Like many professional certifications and designations, CISSP requires that certification holders complete a minimum number of continuous professional education (CPE) hours each year. This requirement makes sense to me, as the information security profession is still changing at a high rate. Were it not for this continuing education requirement, many who earn the CISSP and other certifications would quickly fall behind, and those who had earned the certifications would become irrelevant.
Today, (ISC)² requires CISSP holders to earn 120 CPEs in each three-year cycle and no fewer than 20 CPEs in any individual year. So this is an average of 40 CPEs, or forty hours of training, annually.
Many of us are fortunate enough to attend one or two conferences each year, and alone this would effectively satisfy the 40-hour requirement. But not all of us are so lucky: the rest of us have to earn our CPEs an hour at a time.
In earlier years (before 2005, in my estimation), this was a challenge, but no more. Today, each year, there are scores of opportunities to attend vendor product demos and free instructional sessions from (ISC)², ISACA, and other associations. There are so many that you can pick and choose those that are of greatest interest to you.
The dark side to CPEs, if there is one, is that we are required to keep precise records of our CPEs. I suggest you create a spreadsheet that lists, line by line, each CPE event that you attend. More than that: (ISC)², ISACA, and others require that you retain evidence of your training. Some events will email you a certificate of completion, and others will provide a certificate download capability at the conclusion of an event. Some do not provide anything at all, so I make it a point to take a few screenshots of the event.
(ISC)², ISACA, and other associations will randomly audit members’ CPE records to see whether they are truthful in their claims. I was audited by ISACA many years ago, and while I had a good listing of events that I attended, I did a poor job of retaining evidence. Still, I passed the audit because I did have evidence for at least some of the events I attended. The audit put the fear of God in me, and ever since that time, I meticulously obtain and retain evidence for every event I attend. As the published author of several security and privacy-related exam guides in which I stress the importance of good CPE recordkeeping, I doubt that (ISC)², ISACA, or any other organization would cut me any slack at all. And so it should be.
In Part 7: paying it forward.
Peter H. Gregory 
Pingback: My CISSP Journey, Part 7: Mentoring Others | Peter H. Gregory