CISSP-ISSMPISC2 certification

How ISSMP renewal works

Same-pool rule: a security-management CPE counts toward both the ISSMP's 60 and the CISSP's 120. You maintain 120 total, at least 60 of which qualify as management CPEs. One ISC2 annual maintenance fee per member covers the CISSP and the concentration (verify the current amount and structure).

Because it's a management cert, its CPE sources look more like ISACA's CISM than the technical CISSP's — governance, program management, leadership, and risk.

What counts as a management CPE

ISSMP's domains cover leadership and business management, security-program lifecycle management, risk management, threat intelligence and incident management, and contingency management (BCP/DR), plus law, ethics, and compliance.

High-leverage sources: the SANS management track (the MGT courses), CISO and security-leadership peer groups (IANS, Evanta, Gartner Security & Risk), governance/risk/compliance conferences, and ISC2 / ISACA management webinars. Management-focused content that ties to an ISSMP domain qualifies.

1 CPE = 1 hour tied to an ISSMP domain; the same audit and documentation regime as the base CISSP applies.

The overlap, and the CISM comparison

The same-pool mechanic means a practicing security manager earns ISSMP CPEs as a byproduct — and each counts toward the CISSP too. If you're already doing governance, program, and risk work, the concentration's 60 are mostly CPEs you'd log anyway.

Many ISSMP holders also hold (or consider) ISACA's CISM, which covers similar management ground. A single management activity — a governance webinar, a CISO-summit session — can often be claimed toward CISSP, ISSMP, and CISM at once, as long as it ties to each one's domains. That cross-credit is the efficient play for multi-cert managers.

The constraint appears only if your CPEs skew technical: you'll need to steer about 20/year into management content to keep the ISSMP's qualifying subset filled.

Common pitfalls (and how to avoid them)

Pitfall 1: Base-cert lapse — the ISSMP can't outlive the CISSP. Maintain the CISSP first.

Pitfall 2: Submitting technical CPEs to a management concentration. A hands-on SIEM or pentest course counts toward the CISSP but not the ISSMP — the concentration audit wants management-domain content. It's the same trap CISM holders hit.

Pitfall 3: Treating the concentration as a separate ledger. It shares the CISSP's fee, cycle, and portal — one deadline, one fee. Verify the bundling so nothing slips.