CISA CPE Requirements: Everything You Need to Know
To maintain the Certified Information Systems Auditor (CISA) designation, certificants must earn and report at least 20 CPE hours each calendar year and at least 120 CPE hours over each rolling 3-year certification cycle. CISA holders must also pay the annual maintenance fee, comply with ISACA’s Code of Professional Ethics, and respond to the annual CPE audit if selected. ISACA also notes that the annual reporting period begins on January 1 each year, and for newly certified CISAs, the annual and 3-year cycle begins on January 1 of the year after certification.
This page provides general educational information to help CISA holders understand how CISA CPE requirements work, including annual minimums, rolling 3-year requirements, maintenance fees, audit expectations, qualifying CPE activities, and how structured audio learning may fit within the framework.
Important: This content is for general educational purposes only. It does not constitute legal, regulatory, or individualized compliance advice and does not replace official guidance issued by ISACA. Individual requirements may vary based on certification status, whether you are newly certified, and whether you hold multiple ISACA certifications.
CISA CPE Requirements at a Glance
[[CTA1]]
CISA Reporting Period and 3-Year Cycle
CISA uses both an annual requirement and a rolling 3-year cycle. That means certificants must earn and report at least 20 CPE hours every calendar year, while also reaching at least 120 total CPE hours by the end of each 3-year cycle. ISACA explains that the 3-year cycle minimum is 120 hours, and how you reach that total can vary, as long as each individual year still meets the 20-hour minimum.
CISA Continuing Professional Education Requirements
ISACA’s CPE framework for CISA is relatively straightforward. To stay active and in good standing, certificants must:
- earn and report at least 20 CPE hours every calendar year
- earn and report at least 120 CPE hours over each rolling 3-year cycle
- pay the annual maintenance fee
- comply with the Code of Professional Ethics
- comply with the annual CPE audit if selected
Total CPE Hours Required
CISA holders must earn at least 120 CPE hours over each 3-year certification cycle. This rolling cycle works alongside the annual minimum, so a certificant cannot wait until the final year and ignore the yearly requirement.
Annual Minimum Requirement
CISA holders must earn and report at least 20 CPE hours every calendar year. This annual requirement is one of the core conditions for keeping the certification in active status.
Annual Maintenance Fee
ISACA requires an annual maintenance fee to keep a certification active. ISACA support guidance currently states that the annual maintenance fee is $45 for ISACA members and $85 for non-members. ISACA also makes clear that ISACA membership and certification are separate, so membership is not required to maintain the credential, though it affects the fee level.
Code of Professional Ethics
Maintaining a CISA is not only about earning CPE hours. ISACA also requires compliance with its Code of Professional Ethics as part of ongoing certification maintenance.
[[CTA2]]
Newly Certified CISA Holders
For newly certified CISAs, the annual and 3-year certification period begins on January 1 of the year after certification. ISACA says reporting CISA CPE credits during the year you pass the CISA exam and receive certification is not required. However, hours earned between the certification date and December 31 of that year may be reported into the initial reporting period, and this is the only time CPE can be carried forward in that way.
What Counts as CPE for CISA
ISACA allows CPE from a wide range of professional education activities, including ISACA conferences, seminars, workshops, chapter programs, mentoring, meetings, non-ISACA conferences and training, university courses, online training, and other qualifying professional development in information systems auditing. The main test is whether the activity is appropriate to maintaining or advancing knowledge or ability related to the certification, such as specialized IT audit techniques or evolving auditing standards. ISACA also says on-the-job activities do not count unless they fall into a specific qualifying professional education activity.
CPE Credit Calculation
ISACA says CPE can be reported in quarter-hour increments. For many professional education activities, credit is based on hours of active participation. ISACA’s guidance also notes that successfully completed university courses in related fields earn 15 CPE hours per semester credit hour and 10 CPE hours per quarter credit hour.
Reporting and Audit Expectations
CISA holders must report their CPE through ISACA’s certification and CPE management tools. ISACA also conducts an annual CPE audit, and certificants who are selected must respond and submit required documentation. Failure to comply with maintenance requirements can result in revocation of the certification.
Multiple ISACA Certifications
ISACA allows the same professional activity to count toward multiple ISACA certifications when the activity is applicable to the job-related knowledge of each certification. This can be helpful for professionals who hold CISA along with credentials like CISM, CRISC, or CGEIT, which often overlap in areas like risk management and critical infrastructure protection.
CISA CPE Courses: What to Know
For CISA holders, the main planning points are:
- reaching at least 20 CPE hours every calendar year
- staying on pace for 120 total hours over the rolling 3-year cycle
- paying the annual maintenance fee
- keeping records organized in case of audit
- making sure activities support current or advancing knowledge related to the certification
- understanding that newly certified holders begin formal reporting in the year after certification
Audio-Based Learning and LumiQ
LumiQ provides structured, expert-led learning designed to fit professional development into daily life. For CISA holders, the key question is whether the activity qualifies under ISACA’s CPE framework and whether it supports knowledge or skills relevant to the certification. Because ISACA recognizes a broad range of professional education activities and focuses on qualifying professional learning rather than one required delivery format, structured audio-based learning may fit into a CISA CPE plan when it aligns with ISACA’s CPE rules and can be properly documented. CISA holders remain responsible for determining whether a specific activity qualifies. ISACA remains the final authority on compliance.
Upcoming CPE Policy Changes
ISACA’s CPE page notes that a new CPE policy becomes effective on January 1, 2027. ISACA says the current baseline requirement of 20 CPE hours per year and 120 CPE hours per 3-year cycle remains unchanged, but additional alignment rules will apply under the updated policy. If you are planning long-term, it is worth checking ISACA’s upcoming policy updates directly.
[[CTA3]]
Frequently Asked Questions About CISA CPE
How many CPE hours does a CISA need each year?
A CISA needs at least 20 CPE hours each calendar year.
How many CPE hours does a CISA need over 3 years?
A CISA needs at least 120 CPE hours over each 3-year certification cycle.
Is the CISA requirement annual or rolling?
It is both. There is a minimum of 20 CPE hours per calendar year and a minimum of 120 total hours over the rolling 3-year cycle.
Does CISA have an annual maintenance fee?
Yes. ISACA requires an annual maintenance fee, and current support guidance lists it as $45 for members and $85 for non-members.
Do newly certified CISAs need CPE right away?
No. The formal annual and 3-year CPE cycle begins on January 1 of the year after certification. However, qualifying hours earned after certification and before year-end can be applied to the initial period.
Can one activity count toward multiple ISACA certifications?
Yes. ISACA allows one qualifying professional activity to count toward multiple ISACA certifications if it applies to the job-related knowledge of each certification.
Can LumiQ count toward CISA CPE?
It may, where the activity aligns with ISACA’s CPE rules and supports knowledge or skills relevant to the certification. The certificant remains responsible for confirming that a specific activity qualifies.
CISA CPE Compliance
ISACA is the final authority on CISA CPE compliance. CISA holders should rely on ISACA’s maintenance guidance, CPE policy, active status rules, and current certification resources when making decisions about their own obligations.
Sources
Primary sources used for this page include ISACA’s Maintain CISA Certification page, the ISACA CPE Policy, Active Status guidance, and How to Earn CPE guidance.
Reviewed by Danielle Marion, Regulatory Compliance Manager at LumiQ. Danielle has more than 20 years of experience in regulatory compliance and professional education governance, including leadership roles at Deloitte LLP.






