Maintaining your CGRC certification: CPE and renewal requirements

November 16, 2021 by Greg Belding

The Certified Authorization Professional, or CAP, is a Security Assessment and Authorization certification from ISC2. It certifies that the holder has expertise and advanced skills in the Risk Management Framework (RMF), Governance, Risk and Compliance (GRC), and authorizing and maintaining information systems using best practices, policies, and procedures. CAP is valid for three years, and cert holders must comply with ISC2’s Continuing Professional Education, or CPE, policy and other renewal requirements to remain CAP holders.

What are the CAP renewal requirements?

The CAP cert is good for three years from the date you earn it. Below is what is required for you to renew your CAP certification:

  • Satisfy the CAP CPE requirement (both the annual requirement (suggested) and three-year requirement)
  • Pay the CAP annual maintenance fee, or AMF

CAP CPE policy overview

One of the CAP renewal requirements is that CAP certification holders satisfy the continuing professional education, or CPE, requirement. To satisfy this requirement, you need to both earn and submit the minimum CPE credits. To make things easier for you in terms of budgeting your time, ISC2 has offered up suggested annual minimum CPE credits. The categories

  • Education (Group A or B)
  • Contributions to the Profession (Group A)
  • Professional Development (Group B)
  • Unique Work Experience (Group A)

Certifications are also not all alike, and there are different levels for how much each certification holder needs to earn to satisfy their CPE requirement. Below are both the annual suggested CPE credit total and the three-year CPE credit total for the CAP certification:

                  Suggested annual total    Three-year total
Group A           15                        45
Group A or B      5                         15
Total Required    20                        60

The CAP certification has required CPE totals for both Group A and Group B types of CPE. The important thing is not which type of CPE you earn but that you satisfy the required 45 CPE credits from Group A and 15 CPE credits from Group A or B. Please note that only members can earn Group B credits.

Ways to earn CAP CPE credits

Education (Group A or B)

CAP cert holders can earn CPE credits by consuming content found in self-directed learning activities connected to CAP. These activities include:

  • Books, magazines or whitepapers
  • Courses and seminars — other
  • Higher education course
  • ISC2 certification course
  • ISC2 Professional Development Institute (PDI) course
  • Industry conference (in-person or virtual)
  • Online webinars, podcasts, and other online offerings
  • Professional information security chapter meeting
  • Vendor presentation


The maximum number of credits you can earn for the following activities is:

  • Books — 5 CPE credits per book with a 250-word description
  • Magazine — 5 CPE credits per magazine issue with a 250-word description
  • Whitepaper — 1 CPE credit per paper with a 250-word description
  • Group A — 1 hour of participation related to the credential domains equals 1 CPE credit
  • Group B — 1 hour of participation related to non-domain related professional development equals 1 CPE credit
  • CPE credits may be reported in 0.25, 0.5, and 0.75 increments
  • The maximum number of CPE credits per entry should not exceed 40
  • Some of these CPE activities are self-reported through the CPE portal and may be audited
  • The documentation required may be a 250-word description of what you learned or any of the following:
    • Course transcripts
    • Awarded diplomas
    • Certificates
    • Receipts of attendance
    • Copies of official meeting minutes
    • Documentation of registration materials

Contributions to the profession (Group A)

You can earn these Group A CPE credits by creating new content and creating new industry knowledge. Qualifying activities include:

  • Writing, researching and publishing
  • Preparation time for a webinar, podcast, or presentation
  • Preparing new or updating existing training seminar or classroom material (excluding ISC2 official training materials)
  • Serving as SME or Subject Matter Expert for a panel discussion
  • Providing volunteer, non-compensated services to a non-employer or non-client customer related to your credential domains
  • Delivering ISC2 Safe and Secure Online (SSO) presentations


  • The maximum number of CPE credits for qualifying activities is:
    • Books — 40 CPE credits per book as author, 20 as co-author and 10 as editor
    • Articles: 20 CPE credits per article as an author, 10 as co-author, five as editor
    • White paper — 10 CPE credits as an author, five as co-author, two as editor
    • SSO presentations — 10 CPE credits after completing 2 SSO presentations (one time only). After the first two presentations, members can earn 1 Group A CPE credit per presentation
  • Rules related to hour-credential equivalent, CPE credit increments, and self-reporting are the same as above (except there is no credit maximum)
  • Documentation
    • Copies of publications
    • Research/prep notes for speaking or teaching
    • Sample educational materials
    • Course agenda
    • Letter of certification from the organization served
    • Meeting minutes that indicate participation

Unique work experience (Group A)

You can earn up to 10 Group A CPE credits for activities performed during your regular working hours when you are engaged in unique projects, assignments, activities or exercises. These must fall outside your normal, day-to-day job responsibilities or job description.


  • Rules related to hour-credential equivalent, CPE credit increments, and self-reporting are the same as above (10 CPE credit maximum)
  • Documentation
    • Proof of unique project or a brief description of 250 words maximum summarizing the project or activity

Professional Development (Group B)

This non-domain-related professional development focuses on enhancing management, project planning, interpersonal communication, team building, etc. It is not related directly to a domain within your credential or information security. Qualifying activities:

  • Chapter formation or management
  • Non-security industry conference
  • Non-security education courses and seminars
  • Non-security government/private sector/charitable organizations committees
  • Preparation for non-security presentation/lecture/training


  • Rules related to hour-credential equivalent, CPE credit increments, and self-reporting are the same as above (40 CPE credit maximum)
  • Documentation
    • Letter, certification, or other documentation from the organization served

CAP Annual Maintenance Fees

The other CAP renewal requirement is that the CAP cert holder pays an annual maintenance fee or AMF. The CAP AMF is $125 for members and $50 for associates. The AMF is due on the anniversary of the CAP certification date. Payments can be made:

  • With a credit card or voucher in the member dashboard
  • By mailing a check to ISC2
  • By wire transfer

What happens if my CAP certification is revoked?

If your CAP certification is revoked, you will lose your member status, but you can get it reinstated (and it is easier to do that now than in the past). Previously, suspended members had to reapply for CAP, retake the CAP certification exam, and repay the certification exam cost. To reinstate your membership (and the CAP), you need to pay all past due AMFs, fulfill all CPE requirements, as well as pay a $600 reinstatement fee.

Earning your CAP certification

Once you earn your CAP certification, your cert holder responsibilities have only just begun. While you will not have to retake the certification if you lose your certificate, you will have to satisfy the CAP CPE requirements of earning 60 CPE credits and pay the CAP annual maintenance fee. This easing of the CAP recertification process will be music to the ears of those who overlooked their certification maintenance requirements.

For more information on the CGRC certification (formerly CAP), check out our CGRC certification hub.


Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.