How I Keep Up With ISC2 CPE Credits Without Making It a Second Job

I have had the same conversation a bunch of times now.

Someone gets their CISSP, CCSP, SSCP, CSSLP, or another ISC2 certification, the celebration wears off, and then the renewal dashboard starts looking like homework. The question is usually some version of: “How am I supposed to get all these CPE credits?”

The honest answer is that it is not hard. It only feels hard if you wait until the end of the cycle and try to manufacture a pile of credits from scratch.

My current dashboard is a good example. For the cycle shown below, my CISSP is at 112.75 of 120 CPEs, CCSP is at 98.75 of 90, SSCP is at 61.75 of 60, and CSSLP is already at 55.25 of 90. That did not happen because I disappeared into some three-month study bunker. It happened because I started treating CPEs as a side effect of normal professional work: reading, attending webinars, preparing talks, doing real security projects, and saving evidence as I go.

[Figure: ISC2 CPE progress dashboard showing CISSP, CCSP, SSCP, and CSSLP certification status]

The trick is to stop thinking about CPEs as a separate chore. If you work in security, IT, compliance, software, cloud, or risk, you are probably already doing things that count. You just need to recognize them, track them, and submit them while the details are still fresh.

First, Know What ISC2 Is Actually Asking For

ISC2 separates continuing education into Group A and Group B credits. Group A is the important one for most of us because it maps to cybersecurity and the domains of the certification. Webinars on cloud security, secure software, incident response, risk management, AI security, identity, CMMC, vulnerability management, and security operations can all fit here when they line up with the certification domains.

Group B is broader professional development. Leadership training, communication, project management, burnout and resilience, and other non-cybersecurity professional development can help, but only up to the limits ISC2 sets for the certification. ISC2’s own CPE guide also calls out the basic math: one CPE per hour, partial credits in 0.25 increments, and the end date of the activity determines the cycle it applies to.

That last part matters. If you attend something in October, submit it as an October activity. Do not wait six months and try to reconstruct the title, speaker, duration, and domain mapping from memory.

My Pattern Is Boring, Which Is Why It Works

Looking through my CISSP transcript, the credits were not evenly distributed. They looked more like a poll result, which is useful because it shows where I naturally picked up credits and where I was lighter.

  • Courses, online training, and certification prep: 40 credits / 35%
  • Books, study guides, and exam prep reading: 25 credits / 22%
  • Webinars, summits, CISA/SBA/public-sector sessions, and ISC2 events: 22.75 credits / 20%
  • Unique work experience, including CMMC Level 2 work: 10 credits / 9%
  • Vendor presentations: 9.5 credits / 8%
  • Group B professional development: 3.5 credits / 3%
  • Presentation and training preparation: 2 credits / 2%

That breakdown is more honest than a generic list. I am heaviest on structured training, certification prep, books, webinars, and public-sector sessions. I am lighter on presentation prep and Group B professional development. Vendor sessions helped, but they were not the whole strategy. The CMMC work mattered too, but I treat unique work experience as a special category, not something to pad every month.

That mix is the whole point. I do not rely on one source. If I read a serious security book, I log it. If I attend a relevant webinar, I log it. If I prepare a security presentation, I log the preparation. If I do a project that is outside my normal day-to-day responsibilities and maps to the domains, I look at whether it qualifies as unique work experience.

The best part is that some ISC2 activities auto-submit. ISC2 says its webinars can earn CPE credits, and its Knowledge Vault page says members can earn 1 CPE per 45-minute webinar. That makes ISC2 webinars one of the lowest-friction sources because the credit usually lands in your account later. I still keep my own note anyway, because auto-submission can take time and I do not like trusting one system to be my only memory.

The Easy Button: ISC2 Webinars And Shared Credits

If someone wants the lowest-friction starting point, I usually tell them to start with ISC2’s own webinars.

ISC2 runs webinars all the time. Security Briefings, Knowledge Vault, Spotlight events, Think Tank sessions, and vendor showcases all show up throughout the year. The useful part is not only that they are relevant. The useful part is that ISC2 captures the evidence and can automatically submit the CPE activity for you when you register and attend with the right account information.

That removes two of the most annoying parts of the process: saving proof and remembering to file. I still keep my own tracker, but ISC2 webinars are the closest thing to an easy button because the evidence chain is already inside the same ecosystem as the certification.

The other thing people miss is that one CPE activity can help more than one ISC2 certification when it maps to the domains. If a webinar on cloud IAM is relevant to both CISSP and CCSP, or a secure software book maps to CISSP and CSSLP, do not submit it as if it only belongs to one credential. Pick the relevant domains for every certification it honestly applies to.

If you are unsure which domains fit a webinar, book, or training session, this is a good place to use AI as a drafting assistant. Do not let it invent credits, and do not treat it as the authority. Use it to organize the mapping, then check the result against ISC2’s rules before submitting.

CPE Domain Mapping Prompt

Prompt: I hold CISSP, CCSP, SSCP, and CSSLP. I attended this webinar: "AI-Driven Cloud IAM: Automating Access Decisions Across Multi-Cloud and SaaS." It was 45 minutes long and covered identity governance, access decisions, SaaS authorization, cloud security operations, and risks from over-permissioned accounts. Map this activity to likely ISC2 certification domains. Separate strong matches from weak matches. Do not invent domains. Explain which certifications this could reasonably support and what evidence I should keep before submitting the CPE.

Example output: Strong matches may include CISSP Identity and Access Management, CISSP Security Operations, CCSP Cloud Platform and Infrastructure Security, and CCSP Cloud Application Security. CSSLP may be a weaker match unless the webinar covered secure software design or application access controls in enough depth. SSCP may apply if the content focused on operational access control and monitoring. Evidence to keep: webinar title, provider, date, duration, registration or attendance confirmation, agenda or abstract, and a short note explaining the domain mapping. Submit only the certifications and domains that honestly match the content.

CISA Is One Of My Favorite Free Sources

The big one I always tell people about is CISA.

CISA and NICCS publish a lot of cybersecurity training, events, and awareness material. Not every CISA page is going to magically auto-submit to ISC2, so I treat these as manual CPE candidates: attend the webinar, save the registration or completion email, note the title and duration, and map it to the certification domains when I submit it.

That is the distinction that keeps you out of trouble. Free public training can be excellent, but you still need evidence. I usually keep:

  • The event title
  • The event date
  • The duration
  • The registration or completion email
  • A screenshot or agenda if available
  • A one-line note explaining why it maps to a certification domain

For people in government contracting, CMMC, incident response, vulnerability management, critical infrastructure, or security awareness, CISA material is especially useful because it is usually grounded in the exact things we deal with at work.

Start here:

Webinars Are The Easy Mode, But Pick The Right Ones

Webinars are the easiest way to build a steady CPE rhythm. They are also where people get lazy.

Do not just join anything with “cyber” in the title and call it good. Pick sessions that match what you actually do or what you are trying to get better at. My transcript has cloud security, AI application security, IAM, behavioral email security, ransomware, living-off-the-land techniques, vulnerability management, and CMMC. Those are not random topics. They map to work I care about and certifications I hold.

My usual sources:

Vendor webinars can count too, and my transcript has plenty of them. The filter I use is simple: did I learn something security-relevant, was it more than a product pitch, and can I explain the domain mapping if audited? If the answer is yes, I save the evidence and submit it. If the answer is no, I do not try to force it.

Books Still Count, And They Are Underrated

Books are one of the most overlooked CPE sources. ISC2’s CPE guide explicitly includes reading books, magazines, and white papers as self-directed learning when the topic maps to the certification domains.

I used this heavily while working through SSCP and CSSLP material. My transcript includes the Official ISC2 Guide to the CSSLP CBK, Essential CSSLP Exam Guide, All In One CSSLP, the SSCP Official Study Guide, and SSCP Official Practice Tests. Those were not just exam prep resources. They also counted as professional learning because they were tied directly to security domains.

For 2026, I would think about books in three buckets.

First, certification-aligned books. If you recently passed CISSP but are moving into CCSP, CSSLP, or SSCP, keep reading domain-specific material. It sharpens your work and gives you clean Group A evidence.

Second, practitioner books. For security engineering and software security, I still like Building Secure & Reliable Systems because it connects security with reliability and production operations. For developers moving into security, Web Security for Developers is approachable and concrete. For application security, Alice and Bob Learn Application Security is still a good recommendation if you want something practical instead of theory-heavy.

Third, strategy and architecture books. If you are trying to think more like a security leader, Cybersecurity First Principles is worth looking at because it organizes security around enduring ideas instead of tool churn.

The evidence habit is the same: title, author, date completed, rough time spent, and a short note about the domains. Do not submit “read a book” with no context.

Presenting And Teaching Counts More Than People Realize

One thing I like about the CPE model is that it recognizes contribution, not just consumption.

My transcript includes preparation credits for “Introduction to Log Management” and “Create your own AI Agent.” Those are good examples because preparing to teach or present forces you to organize the topic, check your assumptions, and explain it clearly. That can be more valuable than passively watching another webinar.

If you run an internal lunch-and-learn, prepare security awareness material, present to a client, build training for your team, write a technical article, contribute to a security group, or help with exam or content development, check the ISC2 rules before ignoring that work. You may already be doing CPE-worthy activity.

The catch is evidence. Keep the slide deck, agenda, meeting invite, outline, article link, or prep notes. If you ever get audited, you want to show what you did without scrambling.

Unique Work Experience Is Real, But Do Not Abuse It

My transcript also includes unique work experience for a CMMC Level 2 project. That is a real category, but I would be careful with it.

ISC2 describes unique work experience as work performed during working hours when it relates to a unique project or assignment outside your day-to-day responsibilities. That phrase matters. Your normal job is not automatically a CPE farm. But a special project, migration, assessment, implementation, audit, or security initiative may qualify when it is meaningfully outside the ordinary routine and maps to the domains.

For this category, I would keep better notes than usual:

  • What the project was
  • Why it was outside normal duties
  • Which domains it mapped to
  • Start and end dates
  • Approximate hours
  • Non-sensitive evidence, such as a sanitized project plan or completion note

Do not upload client confidential material or anything sensitive just to prove a CPE. Save enough to show the nature of the work without creating a data handling problem.

My Simple System

The system I recommend is almost embarrassingly simple.

Keep one running note or spreadsheet with these columns:

Date | Title | Source | Type | Hours | Group A/B | Cert domains | Evidence saved? | Submitted?

When you register for a webinar, add it. When you finish a book, add it. When you prepare a presentation, add it. When the CPE is submitted, mark it. When ISC2 auto-submits something, still reconcile it against your list.

I also try to submit credits while the activity is fresh. ISC2’s CPE guide recommends keeping a log and not delaying submissions, and that matches my experience. The longer you wait, the more annoying the process gets.

The other habit that helps if you hold multiple ISC2 certifications is selecting all relevant domains during submission. ISC2 notes that CPE activities can count toward multiple certifications when the activity maps to the relevant domains. That is how one strong webinar on cloud IAM or secure software can help across CISSP, CCSP, and CSSLP when the mapping is legitimate.

The Part Nobody Wants To Hear

You still have to do the work.

There is no shortcut where you click through a bunch of random videos at the end of the cycle and somehow become a better security professional. But there is a much easier way than panic-submitting credits near the deadline. Make learning part of the week. Pick topics that connect to your actual work. Save evidence as you go. Submit while the details are fresh.

That is how I got my dashboard into a comfortable place without making CPEs a second job.

If you just passed your exam, enjoy that win. Then set up the tracker now, register for a couple of ISC2 or CISA sessions, pick one book you actually want to read, and start banking credits before the renewal clock turns into stress.

Summary

Keeping up with ISC2 CPE credits is easier when you treat it like a normal professional habit instead of a renewal emergency. Here is the system I use across CISSP, CCSP, SSCP, and CSSLP, with free and low-friction sources for webinars, books, training, and work-based credits.
