Does CISA Expire? Yes — 3-Year CPE & Fee Requirements

Yes, the Certified Information Systems Auditor (CISA) expires every 3 years. ISACA requires 120 Continuing Professional Education (CPE) hours over each 3-year cycle with a minimum of 20 CPE hours per year, plus an annual maintenance fee of $45 (ISACA members) or $85 (non-members). CISA is one of the most respected IT audit certifications globally, and maintaining it demonstrates ongoing commitment to the profession.

CISA Renewal Requirements Breakdown

ISACA's Continuing Professional Education (CPE) policy ensures CISA holders stay current with evolving audit standards, control frameworks, and information security practices:

• 120 CPE hours total over the 3-year reporting cycle
• Minimum 20 CPE hours per year — you cannot front-load all 120 into year one
• 1 CPE = 1 hour of learning or professional activity (50-minute contact hour)
• CPE topics must relate to IS auditing, control, assurance, security, governance, or risk management
• Annual maintenance fee: $45 (ISACA members) or $85 (non-members), due each January
• CPE reporting: Log activities through ISACA's online portal throughout the year

How to Earn CISA CPE Hours

At 40 CPE hours per year average, you need roughly 3-4 hours of professional development per month. Here are the most common sources:

CPE Source	Hours Available	Cost
ISACA webinars	1-2 per session	Free (members)
ISACA chapter meetings	1-3 per event	Free-$25
ISACA conferences (NACACS, GRC)	20-40 per event	$500-$2,500
Self-study (books, journals)	Up to 10/year	Free-$50
Teaching/lecturing	1 per hour taught	Free
Publishing articles	5-10 per article	Free
Earning another certification	20-40 per cert	Varies

CISA vs Other ISACA Certifications — Maintenance Comparison

Certification	CPEs (3yr)	Annual Min	Annual Fee (Member)
CISA	120	20	$45
CISM	120	20	$45
CRISC	120	20	$45
CGEIT	120	20	$45

Key benefit: If you hold multiple ISACA certifications (CISA + CISM, for example), CPE hours count toward all certifications simultaneously. You still pay a separate maintenance fee for each certification, but the learning effort overlaps completely.

3-Year Cost of Maintaining CISA

Expense	ISACA Member	Non-Member
Maintenance Fee (3 years)	$135	$255
ISACA Membership (3 years)	$405	$0
CPE Activities (free sources)	$0	$0
Total (minimum)	$540	$255

ISACA's CPE Audit Process

ISACA randomly selects certification holders for CPE audits each year. If selected, you must provide documentation proving your claimed CPE hours. Here's what you need to know:

• Retain documentation for at least 1 year after your reporting cycle ends
• Acceptable proof: Certificates of completion, conference badges, published articles, course transcripts
• Response deadline: Typically 30 days from the audit notification
• Non-compliance: Failure to provide documentation can result in certification suspension or revocation

Frequently Asked Questions

Does CISA expire?

Yes. CISA expires on a 3-year cycle. You must earn 120 CPE hours (minimum 20/year) and pay the annual maintenance fee ($45 members, $85 non-members).

How many CPE hours does CISA require?

120 CPE hours over 3 years with a minimum of 20 per year. Topics must relate to IS auditing, control, assurance, security, or governance.

What is the CISA maintenance fee?

$45/year for ISACA members, $85/year for non-members. This is separate from ISACA membership dues ($135/year).

Can CISA CPEs count toward CISM or CRISC?

Yes. CPE hours count toward all ISACA certifications you hold simultaneously. The topics just need to be relevant to each certification's domain areas.

What happens if CISA expires?

ISACA suspends your certification. After the suspension period, you must retake the full exam ($575 members, $760 non-members) and reapply for certification with work experience verification.

Does ISACA audit CISA CPE claims?

Yes, ISACA conducts random CPE audits annually. Keep certificates of completion, conference records, and other documentation for at least 1 year after your cycle ends.