In pursuit of CPEs


You know as an ISC2 member you need to renew every 3 years and this requires collection of Continuing Education Credits (CPEs).
I’m in the process of renewing my CISSP and CCSP credentials, so I figured that now was a great time to address what these mean and how you can collect them.
The requirements
As per the official CPE Handbook, you need to earn X CPE credits in 3 years.
This can be found at the official ISC2 site.
Different certifications have different CPE requirements.
For example, the CISSP certification requires a member to earn 120 group A or B CPE credits over a 3-year period.
This translates to roughly 40 hours of continuing education per year. CCSP and CCSLP certifications only require 90 CPEs in the same period, or 30 hours of continuing education per year.
*Associates of ISC2 need to submit CPEs annually, not every 3 years.
The CPE groups
Group A CPEs are known as “Domain-Related Activities” credits.
These are the heart of ISC2 recertification. When submitting these types of CPEs, you need to map them to one or more of the applicable domains for your certification.
There’s no need to make up a mapping. Just think through how this activity you’re listing applies to the various domains at a high-level.
Group B CPEs are known as “Professional Development” credits.
I can’t even remember the last time I submitted a Group B credit. These CPEs are for continuing credits outside of any of the domains for which you are certified.
Did you take an underwater basket weaving course at a local college? This is an example of a Group B credit.
There is a maximum of 30 Group B CPEs that you can submit in any 3-year cycle for the CISSP or CCSP. These can also be replaced by Group A CPEs.
CPE double-dip
Here’s a cool fact: You can double-dip on CPE credits if you have multiple ISC2 certifications (such as having both a CISSP and a CCSP).
This opportunity isn’t surprising given the content of all ISC2 certifications are IT security, right?
Sure, some may be infrastructure centric and others may be focused on secure software, but the core concepts such as secure architecture and design, testing and supply chains are addressed by most, if not all ISC2 certifications.
The scramble
Annual credit requirements were removed years ago. As an ISC member, you need to earn and submit CPE credits on a 3-year cycle*.
Of course, this brings you to not even think about CPEs until you get an email from the ISC saying your AMF and CPEs are due in a couple of months.
Now you’re scrambling to remember the conferences and presentations over the past three years. I don’t know about you, but I struggle to remember what I had for breakfast this morning.
Pro Tip: Check your emails for webinar and training keywords. This will likely jog your memory of any webcasts and other CPE opportunities you may be forgetting about.
Making it up
Don’t do it! The ISC2 can (and do) flag any CPEs they determine as suspicious.
When this happens, they will not count the credits and you have to defend your submission. If you can’t, they will invalidate them.
In fact, the ISC2 reserves the right to go back 12 months as part of their CPE audit process. If requested, you must provide proof of eligibility. Make sure you keep your records.
Honestly, the fear of being audited and caught faking their CPEs should stop anyone from trying to game the system.
Ever had your taxes audited? It’s amazing how one audit leads to multiple audits in later years. It’s almost like they don’t trust you anymore so they verify every little submission.
Roll-overs
A really important note about roll-over credits – although they can be rolled over a year, they CANNOT be rolled over from one cycle to another. We have experienced this first-hand, and the ISC2 is very strict about this rule.
Letting your certification retire
Are you nuts? I have been a CISSP since 2003.
The number of certifications I have let be retired over this time is numerous. I’ve been an MCT and MCSE, all my certifications backing up these designations are now retired. Cisco? Same. Fortinet, Symantec, BigFix, SANS, CISA?
All the same. I’ll renew my AWS Architect certification soon, I swear. I’m just really busy.
Bottom line, I’ll never let my ISC2 credentials lapse.
CPE opportunities
There are multiple ways to earn Group A or B CPE credits. The following categories are all open for CPE credits:
Education credits
Reading books, articles and magazines all qualify for CPE credits, but there’s a huge catch: You have to write a 250 word review for every CPE you’re trying to claim.
Books and magazines both qualify for 5 CPEs, but for the CISSP that requires 120 CPEs, this means you’re writing 24 reviews that are at least 250 word each
Conferences count for CPEs at a clip of 1 CPE per hour of attendance (this may be broken down to .25 hour increments).
Take the RSA conference for example. After attending this conference, I had 32.25 CPE submitted for me automatically.
How sweet is that?
Webcasts (related to cybersecurity) count as Group A credits. These are 1 CPE per hour of webcast. This category includes vendor presentations.
Training (live or on-demand) is also 1 CPE per hour of training.
Given this, a standard 5-day course (at 8 hours of education per day) is 40 CPEs. This satisfies a full year of CPE requirements for the CISSP.
I think we have the ultimate CPE solution if you are looking to add cloud security under your belt as far as certification goes.
We call it our CCSK/CCSP Bootcamp.
It includes 80 CPE credits – That’s 2 years worth of CPEs (as well as 2 certifications).
How?
Let me break it down for you:
Intrinsec Security’s CCSK/CCSP Bootcamp Course Structure:
- Days 1-3: Official CCSK Plus Training (3 days @ 8hrs/day = 24 CPEs). Includes all the knowledge needed to pass the CCSK exam.
- Days 4-5: Official CCSP Bridge Training (2 days @ 8hrs/day = 16CPEs). Addresses all the material found in the Official CCSP curriculum in a rapid-fire 2-day session. The goal here is to understand what the CCSP offers on top of the CCSK.
After passing your CCSK exam (recommended), you take the official ISC2 CCSP On-Demand Training included with your package. This is another 40 CPEs issued by ISC2.
Total CPEs: 24+16+40=80 CPEs
Other than the above education CPE opportunities, the ISC2 has a myriad of ways to collect CPEs.
These include free on-demand training sessions for members (if you haven’t checked these out yet you should! Not many holders even know these free courses exist), the ISC2 Infosec Magazine (with quiz), ISC2 Webinars, Surveys and more.
Giving back to the profession through writing is a great way to earn CPEs.
Writing cyber security related books through blogs all qualify for CPE credits.
Want to create a training session? That qualifies as well. Another area that may be a source of these CPEs is volunteering, such as volunteering for your local ISC2 chapter.
Finally, we have the Unique Work Experience category. Be careful with this one!
Your day-to-day work activities DO NOT count!
As stated in the official ISC2 CPE guide: “The unique project, assignment, activity or exercise must fall outside of their normal (or day-to-day) job responsibilities or job description.”
Submission process
Once you remember your CPEs, log on to the ISC2 website.
Your CPEs should be listed on your student page. You enter the CPEs in the ISC2 “Add new CPE” site.
Once you click submit, you take a deep breath and hope it shows the CPEs as accepted.
As an ISC2 trusted CPE partner, Intrinsec Security can submit CPEs on your behalf for any of our training solutions or events.
We just take your name and ISC2 member number and submit on your behalf. You don’t risk missing the submission window, forgetting about them or scrambling at the very last minute to enter them.
Be warned though, either through us, or another trusted CPE partner, there may be a 6-week delay before the ISC2 adds them to your account.
Conclusion
The CPE submission process is a pain that all members experience.
Speaking of which, I just got another reminder from the ISC2 about missing CPEs that have to be submitted by the end of this month.
Time to get back to them.