Does CISM Expire? Yes — 3-Year CPE & Fee Requirements

Yes, the Certified Information Security Manager (CISM) expires every 3 years. ISACA requires 120 Continuing Professional Education (CPE) hours over the cycle (minimum 20 per year) plus an annual maintenance fee of $45 (ISACA members) or $85 (non-members). CISM is one of the most respected information security management certifications, and its maintenance requirements ensure holders stay current with evolving security leadership practices.

Cycle
3 Years
CPEs Required
120
Annual Fee
$45
Min CPEs/Year
20

CISM CPE Requirements by Domain

CPE hours should cover topics related to CISM's four domains. While ISACA doesn't require a specific number per domain, well-rounded coverage strengthens your expertise:

DomainWeightSuggested CPE Topics
1. Information Security Governance17%Board reporting, security strategy, frameworks
2. Information Security Risk Management20%Risk assessment, threat modeling, third-party risk
3. Information Security Program33%Security architecture, awareness training, metrics
4. Incident Management30%Incident response, BCP/DRP, forensics

How to Earn CISM CPE Hours

At 40 CPE hours per year average, here are the most efficient and cost-effective sources:

CISM vs CISSP — Maintenance Cost Comparison

Both are top-tier security certifications, but their maintenance costs differ significantly:

FactorCISM (ISACA)CISSP ((ISC)²)
CPEs/CPEs (3 years)120120
Annual Minimum2040
Annual Fee$45$125
3-Year Fee Total$135$375
CPE Overlap with CISAYesN/A

Multiple ISACA Certifications — CPE Efficiency

If you hold multiple ISACA certifications (CISM + CISA, CISM + CRISC), CPE hours count toward all certifications simultaneously. This is a significant advantage:

What Happens If CISM Expires?

Frequently Asked Questions

Does CISM expire?

Yes. CISM expires every 3 years. You need 120 CPE hours (minimum 20/year) and must pay the annual maintenance fee ($45 members, $85 non-members).

How many CPE hours does CISM need?

120 CPE hours over 3 years, with at least 20 hours each year. Topics must relate to information security management.

What is the CISM maintenance fee?

$45/year for ISACA members, $85/year for non-members. Significantly less than CISSP's $125/year AMF.

Can CISM CPEs count toward CISA?

Yes. CPE hours count toward all ISACA certifications simultaneously. The same 120 hours can satisfy CISM, CISA, CRISC, and CGEIT.

CISM vs CISSP — which costs more to maintain?

CISSP costs $375 in fees over 3 years vs CISM's $135. Both require similar CPE volumes (120), but CISSP has a higher annual minimum (40 vs 20).

What happens if CISM expires?

ISACA suspends then fully expires your certification. You must retake the exam ($575-$760) and resubmit work experience documentation to recertify.

Prepare for CISM Certification

Practice with adaptive CISM questions covering all 4 domains.

Start Free CISM Practice Test →

Related Resources

CISSP vs CISM CISA vs CISM