Earning the CISM is hard. Keeping it shouldn't be a mystery. Yet every year, certified professionals let their CISM lapse — not because they stopped learning, but because they didn't understand the renewal mechanics until it was too late.
This guide covers everything you need to know about CISM renewal requirements in 2026: how many CPE hours you need, how the three-year cycle works, what ISACA's annual fees are, which activities count toward your CPE total, what happens if you miss a deadline, and the fastest legitimate strategies for earning your 20 hours before December 31st.
📋 Table of Contents
- CISM Renewal at a Glance
- CPE Hour Requirements
- Annual Maintenance Fees (2026)
- CPE Categories: What Counts?
- Reporting Deadlines & Mechanics
- How It Works for Newly Certified CISMs
- What Happens If Your CISM Lapses
- Non-Practicing Status Explained
- 12 Ways to Earn CPE Hours Efficiently
- Frequently Asked Questions
CISM Renewal at a Glance
ISACA uses a rolling three-year certification cycle to maintain the CISM. Unlike some certifications with rigid renewal dates, your CISM cycle is tied to the calendar year — not your exam date. Here's the core summary:
📅 CPE Requirements
- Annual minimum: 20 CPE hours/year
- 3-year total: 120 CPE hours
- 1 CPE hour = 50 minutes of active participation
- Minimum increment: quarter-hour (15 min)
- Carryover? No, excess hours don't roll over
💳 Annual Maintenance Fee
- ISACA members: $45/year
- Non-members: $85/year
- 3rd+ cert (members): $25/year
- 3rd+ cert (non-members): $50/year
- Due date: January 1 each year
CPE Hour Requirements
The CISM requires 120 Continuing Professional Education (CPE) hours over a three-year reporting cycle, with a mandatory minimum of 20 CPE hours per year. Both thresholds matter — you can't front-load 60 hours in year one and coast through years two and three.
The Three-Year Cycle
ISACA uses consecutive three-year reporting periods. Your cycle runs on the calendar year — January 1 through December 31. Each period requires 120 total CPE hours, and your annual 20-hour minimum resets every January 1st.
Example Three-Year Cycle (2025–2027)
- Year 1 (2025): minimum 20 CPE hours reported
- Year 2 (2026): minimum 20 CPE hours reported
- Year 3 (2027): minimum 20 CPE hours reported
- 3-year total: 120 CPE hours cumulative
- Excess hours: do NOT carry over to the next 3-year period
What Counts as One CPE Hour?
One CPE hour is awarded for every 50 minutes of active participation in a qualifying educational activity; breaks are excluded. Hours can be reported in quarter-hour increments, so a webinar scheduled for 90 minutes that delivers 75 minutes of active participation (breaks excluded) earns 1.5 CPE hours.
The CPE hours must be relevant to CISM knowledge domains: information security governance, risk management and compliance, information security program development, and incident management. Tangentially related topics in general IT management, privacy law, or business continuity typically qualify if they contribute to your ability to perform CISM-related tasks.
Annual Maintenance Fees (2026)
ISACA charges an annual maintenance fee to keep your CISM certification active. This fee is separate from ISACA membership dues — it's a certification-specific charge that goes toward maintaining the CISM program.
| Certification Count | ISACA Member | Non-Member |
|---|---|---|
| 1st or 2nd ISACA certification | $45/year | $85/year |
| 3rd certification and beyond | $25/year | $50/year |
The discount for holding multiple ISACA certifications applies to the third and any subsequent certifications. So if you hold CISM, CISA, and CRISC, your third certification (e.g., CRISC) would cost $25/year instead of $45 if you're a member.
When Is the Fee Due?
The annual maintenance fee is due by January 1st each year for the upcoming calendar year. ISACA begins sending invoice notifications via email (and postal mail) starting in September. You can pay through the ISACA Certification Dashboard at isaca.org.
Is ISACA Membership Worth It for Renewal Savings?
If you hold one CISM, ISACA membership saves you $40/year on the maintenance fee ($85 non-member vs. $45 member). ISACA membership typically costs $135–$185/year, so the math only works if you also value the chapter access, conference discounts, journal subscriptions, and networking benefits — not just the fee differential.
If you hold two or more ISACA certifications and actively use member benefits (especially CPE-earning webinars and conference discounts), membership pays for itself. See our full CISM certification cost breakdown for a detailed total-cost comparison.
CPE Categories: What Counts?
ISACA recognizes several categories of CPE-earning activities. There's no minimum number of hours required in any single category — you can mix and match, or fulfill all 120 hours from one source if you prefer.
Category 1: ISACA Professional Education Activities
Activities sponsored or conducted by ISACA carry no annual limit. This includes:
- ISACA conferences (CISM-related tracks)
- ISACA chapter seminars and workshops
- ISACA chapter meetings (with educational content)
- ISACA online eLearning events and virtual conferences
- ISACA webinars
A single ISACA conference event can award up to 32 CPE credits.
Category 2: Non-ISACA Professional Education Activities
Third-party training with educational content relevant to CISM domains also qualifies, with no annual limit:
- University courses and graduate-level classes (15 CPE per semester credit hour; 10 CPE per quarter credit hour)
- In-house corporate training programs
- Security conferences (RSA, Black Hat, SANS, etc.) with relevant sessions
- Vendor-sponsored training with substantive educational content (not pure sales)
- Certification exam prep courses for complementary certifications
Category 3: Self-Study
Structured self-study programs that provide a certificate of completion earn CPE hours. This is the most flexible category and carries no annual limit:
- ISACA Journal article quizzes (published in the quarterly ISACA Journal)
- Online eLearning courses (Coursera, LinkedIn Learning, SANS, Cybrary, etc.)
- Reading books relevant to CISM domains (with documentation of reading time)
- Participating in relevant online communities and forums (with documented hours)
- Watching educational webinar recordings
Category 4: Teaching, Lecturing, and Publishing
Creating and sharing knowledge earns CPE hours, often at a multiplied rate:
- Instructing a course or workshop on a CISM-relevant topic
- Presenting at a security conference
- Writing security-related articles, whitepapers, or books
- Developing courseware or training materials
Hours are generally calculated at 2 CPE per hour of preparation/presentation time (check ISACA's CPE Policy for current multipliers).
Category 5: Volunteer Work to ISACA
Contributing to the ISACA organization earns CPE credit:
- Serving on ISACA committees or task forces
- Serving as an item writer for ISACA certification exams
- ISACA chapter board service
- Mentoring ISACA certification candidates
Reporting Deadlines & Mechanics
CISM CPE hours are reported through the ISACA Certification Dashboard (my.isaca.org). The reporting period runs January 1 through December 31 each year. Both your annual CPE requirement and your annual maintenance fee follow the calendar year.
Annual Reporting Timeline
📆 Key Dates Each Year
- January 1: annual maintenance fee due; new CPE year begins
- September–November: ISACA sends renewal invoices via email and mail
- December 31: annual CPE reporting deadline (20-hour minimum)
- End of 3-year cycle: 120-hour total must be met; no carryover to next cycle
How CPE Hours Are Reported
You log CPE activities directly in the ISACA Certification Dashboard. For each entry, you'll record the activity name, provider, category, date, and number of CPE hours claimed. ISACA doesn't require you to upload documentation at time of entry — but if you're audited, you'll need it on demand.
CPE hours can be entered throughout the year. There's no need to wait until December — logging hours as you earn them is the easiest way to stay on track and avoid the year-end scramble.
How It Works for Newly Certified CISMs
If you pass the CISM exam in 2026, your formal three-year certification cycle begins on January 1, 2027 — not on your exam date. Here's how the transition year works:
- Any CPE hours you earn between your certification date and December 31, 2026 can be applied toward your first reporting period (2027–2029)
- You are not required to meet the 20-hour annual minimum in your initial partial year
- You will owe the annual maintenance fee starting January 1, 2027
- Starting January 1, 2027, you must meet the 20-hour annual minimum every year
What Happens If Your CISM Lapses
Missing either the CPE requirement or the annual maintenance fee payment results in revocation of your CISM designation. Once revoked, you lose the right to use the CISM credential and must take action to reinstate it.
Revocation Process
ISACA doesn't revoke certifications without notice. You'll receive multiple reminders about outstanding fees and CPE shortfalls. However, if you ignore these notices, ISACA will formally revoke the certification.
Reinstatement After Revocation
To reinstate a revoked CISM, you must:
- Pay all outstanding annual maintenance fees (for years missed)
- Pay a $50 reinstatement fee per certification
- Meet the CPE requirements for the periods in question (or submit a compliance plan)
Reinstatement does not require retaking the CISM exam — as long as you meet the financial and CPE obligations. However, if your certification has been revoked for an extended period, ISACA may require additional steps. Contact ISACA Certification directly for guidance specific to your situation.
Non-Practicing Status: An Option for Career Breaks
If you're taking an extended break from information security work — career pivot, parental leave, sabbatical — ISACA offers a Non-Practicing status for CISM holders.
Under Non-Practicing status:
- You are exempt from the CPE hour requirements
- You must still pay the annual maintenance fee ($45 member / $85 non-member)
- You cannot actively use the CISM designation in a professional context
- Returning to active status requires meeting CPE obligations going forward
This is a useful option for professionals transitioning out of security roles who want to preserve their CISM for future use. Contact ISACA to apply for Non-Practicing status — it's not automatic.
12 Ways to Earn CISM CPE Hours Efficiently
Meeting the 20-hour annual minimum doesn't require expensive conferences or weeks away from work. Here are twelve practical strategies to earn CISM CPE hours without breaking the bank:
Free and Low-Cost Options
- ISACA webinars: ISACA hosts regular free webinars for members covering governance, risk, compliance, and security management. Each typically earns 1–2 CPE hours.
- ISACA Journal quizzes: Each quarterly ISACA Journal issue includes a quiz that earns CPE credit for members who complete it — free and accessible online.
- ISACA chapter events: Local ISACA chapter meetings and workshops count toward CPE. Chapters often host monthly events with speaker presentations.
- LinkedIn Learning / Coursera: Courses on information security management, GRC, privacy, and risk management qualify. A 20-hour professional certificate program can satisfy an entire year's requirement.
- Vendor webinars: Security vendor webinars on GRC tools, cloud security governance, and risk management typically qualify when they have substantive educational content.
- Security podcasts (documented listening): Some CISM holders count structured podcast learning toward self-study CPE — document what you listened to, when, and for how long.
Professional Development Options
- SANS courses: Courses like MGT512 (Security Leadership Essentials) are directly aligned to CISM domains and can earn 30+ CPE hours in a single week.
- Complementary certification prep: Studying for CISSP, CISA, or CRISC earns CPE hours if the content overlaps with CISM domains. If you hold CISSP, the CPE you earn for CISSP renewal may partially overlap — check ISACA's policy. For more, see our CISM vs CISSP comparison.
- University courses: A single graduate course in information security management, risk, or privacy earns 15 CPE hours per semester credit — one course can satisfy 40–75% of your annual requirement.
- Write and publish: Writing a security blog post, whitepaper, or article for a professional publication earns CPE hours for both preparation and publication time.
- Present at a conference: Speaking at a security conference — even a local or virtual one — earns CPE hours for preparation and delivery. One presentation can be worth 4–8 CPE hours.
- Mentor a CISM candidate: Volunteering to mentor someone studying for the CISM earns CPE hours for ISACA volunteer service and reinforces your own knowledge.
Frequently Asked Questions
Can I carry excess CPE hours to my next three-year cycle?
No. ISACA does not allow excess CPE hours from one three-year reporting cycle to carry over to the next. If you earn 150 CPE hours in a cycle, only 120 count; the other 30 are forfeited. Plan your CPE activity accordingly in the final year of each cycle.
What if I miss the annual 20-hour minimum but still hit 120 over three years?
Both requirements are independently enforced. Meeting the 120-hour three-year total does not excuse a missed annual minimum. If you earn 10 hours in Year 1 and 110 hours spread over Years 2 and 3, you're technically out of compliance for Year 1 — even if your three-year total is correct. Aim to hit at least 20 hours every calendar year.
Can I use CISSP CPE hours for my CISM renewal?
You earn CPE hours separately for each certification. An activity that qualifies for CISSP CPE (ISC² CPD) can also qualify for CISM CPE if it falls within CISM's relevant subject areas — but you report them independently to each organization. The same activity doesn't automatically satisfy both programs; you need to log it with both ISC² and ISACA separately. See our CISM vs CISSP comparison for more on managing dual certifications.
How does ISACA verify CPE hours?
ISACA uses a random audit system. If selected, you'll be required to provide documentation for all reported CPE activities — certificates of completion, conference agendas, transcripts, or other verifiable records. ISACA does not audit every submission, but false reporting violates the ISACA Code of Professional Ethics and can result in revocation.
What's the difference between the annual maintenance fee and ISACA membership?
The annual maintenance fee ($45/$85) is paid specifically to maintain your CISM certification and is billed by ISACA's Certification team. ISACA membership ($135–$185/year) provides general member benefits like chapter access, journal subscriptions, and conference discounts. You can be an ISACA member without holding a certification, and you can hold a CISM without being an ISACA member — though membership saves $40/year on the maintenance fee.
Is there a grace period if I miss the January 1 fee deadline?
ISACA typically sends multiple reminders before taking action, but there is no formally published grace period. The safest approach is to pay before January 1. If you receive a late notice, contact ISACA directly — they will often work with you before taking formal revocation action, especially for a first-time oversight.
Can I reinstate my CISM if it was revoked years ago?
Yes — reinstatement is possible without retaking the exam, as long as you pay outstanding maintenance fees plus the $50 reinstatement fee per certification and satisfy any outstanding CPE requirements. For long lapses (multiple years), contact ISACA Certification directly to get a specific reinstatement plan.