How to Renew Your CISM Certification
Your CISM runs on a three-year CPE cycle. To keep it, you report 120 CPE hours — at least 20 every year — and pay a small annual maintenance fee. No re-exam required. Here is exactly how ISACA's CPE model works, the fastest ways to earn hours, and what happens if you let it lapse.

01 The short answer
The trap people fall into is treating renewal as one big push at the end. CISM does not allow that: the 20-hour annual floor means you cannot bank everything into year three and coast through years one and two. The maintenance fee is also due every year by 1 January, independent of where you are in the CPE cycle. Miss either and ISACA can revoke the credential outright.
It helps to think of CISM maintenance as two parallel obligations rather than one. The first is the CPE obligation — demonstrating you have kept your knowledge current through continuing education. The second is the financial obligation — the annual maintenance fee that keeps your record in good standing. Both have to be satisfied; being a CPE high-achiever does not excuse a missed fee, and paying the fee does not buy you out of the education requirement. Plenty of otherwise diligent professionals lose their designation not because they stopped learning, but because a fee invoice slipped past on a changed email address.
02 The CPE requirement, in detail
Unlike some credentials, CISM does not split your hours into technical and general groups. Instead it imposes a total and an annual floor, and it expects every hour to relate to the CISM job practice — information security management. That single rule shapes everything about how you should choose your activities: a hands-on packet-capture lab might be excellent learning, but if you cannot tie it back to security strategy, governance, risk or incident management, it is a weaker fit for CISM than, say, a workshop on building a risk register or chairing a tabletop exercise.
| Requirement | Amount | What it means |
|---|---|---|
| Total CPEs / cycle | 120 over 3 years | The headline figure — roughly 40 hours a year on average |
| Annual minimum | At least 20 / year | A hard floor each calendar year — you cannot skip a year and make it up later |
| What qualifies | Management-relevant | Security strategy, governance, risk management, incident management, programme leadership — activities tied to the CISM job practice |
| Evidence | Keep records | Certificates, agendas and attendance proof, retained in case of audit |
The annual minimum deserves a second look, because it is where most lapses originate. A professional who earns 100 hours in year one, 18 in year two, and 30 in year three has comfortably cleared 120 in total — but is still non-compliant, because year two fell below 20. ISACA treats each year as its own checkpoint. The safest mental model is to forget the 120 figure during the year and simply ask, every December, “have I logged my 20 yet?” If the answer is yes every year, the cycle total takes care of itself.
03 The fastest ways to earn CPE hours
You do not need to spend a fortune to clear 120 hours. A blend of free ISACA resources and activities you already do at work gets you there — just keep them anchored to security management rather than pure tech. The six routes below cover the spectrum from no-cost to premium-rate; most CISM holders use three or four of them in rotation, leaning on the free options for the steady annual baseline and saving a conference or course for the years they want to bank a big batch.
ISACA webinars & on-demand CPE
ISACA members get free webinars, the CPE on-demand library, and Journal quizzes — many auto-post hours straight to your record. The easiest, cheapest baseline.
Chapter events & meetings
Local ISACA chapter meetings, study groups and volunteering count, are usually free or cheap, and keep you networked into the security management community.
Conferences & ISACA events
A multi-day governance, risk or security conference can earn 20–40 CPEs in one go — often the single fastest way to clear most of a year.
Management & security courses
Structured training in risk, governance, leadership or security programme management maps cleanly to CISM. Keep the completion certificate for your file.
Teach, present or write
Delivering training, speaking at an event, mentoring or publishing an article earns CPEs at a premium — and first-time delivery of new material counts for more.
Relevant work projects
Leading a risk assessment, building a security strategy, or running incident response can count when it develops your management capability — document the scope and your role.
04 The renewal cycle, step by step
Repeats every 3 years
Earn CPEs
Accumulate security-management hours year-round from webinars, events, courses and work — never fewer than 20 in a year.
Report them
Log each activity in your ISACA portal and keep certificates and agendas on file in case you are selected for audit.
Pay the fee
Settle the annual maintenance fee by 1 January each year — every year, not just at the end of the cycle.
Stay certified
Hit 120 CPEs by the close of the 3-year cycle and the certification renews — no re-exam, no scramble.
05 What happens if you fall short
CISM is less forgiving than some credentials — there is no group-credit cushion, and two separate things can sink you. Here is the sequence, and why catching a shortfall early matters so much more than fixing it late.
The economics make the case on their own. The annual maintenance fee plus a handful of free ISACA webinars costs you very little each year and a few hours of attention. Re-earning a revoked CISM, by contrast, means the full exam fee, weeks of study to rebuild four domains of knowledge, and potentially re-establishing the work-experience requirement — on top of the professional awkwardness of explaining a lapsed credential. Set two recurring calendar reminders, one in late autumn to check your CPE tally and one in December for the fee, and the entire risk evaporates.
06 FAQ
How many CPE hours does CISM renewal require?
You must earn at least 120 CPE hours over each three-year reporting cycle, about 40 per year. ISACA also enforces a minimum of 20 CPE hours every single year, so you cannot bank everything into one year. The activities must relate to information security management and the CISM job practice.
How much does it cost to maintain a CISM?
ISACA charges an annual maintenance fee for CISM, which is around US$45 for ISACA members and US$85 for non-members, due by 1 January each year. Holding active ISACA membership is recommended because it lowers the fee and unlocks free CPE resources. The maintenance fee is separate from the cost of any activities you use to earn CPE hours.
What happens if my CISM lapses?
If you miss the CPE requirement or fail to pay the annual maintenance fee, ISACA revokes your CISM designation, and because ISACA owns the certification you can no longer claim it on your CV or LinkedIn. Reinstatement is at ISACA's discretion and may require re-earning the credential, so it is far cheaper to stay current with your 20 hours a year and pay the fee on time.
Can I renew CISM without retaking the exam?
Yes. The normal path is recertification by CPE: report 120 CPE hours across three years with at least 20 each year, comply with the CPE policy, and pay the annual maintenance fee, and you never retake the exam. Re-sitting only becomes relevant if you let the certification lapse and have to re-earn it.
