Maintaining your CSSLP: CPE and renewal requirements

Greg Belding
August 17, 2021 by
Greg Belding

The Certified Secure Software Lifecycle Professional (CSSLP) certifies that the holder has the expertise to add secure software practices into the software development lifecycle. An important factor for CSSLP holders to consider is that to hold the cert for more than three years is that they will have to comply with ISC2’s continuing professional education (CPE) policy and other renewal requirements to continue being a CSSLP holder. This article will explore the CSSLP CPE and renewal requirements, the CSSLP CPE policy overview, ways to earn CSSLP CPE credits, CSSLP maintenance fees and what happens if your CSSLP certification is revoked.

What are the CSSLP renewal requirements?

The CSSLP cert is good for three years from the date you earn it. Below is what is required for you to renew your CSSLP certification:

  • Satisfy the CSSLP CPE requirement (both the annual requirement (suggested) and three-year requirement)
  • Pay the CSSLP annual maintenance fee or AMF

CSSLP CPE policy overview

One of the CSSLP renewal requirements is that CSSLP certification holders satisfy the CPE requirement. To satisfy this requirement, you need to both earn and submit the minimum CPE credits. To make things easier for you in terms of budgeting your time, ISC2 has offered up suggested annual minimum CPE credits. The categories

  • Education (group A or B)
  • Contributions to the profession (group A)
  • Professional development (group B)
  • Unique work experience (group A)

Certifications are also not all alike and there are different levels for how much each certification holder needs to earn to satisfy their CPE requirement. Below are both the annual suggested CPE credit total and the three-year CPE credit total for the CSSLP certification:

Suggested annual total Three-year total

CSSLP Group A 20 60

Group A or B 10 30

Total Required 30 90

As you can see above, the CSSLP certification has required CPE totals for both group A and group B types of CPE. The important thing is not which type of CPE you earn but that you satisfy the required 60 CPE credits from group A and 30 CPE credits from group A or B. Please note that only members can earn group B credits.

Ways to earn CSSLP CPE credits

Education (group A or B)

CSSLP cert holders can earn CPE credits by consuming content found in self-directed learning activities the connect back to CSSLP. These activities include:

  • Books, magazines or whitepaper
  • Courses and seminarsHigher education course
  • ISC2 certification course
  • ISC2 professional development institute (PDI) course
  • Industry conference (in-person or virtual)
  • Online webinars, podcasts and other online offerings
  • Professional information security chapter meeting
  • Vendor presentation


  • The maximum number of credits you can earn for the following activities are:
    • Books: five CPE credits per book with a 250-word description
    • Magazine: five CPE credits per magazine issue with a 250-word description
    • Whitepaper: one CPE credit per paper with a 250-word description
  • Group A: one hour of participation related to the credential domains equals one CPE credit
  • Group B: one hour of participation related to non-domain related professional development equals one CPE credit
  • CPE credits may be reported in 0.25, 0.5, and 0.75 increments
  • The maximum number CPE credits per entry should not exceed 40
  • Some of these CPE activities are self-reported through the CPE portal and may be audited
  • The documentation required may be a 250-word description of what you learned or any of the following:
    • Course transcripts
    • Awarded diplomas
    • Certificates
    • Receipts of attendance
    • Copies of official meeting minutes
    • Rosters
    • Documentation of registration materials

Contributions to the profession (group A)

You can earn these group A CPE credits by creating new content, also known as creating new industry knowledge. Qualifying activities include:

  • Writing, researching and publishing
  • Preparation time for a webinar, podcast or presentation
  • Preparing new or updating existing training seminar or classroom material (excluding ISC2 official training materials)
  • Serving as SME, or subject matter expert for a panel discussion
  • Providing volunteer, non-compensated services to a non-employer or non-client customer related to your credential domains
  • Delivering ISC2 safe and secure online (SSO) presentations


  • The maximum number of CPE credits for qualifying activities are:
    • Books: 40 CPE credits per book as author, 20 as co-author and 10 as editor
    • Articles: 20 CPE credits per article as an author, 10 as co-author and five as editor
    • White paper: 10 CPE credits as an author, five as co-author and two as editor
    • SSO presentations: 10 CPE credits after completing two SSO presentations (one time only). After the first 2 presentations, members can earn one group A CPE credit per presentation
  • Rules related to hour-credential equivalent, CPE credit increments and self-reporting remain are the same as above (except there are no credits maximum)
  • Documentation
    • Copies of publications
    • Research/prep notes for speaking or teaching
    • Sample educational materials
    • Course agenda
    • Letter or certification from the organization served
    • Meeting minutes that indicate participation

Unique work experience (group A)

You can earn up to 10 group A CPE credits for activities performed during their regular working hours when they are engaged in unique projects, assignments, activities or exercises. This must fall outside your normal, day-to-day job responsibilities or job description.


  • Rules related to hour-credential equivalent, CPE credit increments and self-reporting remain are the same as above (10 CPE credit maximum)
  • Documentation
    • Proof of unique project or a brief description of 250-words maximum summarizing the project or activity

Professional development (group B)

This non-domain-related professional development focuses on enhancing professional skills such as management, project planning, interpersonal communication, team-building and more, and is not related directly to a domain within your credential and information security. Qualifying activities:

  • Chapter formation or management
  • Non-security industry conference
  • Non-security education courses and seminars
  • Non-security government/private sector/charitable organizations committees
  • Preparation for non-security presentation/lecture/training


  • Rules related to hour-credential equivalent, CPE credit increments and self-reporting remain are the same as above (40 CPE credit maximum)
  • Documentation
    • Letter, certification or other documentation from the organization served

CSSLP annual maintenance fees

Half of the CSSLP renewal requirements is that the CSSLP cert holder needs to pay an annual maintenance fee or AMF. The CSSLP AMF is $125 for members and $50 for associates. The AMF is due on the anniversary of the CSSLP certification date. Payments can be made:

  • With credit card or voucher in the member dashboard
  • Mailing a check to ISC2
  • Wire transfer

What happens if my CSSLP certification is revoked?

If your CSSLP certification is revoked you will lose your member status but the good thing is you can get it reinstated, and it is easier to do that now than in the past. To reinstate your membership (and the CSSLP), you need to pay all past due AMFs, fulfill all CPE requirements and pay a $600 reinstatement fee.

Once you earn your CSSLP certification, your responsibilities as a certification holder have only just begun. While you will not have to retake the certification exam for any reason, you will have to satisfy the CSSLP CPE requirements of earning 90 CPE credits and pay the CSSLP annual maintenance fee. This will probably seem like peanuts when you consider all that the CSSLP certification can do for you.



Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.