📋 Table of Contents
- What ISACA Requires: The Numbers
- How ISACA's CPE Categories Work
- Online Learning Activities (Activities 1-7)
- Reading and Self-Study Activities (Activities 8-11)
- Teaching, Presenting, and Publishing (Activities 12-16)
- Volunteer and Professional Activities (Activities 17-20)
- Tracking and Submitting Your CPE
- Frequently Asked Questions
What ISACA Requires: The Numbers
Keeping your CISM active means satisfying ISACA's Continuing Professional Education (CPE) program. The core requirement is straightforward:
| Requirement | Amount | Notes |
|---|---|---|
| Total CPE hours per 3-year cycle | 120 hours | Averaged across your 3-year certification period |
| Minimum CPE hours per year | 20 hours | Cannot roll surplus hours from prior years to satisfy this |
| Reporting deadline | December 31 each year | Hours must be logged in ISACA's CMS by year-end |
| Annual maintenance fee | $45 (member) / $85 (non-member) | Separate from CPE; due by January 15 each year |
The 20-hour annual minimum is a hard floor. If you bank 40 hours in year one but only 10 in year two, you are out of compliance in year two regardless of your running total. Plan around the annual requirement first, then think about the 3-year total.
For the full renewal overview -- fees, grace periods, and what happens if your certification lapses -- see the CISM Renewal Requirements guide.
How ISACA's CPE Categories Work
ISACA groups qualifying activities into five broad categories. Most activities fall cleanly into one of them, but a few overlap. Understanding the categories helps you plan your CPE portfolio and avoid surprises during an audit.
| Category | Examples | Annual Limit |
|---|---|---|
| Group A: Educational Activities | Conferences, seminars, webinars, workshops, college/university courses | No cap |
| Group B: Vendor or Sales Presentations | Vendor briefings, product demos, sponsored webcasts with educational content | 10 hours/year max |
| Group C: Self-Study Programs | Books, articles, recorded courses, reading ISACA publications | No cap (verifiable programs); 10 hours/year (informal reading) |
| Group D: Teaching, Lecturing, or Presenting | Instructing a course, presenting at a chapter meeting, mentoring (formal) | No cap for first-time delivery; no credit for repeat teaching of same content |
| Group E: Authoring and Publishing | Books, articles, white papers, exam item writing for ISACA | No cap |
All CPE activities must relate to information security -- the closer the tie to CISM's four domains (Governance, Risk Management, Information Security Program, Incident Management), the cleaner the justification during an audit. General project management or business strategy courses typically do not qualify unless they have a clear security governance angle.
Online Learning Activities (Activities 1-7)
Online learning is the highest-ROI CPE source for most working professionals: no travel, no conference registration fee, and the content is available on demand. All of the following fall under Group A (Educational Activities) or Group C (Self-Study), depending on whether they are instructor-led or self-paced.
Activity 1: ISACA Webinars (Free for Members)
ISACA hosts dozens of live webinars per year on topics including governance, risk management, incident response, and emerging technologies. Members attend free; non-members pay $50-$150 per session. Each 60-90 minute webinar generates 1-1.5 CPE hours. ISACA sends a certificate of completion automatically. This is the single lowest-effort CPE source available -- a 30-minute registration and you have a pre-approved, documented activity.
Activity 2: ISACA Online Learning Library
ISACA's online learning portal includes self-paced courses aligned directly to CISM domains. Courses range from 2-8 hours. Completion certificates are generated automatically and the activity is pre-coded to ISACA CPE categories, which simplifies documentation. The library is included in ISACA's CSX (Cybersecurity Nexus) membership tier.
Activity 3: Coursera and edX Security Courses
University-quality courses from institutions like Johns Hopkins, UC San Diego, and NYU are available on Coursera and edX with audit options (free) or graded tracks ($49-$299). A 10-week course at 3-5 hours per week yields 30-50 CPE hours -- more than enough to cover your annual requirement from a single enrollment. Document with the course completion certificate and a description tying the content to CISM domains.
Activity 4: LinkedIn Learning Security Courses
LinkedIn Learning has a solid catalog of information security governance, risk management, and compliance courses. Individual courses run 2-6 hours. A LinkedIn Premium subscription ($40/month) gives unlimited access. Save your completion certificates -- LinkedIn exports them in a format that works well for ISACA audit documentation.
Activity 5: Cybrary Free Courses
Cybrary offers free access to security courses including dedicated CISM prep content. For renewal purposes, any security-aligned course qualifies -- you are not limited to CISM-specific material. Cybrary's free tier is sufficient for CPE purposes; the paid subscription unlocks assessments and structured paths.
Activity 6: SANS Reading Room and Recorded Presentations
SANS publishes free white papers, research reports, and recorded webcasts on a wide range of security topics. Reading a SANS white paper and documenting the time spent counts as self-study CPE (Group C). Recorded SANS webcasts count as Group A. SANS does not issue CPE certificates for free white paper consumption, so maintain your own log with title, date, and time spent.
Activity 7: Pluralsight Security Learning Paths
Pluralsight offers curated learning paths for security governance, risk, and compliance. Paths covering NIST CSF, ISO 27001, or COBIT are directly relevant to CISM's Governance domain. Pluralsight tracks completion time and exports certificates. An annual subscription runs $299-$499; many employers reimburse it under a professional development budget.
Reading and Self-Study Activities (Activities 8-11)
Self-study CPE falls under Group C. ISACA allows up to 10 hours per year from informal reading (no certificate), with no cap on structured self-study programs that produce a completion record.
Activity 8: Reading ISACA Publications
ISACA publishes the ISACA Journal six times per year and a steady stream of white papers, research reports, and framework guidance (COBIT, NIST, ISO). Reading these and logging the time counts toward CPE. Track your reading in a spreadsheet: publication title, date, and time spent. For the informal reading cap, 10 articles at 45-60 minutes each gets you to the 10-hour annual limit.
Activity 9: Security Books and Textbooks
Reading an information security book cover to cover typically generates 8-15 CPE hours of self-study credit. Books with a direct governance, risk, or program management angle are the cleanest fit: think titles covering ISO 27001, enterprise risk management, or security leadership rather than penetration testing. Log reading time as you go, and keep the book (or purchase record) as documentation.
Activity 10: Completing an ISACA Review Manual
Working through the CISM Review Manual -- or the review manual for CISA or CRISC -- counts as self-study CPE even if you are already certified. Some holders complete the manual annually as a refresher and CPE vehicle simultaneously. A full pass through the CISM Review Manual at 3-4 hours per week for 8 weeks yields 24-32 hours.
Activity 11: Recorded Conference Sessions (On Demand)
Many security conferences -- including RSA, InfoSecurity Europe, and ISACA's own GRC Conference -- publish session recordings after the event. Watching recorded sessions from a formal conference qualifies as Group A educational activity, not informal self-study, and is not subject to the 10-hour cap. Retain the session title, conference name, and approximate duration in your log.
Teaching, Presenting, and Publishing (Activities 12-16)
Activities where you produce or deliver security content -- rather than consume it -- fall under Groups D and E. These generate CPE hours at a favorable ratio and also build professional visibility. Note that ISACA credits preparation time as well as delivery time for original presentations and first-time course development.
Activity 12: Presenting at an ISACA Chapter Meeting
Local and virtual ISACA chapter meetings actively recruit speakers. A 45-60 minute presentation on a security governance, risk, or incident management topic earns Group D CPE hours for the delivery time -- plus additional hours for preparation (ISACA allows 2 hours of prep credit for each hour of original first-time presentation). Presenting twice a year at chapter meetings can generate 9-12 CPE hours with minimal cost.
Activity 13: Teaching a Security Course or Workshop
If you teach a security course at a university, community college, or corporate training program, you earn CPE hours for the instruction time. For a 3-credit university course meeting 3 hours per week over 15 weeks, the delivery time alone is 45 hours -- well above the annual minimum. Preparation hours for original content may also be claimed. Repeat teaching of the same course in subsequent years earns only delivery hours, not preparation hours again.
Activity 14: Writing a Security Article or Blog Post
Publishing a security-related article in a journal, trade publication, or recognized security blog qualifies under Group E. ISACA credits the time spent writing and researching, not page count. A 2,000-word technical article typically takes 4-8 hours to research and draft, generating 4-8 CPE hours. Keep your draft notes, final published URL, and time log as documentation.
Activity 15: Contributing to an ISACA White Paper or Framework
ISACA regularly recruits volunteers to contribute to white papers, guidance documents, and framework updates. Contributors earn CPE hours for the time invested, and the work falls under Group E (authoring). Contact your ISACA chapter or the ISACA headquarters volunteer portal to find active projects. This is one of the higher-prestige CPE activities and often leads to additional networking and visibility.
Activity 16: Writing ISACA Exam Items
ISACA recruits subject matter experts to write and review exam questions (items) for the CISM, CISA, CRISC, and other exams. Item writing workshops typically run 2-3 days and generate 16-24 CPE hours. ISACA provides documentation automatically. This activity is by invitation or application through the ISACA volunteer program -- search "Exam Development Volunteer" on the ISACA website.
Volunteer and Professional Activities (Activities 17-20)
ISACA chapter leadership and certain professional activities also qualify. Group B (vendor presentations) is capped at 10 hours per year; professional activity credits vary by type.
Activity 17: ISACA Chapter Leadership and Volunteering
Serving on an ISACA chapter board -- as a director, committee chair, or working group member -- generates CPE hours for time spent on chapter activities. Keep a log of meeting attendance and project hours. Chapter leadership roles typically generate 10-20 CPE hours per year from meetings, planning sessions, and event organization alone.
Activity 18: Vendor Security Briefings and Product Training
Security vendor briefings -- product demos, solution workshops, sponsored webcasts -- qualify as Group B CPE when the content is substantively educational rather than purely commercial. The 10-hour annual cap applies. These are easy to accumulate if you are involved in vendor selection or security tool evaluation; log each session with vendor name, topic, and duration. Most vendors will provide an attendance confirmation on request.
Activity 19: Peer Mentoring (Formal, Documented)
Formally mentoring a colleague pursuing CISM or other security certifications qualifies as Group D activity when the relationship is structured and documented. ISACA recommends maintaining a mentoring agreement or log that records meeting dates, topics discussed, and hours. Informal hallway conversations do not count; a structured 6-month mentoring engagement with documented sessions does.
Activity 20: Security Task Forces and Industry Working Groups
Participation in industry working groups -- such as FS-ISAC (Financial Services), H-ISAC (Healthcare), or ISACs in other sectors -- qualifies as CPE when the work is directly related to information security. Similarly, contributing to NIST comment periods, public standards development bodies, or sector-specific security frameworks earns CPE for documented participation time. These activities often generate CPE naturally if you are already involved in industry organizations.
Tracking and Submitting Your CPE
ISACA requires holders to log CPE hours through the Certification Maintenance System (CMS) on the ISACA website. The workflow is straightforward, but a few practical notes save time:
- Log as you go, not at year-end. Certificates expire, URLs change, and memory fades. Add each activity to your CMS log within a few days of completion.
- Keep backup documentation. ISACA audits a random subset of certificates annually. For each logged activity, save the completion certificate (or a screenshot), the activity title, date, and hours in a personal folder. Certificates from courses, webinars, and conferences are the cleanest evidence.
- For self-study without certificates, maintain a reading log: date, publication title, time spent. This is your audit evidence. ISACA does not require external verification for Group C informal reading -- your own log is sufficient.
- Check your CMS total before December 31. The reporting period closes on December 31. Hours submitted after that date count toward the following year, not the year in which the activity occurred.
- Keep records for three years. ISACA can audit CPE claims up to three years back. Do not delete documentation after you submit it to CMS.
A simple spreadsheet with columns for Date, Activity Title, Category, Hours, and Documentation Reference is all you need for day-to-day tracking. Export the spreadsheet to a PDF once a year and store it with your certificates.
Frequently Asked Questions
Do all CPE activities have to be about CISM specifically?
No. CPE activities must be related to information security broadly -- they do not need to map directly to CISM exam content. Courses covering cloud security, privacy law, zero-trust architecture, or enterprise risk management all qualify, provided they have a clear information security angle. General business, project management, or technology topics without a security tie-in do not qualify.
Can I claim CPE for passing a new certification?
Yes, with nuance. ISACA allows CPE credit for the study time invested in passing a new certification, not for the act of passing it. You need to estimate and document your preparation hours (study time, practice exams, course work) and log those under the appropriate CPE category. There is no automatic credit for the credential itself.
Can I earn CPE from my day job?
Rarely, and carefully. Routine job duties do not qualify as CPE -- ISACA explicitly excludes standard work experience from the program. However, certain job-adjacent activities do qualify: presenting at an internal security awareness training, leading a formal tabletop exercise as an instructor (not just as a participant), or contributing to a published security policy or white paper.
What happens if I submit false CPE hours?
Submitting inaccurate or fabricated CPE records is an ISACA Code of Professional Ethics violation. Confirmed falsification results in certification revocation and may be reported to employers. ISACA audits randomly; the documentation burden is low enough that fabrication is both unnecessary and significantly riskier than just completing legitimate activities.
How many CPE hours do ISACA webinars generate per year if I attend all of them?
ISACA typically hosts 40-60 webinars per year across its certification programs. At 1-1.5 hours each, attending all of them would generate 40-90 CPE hours annually -- well above the 20-hour minimum. In practice, most holders attend 5-15 webinars per year, generating 8-20 hours, and fill the remainder with online courses or self-study.
Do CPE hours transfer between ISACA certifications?
If you hold multiple ISACA certifications (for example, CISM and CISA), you can apply the same CPE activity toward both certifications in the same reporting period, provided the content is relevant to both. Log the activity once in CMS and apply it to each applicable certification. You do not need to complete double the hours to maintain two ISACA credentials simultaneously.
What is the fastest way to earn 20 CPE hours in one month?
The most efficient path: complete a 10-12 hour online course (Coursera, edX, or ISACA Online Learning), attend 3-4 ISACA webinars (4-6 hours), and read two SANS or ISACA publications (2-3 hours). That combination hits 20 hours in under four weeks without any travel or significant expense -- especially if you are an ISACA member with free webinar access.