Info on Professional CPEs

Professional certificates such as CISSP require CPEs (Continuing Professional Education). Typically your employer will help you fulfill some of these requirements by sending you to trainings and conferences and encouraging professional development. But at the end of the day, it is a personal responsibility to complete this requirement in order to keep your certification.

I will focus on CISSP development as this is the certification I have, and I definitely recommend it if you want to get a job/career in:

  • IT Professional
  • Governance/Risk/Compliance
  • Software Development
  • Professional Hacker (look for titles such as Penetration Testing Engineer)

Even if you aren’t 100% focused on security in your job, this certificate is definitely a differentiator in the field. Warning: you may become the security point of contact for your team.

CISSP CPE requirements list

The CISSP certificate requires you to obtain 120 CPEs in 3 years. If you do some simple math that is 40 per year. 1 CPE is more or less translated into 1 hour of professional development (emphasis on security). Here is the list of CPEs for CISSP. Reference - Copy of CISSP Handbook

For CISSP certification - CPE Requirements

Type             Suggested Annual   3-Year Total
Group A          30                 90
Group A or B     10                 30
Total Required   40                 120

From the chart you can see that Group A categories are like gold, as they can all be applied to hit that 120 total (whereas Group B maxes out at 30). Specific categories are defined below.

Group A or B - Continued Education

Self-directed learning activities mapping back to credential domain(s), including:

  • Book, magazine or whitepaper
  • Courses and seminars - other
  • Higher education course
  • (ISC)2 Certification Course
  • (ISC)2 Professional Development Institute (PDI) Course
  • Industry conference (in-person or virtual)
  • Online webinars, podcasts and other online offerings
  • Professional information security chapter meeting
  • Vendor presentation

Specific Rules

  • Maximum number of CPEs apply to the following activities:
    • Books – 5 CPEs per book with 250-word description
    • Magazine – 5 CPEs per magazine issue with 250-word description
    • Whitepaper – 1 CPE per paper with 250-word description
  • Group A: 1 hour of participation related to the credential domains equals 1 CPE
  • Group B: 1 hour of participation related to non-domain related professional development equals 1 CPE
  • CPEs may be reported in 0.25, 0.50 and 0.75 increments
  • Maximum number of CPE per entry should not exceed 40
  • Some of these CPE activities are self-reported through the CPE portal and may be audited.

Group A - Contributions to the Profession - Create New Industry Knowledge

  • Writing, researching & publishing
  • Preparation time for a webinar, podcast, or presentation
  • Preparing new or updating existing training seminar or classroom material (this excludes development of (ISC)2 Official Training Materials)
  • Serving as Subject Matter Expert (SME) for a panel discussion

Specific Rules

  • Maximum number of CPEs apply to the following activities:
    • Books – 40 CPEs per book as author, 20 CPEs per book as co-author, 10 CPEs per book as editor
    • Articles – 20 CPEs per article as author, 10 CPEs per article as co-author, 5 CPEs per article as editor
    • Chapter in Book – 20 CPEs per chapter as author, 10 CPEs per chapter as co-author, 5 CPEs per chapter as editor
    • Professional Blog – 10 CPEs per blog as author, 5 CPEs per blog as co-author, 2 CPEs per blog as editor
    • White Paper – 10 CPEs per white paper as author, 5 CPEs per white paper as co-author, 2 CPEs per white paper as editor
    • Preparing existing training - 1-day course equals 2 CPEs, 2-day course equals 5 CPEs, 5-7 days course equals 10 CPEs, semester (12 or more weeks) equals 20 CPEs

Volunteer Service

  • Provide volunteer, non-compensated services to non-employer or non-client customer groups related to your credential domains.
  • Examples:
    • Performing board service for a professional security organization. (This does not include service on chapter boards.)
    • Government, public sector, or other charitable organizations committees or working groups
    • Participation in security standards development for a recognized committee

Specific Rules

  • 1 hour of attendance or participation related to the credential domains equals 1 CPE (may be reported in 0.25 increments)
  • Do not exceed 40 CPEs

Group A - Unique Work Experience

  • Earn up to 10 Group A CPE credits for activities performed during your regular working hours when you are engaged in unique projects, assignments, activities or exercises. The unique project, assignment, activity or exercise must fall outside of your normal (or day-to-day) job responsibilities or job description.
  • This can be a specific project that relates to the security domains

Specific Rules

  • 1 hour of participation related to the credential domains equals 1 CPE with a maximum of 10 CPEs per unique work experience (may be reported in 0.25 increments)

Group B - Professional Development

  • Earn CPEs for activities around enhancing professional skills outside of the security domains including management, interpersonal communication, project planning, team building, etc.
  • Examples:
    • Chapter formation or management
    • Non-security industry conference
    • Non-security education courses and seminars
    • Non-Security Government/Private Sector/Charitable Organizations Committees
    • Preparation for non-security presentation/lecture/training

Specific Rules

  • 1 hour of participation equals 1 CPE for Group B, not exceeding 40 (may be reported in 0.25 increments)

Word to the Wise

Just remember that all these CPEs may be subject to an audit, so also pay attention to the documentation required per the website. I haven’t been audited, but I always make sure to do my due diligence so that I can attest to any of the work above while submitting my CPEs. Reference - Copy of CISSP Handbook

Quarantine / CPEs

So what do you do when everyone is stuck at home, you are no longer being sent to conferences, and you can't do in-person work as before? As you can probably tell from skimming above, there is really no requirement to be in-person for any of these CPE requirements. However, conferences and trainings are getting canceled and employers' budgets are getting moved to cover other expenses. Below are some good ways to get CPEs while in quarantine.

Security Podcasts

This is a big one for me. There is plenty of free content online that covers security-related material. What I love about podcasts is that you can easily multi-task when listening to a podcast versus almost any other training. My favorite quarantine activity is to put on one of these podcasts and do the dishes or go for a walk. Then I am feeling productive and listening to some really interesting content - AND I am getting CPEs for it.

Big Thanks to @AveMaxima and @MrThomasRayner for opening me up to this idea.

Twitter Podcast post

My personal recommendations for security-related podcasts are:

  • Darknet Diaries - created by Jack Rhysider.
    • My favorite episode set to get you hooked is XBox Underground Part 1 and Part 2. They are so good that I guarantee you will be thanking me later for the introduction (if you haven’t heard them already).
  • Security Now - hosted by Steve Gibson and Leo Laporte. Steve is a subject matter expert in security and Leo is a longtime technology TV/radio personality (I remember watching Leo on TechTV back in the day). Really good topics and conversations here. Add this one to your podcast list.


Who knew I would get CPEs while being asked to like/subscribe to content creators' videos. This was surprise number 2 for me. However, this opens up a huge list of free trainings, including a lot of great conference material that has gone virtual and free.

Here is one that will keep you busy - Defcon 20 Safe Mode - Defcon material has gone virtual this year and you can watch it online on YouTube while collecting your CPEs.

Check out the Defcon website for more details:

Defcon 20 - Safe Mode

Virtual Conferences

Similar to the last recommendation - a lot of the conferences that usually cost thousands of dollars to attend have gone free this year. This is great news; however, it means you have to sign up early, as some have a virtual capacity and some will not post content after the show (unlike our friends at Defcon above).

Some that I plan to attend:

  • Microsoft Ignite 2020 - 48hr virtual conference - But wait - this is not a security conference. That is true! But remember, if there are topics that belong to a security discipline such as Business Continuity Disaster Recovery (BCDR), Authentication/Authorization, Security Engineering, etc., these learnings can be part of Group A (otherwise non-security learning can still be part of Group B).
  • BSides Seattle 2020 - This is a good opportunity, as traditionally BSides security conferences feature the content that barely misses approval or misses timing for DefCon and Blackhat. Presenters are always terrific and it is one of my favorite conferences that I look forward to all year. The BSides founder is @nerd_monkey and he is very passionate about making it a great experience for all people interested in security topics. There are also other localized BSides conferences, which could also be virtual this year. Win-win in my opinion.

In Closing

Hopefully this post sparked some new ideas on how to get CPEs, both in quarantine and in ways that boost your overall continued education. Find me on Twitter if you think I missed anything that would be helpful for folks in their CPE journey!