CISA - Certified Information Systems Auditor Practice Test

If you hold the CISA (Certified Information Systems Auditor) credential, continuing education isn't optional; it's the mechanism that keeps your certification active. ISACA's continuing professional education (CPE) requirements exist for practical reasons: information systems auditing evolves quickly, and a credential that doesn't require ongoing learning would quickly become disconnected from the realities of the field.

This guide covers what CISA CPE requirements actually look like, what activities qualify, how the renewal process works, and what happens if you fall behind. Whether you're newly certified or approaching a renewal deadline, understanding the system helps you stay in good standing without scrambling at the last minute.

CISA CPE Requirements: The Basics

ISACA requires CISA holders to complete a minimum of 120 CPE hours over each three-year certification period, with a minimum of 20 CPE hours per year. Both thresholds matter: you can't stockpile 120 hours in one year and skip the next two years. The annual minimum of 20 hours is independently required.

The certification period runs on a calendar-year basis. Your certification is renewed annually by December 31, with CPE hours and fees due by that date. This is different from some certifications that renew based on your initial certification date; ISACA uses a consistent calendar-year cycle for all CISA holders.

The fee structure involves an annual maintenance fee. ISACA members pay a lower maintenance fee than non-members, which is one practical reason to maintain ISACA membership throughout your certification period.

What Activities Qualify for CISA CPE Credit?

ISACA defines qualifying CPE activities broadly. The key requirement is that the activity must be relevant to your professional responsibilities as an information systems auditor. Here are the main categories:

Formal education: College and university courses relevant to IS auditing, control, security, or governance. A graduate course in cybersecurity, IT governance, or information management would typically qualify.

ISACA-sponsored training: ISACA's own training courses, webinars, conferences, and chapter events are pre-approved for CPE credit. The ISACA CISA Review Course and CSX (Cybersecurity Nexus) offerings qualify. Attending ISACA's annual GRC Conference or ISACA's local chapter events earns CPE hours with minimal friction since they're already pre-approved.

Non-ISACA training: Courses, seminars, and conferences from other providers qualify if the content is relevant. Professional development offerings from SANS Institute, AICPA, IIA (Institute of Internal Auditors), (ISC)2, and similar bodies typically qualify. Industry conferences covering technology governance, risk management, and security are generally eligible.

Self-study: Reading and self-study activities can qualify, but typically at a limited rate and with documentation. Reading the ISACA Journal, COBIT publications, or other relevant professional literature can earn limited CPE hours. ISACA specifies limits for self-study credit; check the current CPE Policy for the exact cap.

Teaching and presenting: Developing and delivering training programs, speaking at professional conferences, or teaching courses relevant to IS auditing can earn CPE credit, often at a higher rate than attending, since preparation time is counted. If you've presented at an ISACA chapter meeting or an industry conference, that time counts.

Writing and research: Authoring articles, white papers, or research publications in relevant professional areas qualifies for CPE credit. ISACA's own Journal welcomes contributions from members, which serve double duty as professional development and CPE credit.

Volunteer work in professional organizations: Serving in governance or committee roles within ISACA, IIA, AICPA, or similar bodies qualifies. Board service, chapter leadership, and committee work all contribute to your CPE total.

How to Document and Submit CPE Hours

Documentation is the other half of CPE compliance. ISACA doesn't just take your word for it: you're required to maintain records of your CPE activities and may be subject to audit.

For each CPE activity, keep:

ISACA's certification management system (accessible through your online account) is where you log your CPE hours. You enter activities throughout the year as you complete them rather than waiting until the December renewal deadline. This is the approach that actually works; logging 120 hours at once in late November is stressful and leaves you scrambling to locate documentation.

ISACA audits a percentage of CPE submissions each year. If you're selected for audit, you'll need to provide the supporting documentation for your claimed hours. Audits are straightforward for people who kept records; they're a serious problem for people who inflated their hours or lost their documentation.

The Annual Renewal Process

CISA renewal happens annually by December 31. The process involves:

  1. Completing at least 20 CPE hours for the current year (and maintaining the three-year cumulative total on track toward 120)
  2. Paying the annual maintenance fee
  3. Certifying compliance with ISACA's Code of Professional Ethics

ISACA typically sends renewal reminders in the fall. Don't wait for the reminder; if you have your CPE hours and fee ready, submit early. Processing delays near the deadline are common, and a lapsed certification creates complications.

If you fail to renew by December 31, your certification enters a suspended status. ISACA provides a reinstatement process with an additional fee, but the window isn't indefinite. If suspension extends long enough without reinstatement, the certification is revoked, and you'd need to reapply and potentially retest to earn it back.

CISA CPE in the Context of Other Certifications

Many IS audit professionals hold multiple credentials: CISM, CRISC, CGEIT alongside CISA. Each ISACA certification has its own CPE requirements, but there's an important nuance: CPE hours earned can be applied across multiple ISACA certifications if the content is relevant to each credential.

This cross-certification crediting significantly reduces the total hours burden for multi-certified professionals. An activity on IT risk governance might legitimately count toward both CISA and CISM CPE requirements. ISACA's CPE policy addresses this; review it carefully if you hold multiple credentials.

Non-ISACA certifications also factor in. If you hold CISSP, CIA (Certified Internal Auditor), CPA, or other professional credentials, some of the CPE you earn for those certifications may also qualify for CISA credit if the content overlaps with IS auditing. This requires judgment about content relevance, not automatic crediting.

Strategic Approaches to CISA CPE

Meeting CPE requirements with minimal waste means planning your professional development year rather than accumulating hours reactively. Here's what tends to work well for CISA holders:

Anchor around one major event per year. An ISACA conference, a major industry event like RSA Conference (if security-focused), or a multi-day training can deliver 20-30 CPE hours in a concentrated period. One major event per year plus modest ongoing activity gets you to 120 hours over three years without feeling like a grind.

Stay active in your ISACA chapter. Local chapter events offer regular CPE opportunities throughout the year. Chapter meetings, webinars, and study groups add up. If your chapter is active, attending regularly is an easy source of 10-15 hours annually.

Use webinars strategically. ISACA's virtual training offerings have expanded significantly, and many are free for ISACA members. A one-hour webinar on a relevant topic once or twice a month easily covers 20+ hours annually.

Log hours as you earn them. This is the single most important process tip. The ISACA online portal makes it easy to log hours; the hard part is remembering to do it. A simple habit of logging after each completed activity means you're never searching through old emails for documentation at renewal time.

Read ISACA publications with purpose. The ISACA Journal covers topics directly relevant to IS auditing and earns qualifying self-study CPE. If you're reading it anyway, log it. Same with COBIT publications and relevant technical standards.

Changes to CISA in Recent Years

ISACA periodically updates the CISA exam and certification requirements as the field evolves. The most recent significant update repositioned the CISA around five domains: Information Systems Auditing Process; Governance and Management of IT; Information Systems Acquisition, Development, and Implementation; Information Systems Operations and Business Resilience; and Protection of Information Assets.

The CPE requirements themselves have remained relatively stable, but the types of activities that earn the most relevance have shifted as cloud governance, cybersecurity risk, and digital transformation have become increasingly central to IS auditing work. CPE activities that keep you current on these areas serve your professional development and your certification simultaneously.

ISACA also expanded recognition of alternative credential holders who may qualify for modified CISA application requirements, but the CPE requirements once certified remain consistent regardless of how you qualified.

How many CPE hours does CISA require per year?

CISA requires a minimum of 20 CPE hours per calendar year and 120 CPE hours over each three-year certification period. Both thresholds are independently required; you can't skip a year and make it up the next. The annual renewal deadline is December 31, and you must meet the 20-hour minimum for that year along with paying the annual maintenance fee.

What activities count for CISA CPE credit?

Qualifying activities include formal education courses, ISACA-sponsored training and events, other professional training and conferences in relevant areas (IS auditing, IT governance, cybersecurity, risk management), self-study with documentation (subject to hour caps), teaching and presenting, writing professional publications, and volunteer service in professional organizations. The key requirement is that the activity must be relevant to IS auditing responsibilities.

What happens if I don't meet CISA CPE requirements?

Failure to renew by December 31 puts your CISA into suspended status. ISACA provides a reinstatement process with an additional fee, but if the suspension continues without reinstatement, the certification can be revoked. Reinstatement is typically simpler than recertification, but avoiding suspension in the first place saves the fee and the administrative complication.

Can CISA CPE hours count toward other ISACA certifications?

Yes, CPE hours can be applied to multiple ISACA certifications (CISA, CISM, CRISC, CGEIT) if the content is relevant to each credential. This cross-certification crediting reduces the total hours burden for multi-certified professionals significantly. Review ISACA's current CPE policy for specific guidance on how cross-crediting works and any limitations.

Does ISACA audit CPE submissions?

Yes, ISACA audits a percentage of CPE submissions each year. If selected for audit, you need to provide supporting documentation for all claimed hours (certificates of attendance, transcripts, registration confirmations, etc.). Maintaining organized records of all CPE activities throughout the year is essential. Falsifying CPE records is a violation of ISACA's Code of Professional Ethics and can result in certification revocation.

How has the CISA certification changed recently?

ISACA updated the CISA around five domains: Information Systems Auditing Process; Governance and Management of IT; Information Systems Acquisition, Development, and Implementation; Information Systems Operations and Business Resilience; and Protection of Information Assets. The update reflects the growing importance of cloud governance, cybersecurity risk, and digital transformation in IS auditing work. The CPE requirements themselves have remained consistent, but the most relevant content areas for professional development have evolved with these domain updates.