CISSP Continuing Education Requirements
Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
You need CPEs? This article is here for you. This article discusses CPEs, those continuing education credits required by so many certifications. We talk about who needs them, how many and how to get them, and especially how to get CPEs in a way that best suits your needs.
What are CPEs and Who Needs Them?
Let’s safely assume you already know that CPE stands for “continuing professional education,” and 1 CPE equals 1 unit of education. You know that once you get your certification, you’ll need to collect and record these CPEs to keep your cert current. So, in effect, as you get the certification, you hear “Congratulations, you got it! Now, keep learning and let us know what you do.”
Several IT certifications, principally security-related ones, require you to continually be exposed to material in order to maintain the certification. However, the information technology sector is neither the pioneer nor the sole promoter of CPEs. There are accountants, orthodontists, real estate planners or, like in the case of my wife, even geologists that need CPEs.
But we’re not here to talk about those other careers[md]we’re talking about yours and your certification.
CPE Demands on CISSP and Other Certifications
Different certifications have different CPE requirements, but let’s use the CISSP as an example. If you’re a CISSP, you need 120 CPEs over a period of 3 years. Further, for each of the 3 years, you need a minimum of 20 (so don’t think you can grab all 120 in one day).
The general measuring stick is 1 CPE for 1 hour. Exceptions come to how intensive your effort is. For example, preparing a two-hour long security presentation to your local police department can provide 8 CPEs, while passively reading an entire book will grant you 5 CPEs. Creating the presentation is more brain-intensive, so you (deservedly) get more CPEs.
Isn’t All This CPE Business Just a Scam?
Short answer: no. I have to pose this question because some people do feel this way.
The process of collecting and recording CPEs is a proven method for educators and certifying bodies to promote continued learning as well as keep the cert holders’ minds open. As far as cost goes, there are so many ways we can get CPEs for free, it’s shameful to think it’s a scam. (Look for some detailed suggestions below.)
Personally, I feel CPEs are a good enough method to separate “paper-CISSPs” from those more seriously minded. However, don’t get me started about the $85 annual fee. I’ve been a CISSP for over 10 years; you do the math.
Quest for The Best CPEs
There are opportunities galore for earning CPEs. Some cost and are more fun (e.g., the Blackhat conference in Las Vegas). But unless your boss is willing to send you out on training to Sin City, you have lots of free options.
Let’s assume you want all your CPEs to be for free AND relatively “high value” for the effort involved. If you’re like me, you’re lazy. Brilliant, sure, but lazy. I am always looking for “better” ways to get my CPEs. So what options are out there?
CPEs in Print
Books and magazines will get you CPEs. Provided it’s related to information security (naturally), if you read a book, that is 5 CPEs. Reading an infosec magazine will award you between 3-5 CPEs (it’s up to the publisher). Personally, I believe these are no-brainer ways to get CPEs. So does (ISC)2, and that’s why they limit it to one book and one magazine a year for up to 10 CPEs. In fact, here is a free security magazine that automatically forwards 5 CPEs to (ISC)2.
You can also write an article or a review of a book. Writing an article under five pages will get you 5 CPEs. Writing an article with five or more pages will award you 10 CPEs. Again, do the math: 10 for a five page article equals roughly 1 CPE per 150 words. How much e-mail will you type today? It’s too easy to pass up. As for writing book reviews, be careful the review doesn’t already exist on the (ISC)2 website, or else they may not publish it, thus no CPEs.
Lastly there is the super-ambitious project of writing a book. For publication of a book you will receive 40 CPEs. Ah, but is it so ambitious? Have you heard of “CreateSpace” with Amazon? CreateSpace[md]as well as other self-publishing companies[md]makes it much easier to become a published author[md]not to mention getting your 40 CPEs.
Podcasts and Webcasts
If you’re not a big reader, you can tune in to a security-related podcast, such as Cyberspeak or GRC Security Now! The latter offers two quality levels of MP3s and transcripts, too.
If you enjoy slides with your audio, check out SANS Webcasts. Click on the “Webcast Archive.” After a rather lengthy registration, you can chose among several webcasts per recent months.
Now, the downsides. Typically podcasts and webcasts give you just 1 CPE for the hour. You need to listen to 20 hours of podcast or watch 20 hours of webcast to get your year’s minimum. Another downside of podcasts is (ISC)2 recommends you keep the podcast file in case you get audited. Archiving all those MP3 files “just in case” could add up on your hard drive. Much better with webcasts to just archive the PDF stating you completed it.
Getting CPEs as an Exam Proctor or Supervisor
Being a proctor for an exam will get you 8 CPEs. That’s 8 CPEs for doing little more than watching people take the exam. Free bonus: depending on the exam venue, you may even have coffee and breakfast available.
Even better news: once you’ve been a proctor at least once, you’re eligible to be the exam supervisor. Supervisors carry considerable more responsibility, and that earns you 16 CPEs over the same period of time spent as the proctors.
How to do this? It depends on where you live and how often exams come to your location. While I lived in Prague, I proctored once and supervised twice. Check out the (ISC)2 member site to sign up as a volunteer in your location.
Case Study: How I Got 44 CPEs in 1 Week
If you’re new to CPEs, you’re thinking “Wow, that’s like 44 hours of material in one week!” Not really.
If you’re accustomed to getting faster CPEs, then let me add this: it took me about 2 hours of work to get those 44 CPEs.
Yes, now you’re all impressed (or skeptical). Let me share how I did it.
First, some background story: Last year, toward the end my 3-year CPE cycle, I was getting messages from (ISC)2, warning me “Your CISSP Certification is near expiry.” Worst of all, I was a full 44 CPEs shy of my 120. I had one week. Panic set in. I browsed around for any local events, or courses to no avail.
Finally I discovered the (ISC)2 e-Symposium webcasts at BrightTALK. Under Recorded Events you will find about 50 events, each providing 3 CPEs. Each event has between 4-6 speakers, and they all have a slideshow of 30-50 minutes. By now you’re doing the math, thinking this doesn’t sound like a good deal. But it is.
Here’s is how: first, launch the 10-question CPE quiz from the bottom of the event speaker list. Then start with the first speaker. Note the quiz tells you which speaker will answer which question. Once you glean the answers you need from Speaker #1, move on to Speaker #2. Better still, you can skip slides, spotting the slide that likely answers the question in front of you. The whole event should take you under 10 minutes. My best so far is under a minute (with some educated guessing). Answering 7 out of 10 questions correctly will award you the 3 CPEs.
A Note about “Type A” and “Type B”
Nearly all the above are applicable to any certification requiring CPEs. But (ISC)2 differentiates CPEs between two types. One type, Type A, must directly relate to information security areas they call domains and the other, Type B, is more professional development. For any of the CPE opportunities mentioned above, those will be Type A, whereas a team-building course or “how to interview” seminar would fall under Type B. For the 120 required, (ISC)2 accepts up to 40 CPEs be Type B.
Good luck with getting your CPEs!