The most challenging information security certifications, such as CISA®, CISSP®, CISM® require that holders acquire a minimum number of CPEs annually. This is partly to ensure that the certification holder is active and is keeping up-to-date with their field. Unless you conform to CPE policy for your certification, you will almost certainly have it revoked.
This section provides some tips to make it easier to gain & manage your CPEs.
- Valid activities are defined in the CPE policy guidelines for the certification. Always check the latest CPE policy from the organization’s website.
- It is recommended that activities chosen should be auditable, so ensure that any events chosen will provide a certificate of completion or some other means of easily proving that you did the activity at the particular time and that it was a valid activity.
- Some activities have maximums per year; check the CPE policy so that you do not spend too much time on a particular activity.
- CPE activities are submitted for a particular period, so plan the timing of training and other activities carefully.
- CPEs can be used for multiple certifications, so chose activities which cover as many of your certifications as possible.
- Some CPE activities, such as working on the board of a security organization or passing an information security certification exam, may give you a very large number of CPE points. Check out the CPE policy for such events at the start of your certification’s year as it can make life much easier.
- Some CPEs can roll over into the next certification period, so if you do in excess of what you need, it can benefit you later. Check your CPE policy to see if your CPE points can roll over.
- While CPEs usually have an annual minimum, there is also a certification cycle minimum, such as the number of CPEs to be acquired in a three-year period. Bear in mind the average number of CPEs needed per year to meet the certifications period minimum.
- Always do more than the minimum average requirement of CPEs, as some CPEs may be rejected as invalid or may not have adequate proof provided in case of an audit. Do enough CPE activities so that if some are rejected or are questionable you still have enough to meet your requirements.
- Many online CPE events (such as webinars and online conferences) can be done in recorded mode when you have the time. You can therefore plan a do some of these during vacation or on a weekend, rather than doing them live. Doing them recorded can often give better response times than doing live due to slow internet speeds.
- There are many free sources of CPEs, such as ISSA events, BrightTalk webinars, ISC2 events (members only) and ISACA events (members only). Doing only free CPEs can usually satisfy a year’s requirement of CPEs.
- CPE certificates from events state the maximum number of CPE hours that can be claimed. You must submit to your organisation the actual time spent at the event (to the nearest hour).
- You should periodically log into the certification’s organizational website and check where you are in terms of CPEs; especially towards year end.
- Keep an ongoing record of CPE activities, so that when it’s time to enter the CPEs in the organization’s website it will be easy, and you won’t forget any activities. There are also some tools for recording CPEs.
- Sometimes you will find that CPEs have been entered automatically for you in the organization’s website. You should check that the details are correct, and approve the CPEs if necessary.
- Ensure that for each CPE you do you have a record of the following:-
- Start date of event
- Organization/ Instructor putting on event
- Title of event
- Location of event
- Format – classroom, online, live seminar etc
- Number of hours claimed
- Keep a JPEG, BMP or PDF of any certificates or similar documents obtained for CPE purposes. You may need this when submitting the CPEs, or in case you are audited.
To find out more about obtaining CPEs, Click for PDF