Yes, the Certified Information Security Manager (CISM) expires every 3 years. ISACA requires 120 Continuing Professional Education (CPE) hours over the cycle (minimum 20 per year) plus an annual maintenance fee of $45 (ISACA members) or $85 (non-members). CISM is one of the most respected information security management certifications, and its maintenance requirements ensure holders stay current with evolving security leadership practices.
CPE hours should cover topics related to CISM's four domains. While ISACA doesn't require a specific number per domain, well-rounded coverage strengthens your expertise:
| Domain | Weight | Suggested CPE Topics |
|---|---|---|
| 1. Information Security Governance | 17% | Board reporting, security strategy, frameworks |
| 2. Information Security Risk Management | 20% | Risk assessment, threat modeling, third-party risk |
| 3. Information Security Program | 33% | Security architecture, awareness training, metrics |
| 4. Incident Management | 30% | Incident response, BCP/DRP, forensics |
At 40 CPE hours per year average, here are the most efficient and cost-effective sources:
Both are top-tier security certifications, but their maintenance costs differ significantly:
| Factor | CISM (ISACA) | CISSP ((ISC)²) |
|---|---|---|
| CPEs/CPEs (3 years) | 120 | 120 |
| Annual Minimum | 20 | 40 |
| Annual Fee | $45 | $125 |
| 3-Year Fee Total | $135 | $375 |
| CPE Overlap with CISA | Yes | N/A |
If you hold multiple ISACA certifications (CISM + CISA, CISM + CRISC), CPE hours count toward all certifications simultaneously. This is a significant advantage:
Yes. CISM expires every 3 years. You need 120 CPE hours (minimum 20/year) and must pay the annual maintenance fee ($45 members, $85 non-members).
120 CPE hours over 3 years, with at least 20 hours each year. Topics must relate to information security management.
$45/year for ISACA members, $85/year for non-members. Significantly less than CISSP's $125/year AMF.
Yes. CPE hours count toward all ISACA certifications simultaneously. The same 120 hours can satisfy CISM, CISA, CRISC, and CGEIT.
CISSP costs $375 in fees over 3 years vs CISM's $135. Both require similar CPE volumes (120), but CISSP has a higher annual minimum (40 vs 20).
ISACA suspends then fully expires your certification. You must retake the exam ($575-$760) and resubmit work experience documentation to recertify.
Practice with adaptive CISM questions covering all 4 domains.
Start Free CISM Practice Test →