 120 hours by the end of the cycle, or not paying the annual maintenance fee, results in revocation of your CISA designation. Failing or not complying with a random audit leads to the same outcome.
Re-earning it: once a CISA is revoked you generally have to sit and pass the CISA exam again to get it back — the full exam fee plus weeks of study, far more than staying current ever costs. Acting before a deadline is always cheaper than recovering after one.

The practical takeaway is simple: set two reminders. One for late December, to confirm your annual maintenance fee is paid before the 1 January deadline and that you have cleared at least 20 hours for the year. One for the start of your final cycle year, to check your running total against 120 with enough runway to book a conference or batch of courses if you are short. Two calendar entries a year is all it takes to keep a credential you spent months earning — and to make renewal genuinely automatic rather than a scramble.

06 FAQ

How many CPE hours does CISA renewal require?

You must earn and report at least 120 CPE hours over each three-year reporting cycle to keep your CISA, which works out to about 40 per year. There is also a hard floor: you must report a minimum of 20 CPE hours every single year. The hours must relate to information systems audit, control, assurance or security.

How much does it cost to maintain a CISA?

ISACA charges an annual maintenance fee, due by 1 January each year. It is commonly around US$45 for ISACA members and US$85 for non-members. Keeping an ISACA membership is recommended because it lowers the maintenance fee and unlocks free CPE. Always confirm the current amounts on the ISACA website, as fees can change.

What happens if my CISA expires?

If you do not meet the CPE requirement or pay the maintenance fee, ISACA can revoke your CISA designation. ISACA also audits a random sample of certification holders each year, so you must keep evidence of every activity. A revoked CISA generally has to be re-earned by sitting and passing the CISA exam again, which costs far more than staying current.

Can I renew CISA without retaking the exam?

Yes. The normal path is maintenance by CPE: report 120 CPE hours across three years, meet the 20-hour annual minimum, and pay the annual maintenance fee. Do that and you never retake the exam. Re-sitting the exam is only required if you let the certification lapse and it is revoked.

ExamCert Team · Certified security & cloud pros helping you stay certified.