How to maintain your CISA certification: CPE and renewal requirements
ISACA's Certified Information Systems Auditor (CISA) certification is one of the most recognized credentials for IT auditors worldwide. Organizations across industries look for this certification when hiring professionals in information systems audit, control and security.
Earning your CISA takes serious dedication. You'll need to pass a four-hour exam with 150 questions covering five CISA domains, demonstrate at least five years of experience in information systems (IS) audit, control, assurance or security, and commit to following ISACA's Code of Professional Ethics.
After investing all that time and effort into obtaining your CISA certification, the last thing you want is to lose it because you missed a maintenance deadline. The good news? Maintaining your CISA CPE requirements and keeping your credentials current is much simpler than earning the certification in the first place.
ISACA certifications like CISA are highly valued in the industry and can lead to higher salaries and better career opportunities. Infosec has created a presentation identifying the most lucrative roles and the part that CISA and other certifications can play. Sign up for the free webinar to learn more.

Earn your CISA, guaranteed!
Get your CISA live online or on-site, backed with an Exam Pass Guarantee!
Understanding ISACA's continuing professional education (CPE) policy
The CISA certification maintains its reputation because it ensures IS auditors stay prepared for real-world challenges. That's the foundation of ISACA's continuing professional education (CPE) policy, which requires all CISAs to maintain current knowledge and proficiency in information systems audit, control and security.
According to ISACA, complying with the CPE policy means professionals continuously improve their ability to assess information systems and technology while providing leadership and value to their organizations.
CISA CPE maintenance requirements
Maintaining your CISA certification is straightforward. Here's what you need to do:
- Earn and report a minimum of 20 CPE hours annually
- Obtain and report a minimum of 120 CPE hours over each three-year reporting period
- Submit annual CPE maintenance fees to ISACA international headquarters ($45 for ISACA members and $85 for non-members)
- Be prepared to submit documentation of CPE activities if selected for the annual audit
- Continuously comply with ISACA's Code of Professional Ethics
- Continuously abide by ISACA's IT auditing standards
How long is the CISA certification valid?
A full CISA renewal cycle runs three years. This means paying the maintenance fee annually (three times per cycle) and reporting your CPE earnings every year.
You cannot make a single payment for the entire three-year period or report all 120 required CPE hours at once. Failing to meet these annual requirements may result in revocation of your CISA designation.
How to earn CISA CPE credits
While paying the maintenance fee is simple, earning continuing professional education credits requires completing specific educational activities. These must include technical or managerial training directly applicable to assessing information systems or improving audit, control, security or managerial skills in CISA job practices. The CISA Certification Committee sets and approves all CPE requirements.
You have numerous options for earning CPE credits, including:
- ISACA professional education activities and meetings (no limit)
- Non-ISACA professional education activities and meetings (no limit)
- Self-study courses (no limit)
- Vendor sales/marketing presentations (10-hour annual limitation)
- Teaching, lecturing or presenting (no limit)
- Publication of articles, monographs and books (no limit)
- Exam question development and review (no limit)
- Passing related professional examinations (no limit)
- Working on ISACA boards/committees (20-hour annual limitation per ISACA certification)
- Contributions to the IS audit and control profession (20-hour annual limitation total for all related activities)
- Mentoring (10-hour annual limitation)
You earn one CPE hour for each 50 minutes of active participation (excluding lunches and breaks). For example, if you attend an eight-hour information security training session (480 minutes) with 90 minutes of breaks, you'll earn 7.75 CPE credits.

Remember that every activity must relate to CISA's domains and job practice areas. With the 2024 update to the CISA job practice areas, make sure your CPE activities align with the current domains:
- Information Systems Auditing Process (18%)
- Governance and Management of IT (18%)
- Information Systems Acquisition, Development and Implementation (12%)
- Information Systems Operations and Business Resilience (26%)
- Protection of Information Assets (26%)
How to report your CISA CPEs
Reporting earned CPE credits is simple:
- Log in at www.isaca.org
- Click on MY ISACA
- Click on MY CERTIFICATIONS
- Click on MANAGE MY CPE
- Scroll down and click the ADD CPE button
- Enter CPE activity information and click SAVE
The key requirement is reporting a minimum of 20 CPEs annually while earning a minimum of 120 CPEs during the three-year renewal cycle. For example, you can report 20 CPEs in each of the first two years and 80 CPEs in the final year. However, you cannot report only 15 CPEs in each of the first two years and 90 CPEs in the last year: the total still reaches 120, but the first two years fall below the 20-CPE annual minimum. Here are acceptable CPE reporting scenarios:
Year 1 | Year 2 | Year 3 | Total CPEs over 3 years |
---|---|---|---|
20 | 20 | 80 | 120 |
20 | 50 | 50 | 120 |
40 | 40 | 40 | 120 |
60 | 20 | 40 | 120 |
80 | 20 | 20 | 120 |
What happens if my CISA certification is revoked?
Not complying with CISA's CPE policy will result in the revocation of your CISA designation, meaning you can no longer present yourself as a CISA. If this happens, don't panic. You may be able to regain your certification.
ISACA accepts appeals from individuals whose certification has been revoked due to CPE policy noncompliance. You'll need to send a written appeal to certification@isaca.org. The appeal must include a detailed explanation of your reinstatement request and CPE documentation from the cycle period since revocation to the current year.
This should be a last resort, as it requires an additional $50 fee and there's no guarantee your appeal will be accepted.

Keep your CISA certification active
Having a valid CISA certification helps you stand out in the IT and IS auditor market. Don't risk losing it by missing simple maintenance requirements. Check your ISACA certifications page regularly to confirm you've reported CPEs and paid your maintenance fee.
With the 2024 update to the CISA job practice areas, staying current with your professional education matters more than ever. The revised domains reflect industry changes, with increased emphasis on Information Systems Operations and Business Resilience (26%) and Protection of Information Assets (26%), showing the growing importance of cybersecurity and business continuity in IT auditing.
Ready to take the next step in your IT audit career? Explore these resources:
- Free ebook: Cybersecurity certification and skills roadmap
- Free ebook: Cybersecurity salary guide
- Free webinar: ISACA career path: The highest paying certifications in the industry
- Certification training: CISA Boot Camp