Maintaining your CISA certification: Renewal requirements [Updated 2019]

July 11, 2019 by Claudio Dodt

ISACA’s Certified Information Systems Auditor (CISA) certification is a high-level IS audit credential that is considered, both by individuals and organizations, the preferred certification program for IT auditors.

As expected, earning this credential is no easy task! Candidates have four hours to excel in a 150-question certification exam that covers five different domains. But that is just the first part! After passing the exam, it is also necessary to provide proof of at least five years of experience in IS audit, control, assurance or security, and to adhere to ISACA’s Code of Professional Ethics.

The point is, becoming a CISA is quite a challenge, and once you have accomplished that, it makes no sense to lose such a distinguished credential by simply not following the compliance requirements for its maintenance. In truth, compared to what you have done so far to obtain the CISA certification, maintaining a valid credential is not hard. Here is an overview of how to do it.

Understanding ISACA’s continuing professional education (CPE) policy

One of the key reasons why the CISA certification is so well respected is that the central rationale behind the exam is ensuring IS auditors are ready to deal with real-world situations. That concept is the core of ISACA’s continuing professional education (CPE) policy, as its main goal is ensuring all CISAs maintain an adequate level of current knowledge and proficiency in the field of information systems audit, control and security.

According to ISACA, by complying with the CPE policy, professionals are continuously trained to better assess information systems and technology and to provide leadership and value to their organization.

What are the CISA CPE maintenance requirements?

Maintaining your certification is quite simple: Per CISA’s CPE policy requirements, it is necessary to comply with the following items to retain certification:

  • Earn and report a minimum of twenty (20) CPE hours per year
  • Obtain and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting period
  • Submit annual CPE maintenance fees to ISACA international headquarters in full ($45 for ISACA members and $85 for non-members)
  • Be ready to respond and submit required documentation of CPE activities, if selected for the annual audit
  • Continuously comply with ISACA’s Code of Professional Ethics
  • Continuously abide by ISACA's IT auditing standards

How long is the CISA certification good for?

A full CISA renewal cycle takes three years. This means paying the maintenance fee three times (once every year), and also reporting the CPEs earned every year. Please note it is not possible to make a single payment for the three-year period or to report the required 120 CPE hours only once. Failing to meet these annual requirements may result in the revocation of an individual’s CISA designation.

How do I earn CISA CPEs?

While paying the maintenance fee is quite a straightforward task, earning continuing professional education (CPE) credits is limited to selected educational activities, including technical and managerial training.

It is important to note that educational activities must be directly applicable to the assessment of information systems or the improvement of audit, control, security or managerial skills in CISA job practices, otherwise they will not be qualified by the CISA Certification Committee, the entity responsible for setting the CPE requirements.

There are numerous options for earning CPEs, including the following categories of activities:

  • ISACA professional education activities and meetings (no limit)
  • Non-ISACA professional education activities and meetings (no limit)
  • Self-study courses (no limit)
  • Vendor sales/marketing presentations (10-hour annual limitation)
  • Teaching/lecturing/presenting (no limit)
  • Publication of articles, monographs and books (no limit)
  • Exam question development and review (no limit)
  • Passing related professional examinations (no limit)
  • Working on ISACA boards/committees (20-hour annual limitation per ISACA certification)
  • Contributions to the IS audit and control profession (20-hour annual limitation in total for all related activities for CISA reported hours)
  • Mentoring (10-hour annual limitation)

For these activities, a CPE hour is earned for each fifty (50) minutes of active participation (excluding lunches and breaks). For example, a CISA taking an Information Security training for 8 hours (480 minutes) with 90 minutes of breaks will earn 7.75 CPEs.

Again, it is important to remember every activity must be related to CISA’s domains/job practice areas, otherwise it will not be accepted.

How do I report my CISA CPEs?

Reporting on earned CPEs is quite simple:

  • Log in at
  • Click on MY ISACA
  • Click on Manage My CPE
  • Scroll down, then click on Add CPE button
  • Enter CPE activity information and click Save

One key point to remember is that it is necessary to report a minimum of 20 CPEs per year, and earn a minimum of 120 CPEs during the three-year renewal cycle. For example, while it is acceptable to report 20 CPEs during the first two years, and 80 CPEs in the last year of the renewal cycle, it is not possible to report only 15 CPEs for the first two years and 90 CPEs in the last year of the cycle. The table below could be used as a reference for minimal CPE reporting scenarios:

Can I regain membership if my certification has been terminated?

Not complying with CISA’s CPE policy will lead to revocation of an individual’s CISA designation, meaning you will no longer be allowed to present yourself as a CISA. If that is your case, do not panic! There is still a slight chance of getting back your certification.

ISACA is open to appeals from individuals whose certification has been revoked due to noncompliance with the CPE policy. It is necessary to send a written appeal notification to The appeal must include a detailed explanation of the reinstatement request, as well as CPE documentation from the cycle period since revocation to current year.

This should be considered as a last resort, as it incurs an additional $50 fee and there is no guarantee your appeal will be accepted.


Having a valid CISA certification is a sure way of standing out in the IT/IS auditor market, so the idea of having it revoked by not complying with a few simple requirements should be more than sufficient motivation for checking out your ISACA MY CERTIFICATIONS page to find whether you still need to report CPEs and if the maintenance fee has been duly paid.



Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years' worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.