AAISM Recertification 2027: Requirements, Costs & Timeline

AAISM Recertification Overview

The Advanced in AI Security Management (AAISM) certification from ISACA requires recertification every three years to maintain its validity and ensure practitioners stay current with rapidly evolving AI security technologies and best practices. As a relatively new certification launched on August 19, 2025, the first wave of AAISM professionals will face their initial recertification cycle in 2028, making 2027 a critical preparation year.

Unlike some certifications that rely solely on continuing education units or re-examination, AAISM recertification follows a comprehensive model that combines ongoing professional development, adherence to ethical standards, and maintenance of prerequisite certifications. This approach ensures that certified professionals maintain both technical competency and professional integrity throughout their career.

New Certification Alert

Since AAISM launched in August 2025, the certification is still in its inaugural phase. The first recertification cycle will begin in 2028, but understanding requirements early helps professionals plan their continuing education strategy effectively.

  • Years Validity: 3
  • Total CPE Hours: 30
  • Min. Annual CPE: 10
  • AI-Specialized Topics: 100%

The recertification process is designed to be manageable for working professionals while ensuring the certification remains valuable and current. With AI security being one of the fastest-growing fields in cybersecurity, the structured approach to continuing education helps professionals stay ahead of emerging threats and technologies.

Eligibility Requirements

To be eligible for AAISM recertification, candidates must meet several ongoing requirements that begin from the moment they achieve their initial certification. These requirements are interconnected and failure to maintain any one component can result in certification lapse.

Active CISM or CISSP Prerequisite

The most critical eligibility requirement is maintaining an active CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional) certification throughout the entire AAISM lifecycle. This prerequisite cannot be allowed to lapse at any point during your AAISM certification period.

CISM certification requires 20 CPE hours annually and renewal every three years, while CISSP requires 120 CPE hours over three years with a minimum of 30 hours per year. These requirements run independently of AAISM requirements, meaning professionals must satisfy both sets of continuing education obligations.

Critical Prerequisite Warning

If your CISM or CISSP certification lapses, your AAISM certification automatically becomes invalid. There is no grace period or alternative pathway to maintain AAISM without an active prerequisite certification.

Professional Ethics Compliance

All AAISM holders must adhere to the ISACA Code of Professional Ethics throughout their certification period. This includes maintaining professional integrity, avoiding conflicts of interest, and reporting any violations or disciplinary actions that may affect their professional standing.

The ethics requirement extends beyond simple compliance to include active promotion of ethical practices in AI security management. Professionals are expected to champion responsible AI development and implementation within their organizations and the broader professional community.

Employment and Experience Maintenance

While ISACA doesn't require specific employment status for recertification, maintaining relevant experience in AI security management strengthens your professional standing and makes CPE requirements more meaningful. Many approved CPE activities are tied to practical application of AI security concepts in real-world scenarios.

For professionals who have studied using our comprehensive AAISM study guide, the transition from exam preparation to ongoing professional development should feel natural and aligned with career growth objectives.

CPE Requirements Breakdown

The AAISM continuing professional education (CPE) requirements are specifically tailored to the dynamic nature of AI security management. Unlike general cybersecurity CPE credits, all 30 required hours over the three-year cycle must focus on AI-specialized topics.

Annual Minimum Requirements

AAISM holders must earn a minimum of 10 CPE hours per year in AI-specialized topics. This annual minimum ensures consistent engagement with evolving AI security practices rather than allowing professionals to defer all continuing education until the final year of their certification cycle.

The 10-hour annual minimum can be exceeded, and many professionals find it beneficial to earn 12-15 hours annually to provide a buffer against unexpected circumstances that might prevent CPE completion in any given year.

Year | Minimum CPE Hours | Recommended CPE Hours | Focus Areas
Year 1 | 10 | 12-15 | Emerging AI threats, new regulations
Year 2 | 10 | 12-15 | Advanced controls, industry case studies
Year 3 | 10 | 12-15 | Future technologies, strategic planning

AI-Specialized Topic Requirements

All CPE hours must directly relate to AI security management topics. General cybersecurity, project management, or leadership training does not qualify unless specifically focused on AI applications. This requirement ensures professionals develop deep expertise in their certification domain rather than broad but shallow knowledge.

Acceptable AI-specialized topics align with the three main exam domains:

  • AI Governance and Program Management: Strategic planning for AI implementations, compliance frameworks, policy development, and organizational change management for AI adoption
  • AI Risk Management: Threat modeling for AI systems, vulnerability assessments, incident response for AI-related breaches, and risk quantification methodologies
  • AI Technologies and Controls: Technical security controls for machine learning pipelines, AI system architecture security, monitoring and logging for AI applications, and emerging AI security tools

Domain-Specific Learning

Consider focusing your CPE hours on areas where you need the most development. If you struggled with Domain 3 during initial certification, dedicating extra CPE hours to AI Technologies and Controls can strengthen your expertise.

Documentation and Reporting

All CPE activities must be properly documented with evidence of completion, learning objectives, and relevance to AI security management. ISACA may audit recertification applications and request supporting documentation for any claimed CPE hours.

Required documentation includes certificates of completion, detailed agendas showing AI-specific content, and personal statements explaining how the activity relates to your role as an AI security management professional. Maintaining organized records throughout the three-year cycle is essential for smooth recertification.

Recertification Costs

Understanding the full cost of maintaining AAISM certification helps professionals budget appropriately and may influence decisions about whether the certification provides sufficient ROI for their career goals.

  • Member 3-Year Maintenance: $60
  • Non-Member 3-Year Maintenance: $105
  • CPE Activity Costs: $500-2000

ISACA Maintenance Fees

The annual maintenance fee structure differs significantly based on ISACA membership status. Members pay $20 per year ($60 over three years) while non-members pay $35 per year ($105 over three years). The membership savings extend beyond AAISM to include discounts on training, conferences, and other ISACA certifications.

For professionals maintaining multiple ISACA certifications, membership becomes increasingly cost-effective. Many AAISM holders also pursue complementary certifications like CISA or COBIT, making the annual membership fee a worthwhile investment.

CPE Activity Expenses

The cost of earning required CPE hours varies dramatically based on chosen activities. Free options include webinars, industry articles, and some online training modules. Premium options include conference attendance, formal training courses, and university programs.

A typical three-year CPE budget might include:

  • Free Activities (10-15 hours): Webinars, white papers, industry publications - $0
  • Low-Cost Training (10-15 hours): Online courses, professional association events - $200-500
  • Premium Activities (5-10 hours): Conference attendance, intensive workshops - $1,000-3,000

Many employers support professional development expenses, particularly for certifications directly related to job responsibilities. The growing importance of AI security makes AAISM recertification costs easier to justify as a business expense.

Prerequisite Certification Costs

Remember that maintaining CISM or CISSP involves separate costs that must be factored into your overall certification budget. CISM annual maintenance fees range from $45-85 depending on membership status, while CISSP annual fees range from $85-125.

Hidden Cost Alert

Don't forget prerequisite certification costs when budgeting for AAISM maintenance. Failing to maintain your CISM or CISSP due to cost concerns will invalidate your AAISM certification regardless of CPE compliance.

Timeline and Deadlines

Proper timeline management is crucial for successful AAISM recertification. Unlike exam-based recertification where timing is flexible, CPE-based recertification involves specific deadlines that cannot be extended or modified.

Certification Expiration Dates

AAISM certifications expire exactly three years from the date of initial certification. For professionals certified in the inaugural August 2025 launch, certifications will expire in August 2028. There is no grace period - certifications that are not renewed by the expiration date become invalid immediately.

The three-year cycle begins on your certification award date, not the exam date. If you passed the exam in July 2025 but didn't complete the application processing until September 2025, your recertification deadline would be September 2028.

Recertification Application Timeline

ISACA recommends submitting recertification applications 60-90 days before your certification expiration date. This timeline allows for processing delays, potential documentation issues, and any necessary corrections to your application.

The recertification application period opens 120 days before your expiration date. Early submission is encouraged, particularly for professionals who have completed their CPE requirements ahead of schedule.

Timeline | Action Required | Status
120 days before expiration | Application period opens | Optional early submission
90 days before expiration | Recommended application deadline | Strongly recommended
60 days before expiration | Final recommended deadline | Minimum recommended
30 days before expiration | Last-chance submission | High risk
Expiration date | Certification becomes invalid | No extensions

CPE Accumulation Strategy

While the 10-hour annual minimum must be met each year, many professionals find it beneficial to front-load their CPE hours early in the certification cycle. This approach provides flexibility for unexpected career changes, personal circumstances, or shifts in available training opportunities.

A strategic approach might involve earning 15 hours in year one, 12 hours in year two, and 8-10 hours in year three (ensuring you still meet the 10-hour minimum). This schedule allows for reduced pressure during the final year while maintaining consistent professional development.

Approved CPE Sources

ISACA recognizes diverse CPE sources to accommodate different learning styles, schedules, and professional circumstances. Understanding approved sources helps maximize the value of professional development activities while ensuring compliance with recertification requirements.

Formal Education and Training

Structured educational programs offer the highest CPE value and often provide the most comprehensive coverage of AI security topics. These sources include university courses, professional training programs, and vendor-neutral certification courses.

Graduate-level courses in AI, machine learning, or cybersecurity can provide significant CPE hours if they include specific AI security content. A typical 3-credit university course might yield 10-15 CPE hours, potentially satisfying an entire year's requirement through a single activity.

Professional training companies increasingly offer AI security-specific programs designed explicitly for certification maintenance. These programs often align directly with AAISM domains and provide immediately applicable skills alongside CPE credits.

Maximum Learning Value

Choose CPE activities that align with your career goals and knowledge gaps. If you're weak in AI risk management concepts, focus CPE hours on Domain 2 topics to strengthen both your certification and professional capabilities.

Conference and Seminar Attendance

Industry conferences represent excellent CPE sources while providing networking opportunities and exposure to cutting-edge AI security research. Major cybersecurity conferences increasingly include dedicated AI security tracks that qualify for AAISM CPE credit.

Key conferences for AI security professionals include RSA Conference, Black Hat, DEF CON AI Village, and ISACA's own conferences. Smaller, specialized events focused on AI ethics, machine learning security, or sector-specific AI implementations also provide valuable CPE opportunities.

Conference attendance typically yields 6-8 CPE hours per day, making multi-day events efficient ways to accumulate significant CPE credits. Additionally, many conferences offer virtual attendance options that reduce travel costs while maintaining educational value.

Self-Study and Research Activities

Independent learning activities provide flexibility for busy professionals but require careful documentation to demonstrate AI security relevance. Acceptable self-study activities include reading industry publications, researching emerging threats, and analyzing case studies.

Professional publications like ISACA Journal, AI Security Research papers, and industry white papers qualify for CPE credit when they focus on AI security management topics. Reading activities typically qualify for 1 CPE hour per hour of documented study time.

Writing activities, including blog posts, research papers, or internal organizational reports on AI security topics, can also qualify for CPE credit. These activities demonstrate practical application of AI security knowledge while contributing to the broader professional community.

Professional Volunteer Activities

Contributing to professional organizations, industry working groups, or standards development committees provides CPE credit while advancing the AI security profession. These activities often yield higher CPE values due to their contribution to the broader professional community.

Volunteer teaching, mentoring, or speaking at professional events demonstrates mastery of AI security concepts while helping develop the next generation of professionals. Speaking engagements typically qualify for 2-4 CPE hours per presentation, depending on preparation time and complexity.

Recertification Application Process

The AAISM recertification application process is conducted entirely online through ISACA's certification management system. Understanding the process steps and required documentation helps ensure smooth application processing without delays or complications.

Online Application Portal

ISACA's certification portal provides a centralized location for managing all aspects of AAISM recertification. The system tracks CPE hours, maintains documentation, and facilitates the recertification application process.

The portal allows continuous CPE tracking throughout the certification cycle, eliminating last-minute scrambles to gather documentation. Regular updates to your CPE record help identify any gaps in required hours or documentation early enough to address them.

Login credentials for the portal are the same as those used for initial AAISM certification. If you've forgotten your credentials or experienced access issues, contact ISACA support well before your recertification deadline to avoid processing delays.

Required Documentation

Each claimed CPE activity must be supported by appropriate documentation that demonstrates completion and relevance to AI security management. Documentation requirements vary by activity type but generally include certificates of completion and detailed activity descriptions.

For formal training programs, required documentation includes course certificates, detailed syllabi showing AI security content, and attendance verification. Self-study activities require more extensive documentation, including reading lists, time logs, and personal learning summaries.

Conference attendance documentation should include registration confirmations, session agendas, and attendance certificates. If claiming CPE credit for specific sessions rather than general attendance, detailed session descriptions demonstrating AI security relevance are required.

Documentation Best Practices

Maintain organized records throughout your certification cycle. Create a dedicated folder (digital or physical) for all CPE documentation and update it immediately after completing each activity. This approach prevents last-minute documentation searches and reduces application stress.

Application Review Process

ISACA reviews all recertification applications to verify CPE compliance and documentation completeness. The review process typically takes 2-4 weeks but can extend longer during peak submission periods or if additional documentation is requested.

Applications may be selected for detailed audit, requiring submission of original documentation and detailed explanations of claimed activities. Audit selection is random but may be influenced by unusual CPE patterns or incomplete documentation.

If your application is approved, you'll receive confirmation and your new certification expiration date. If additional documentation or clarification is needed, you'll receive specific instructions for addressing any deficiencies.

Maintaining Prerequisites

The requirement to maintain active CISM or CISSP certification throughout the AAISM lifecycle creates additional complexity that must be carefully managed. Understanding the interaction between these certifications helps prevent inadvertent lapses that would invalidate your AAISM credential.

Certification Cycle Alignment

AAISM, CISM, and CISSP certifications operate on independent three-year cycles with different expiration dates and renewal requirements. Professionals must track multiple deadlines and ensure continuous compliance with all applicable requirements.

Consider creating a master calendar that tracks all certification requirements, deadlines, and CPE accumulation across all held certifications. This approach helps identify potential conflicts or resource constraints that might affect your ability to maintain all certifications simultaneously.

Some CPE activities may qualify for multiple certifications if they cover overlapping topics. AI security management training might qualify for both AAISM and CISSP CPE credits if it includes general cybersecurity principles alongside AI-specific content.

Dual CPE Strategy

Efficient professionals develop CPE strategies that satisfy multiple certification requirements simultaneously. This approach reduces the total time and cost investment required to maintain multiple credentials while ensuring comprehensive professional development.

For example, attending a conference on AI security governance might provide CPE hours for AAISM (AI-specific content), CISM (governance and management focus), and CISSP (security architecture content) if sessions are selected strategically.

However, be cautious about over-relying on dual-purpose activities. Each certification has specific focus areas and learning objectives that may not be fully addressed through shared CPE activities alone.

Activity Type | AAISM CPE | CISM CPE | CISSP CPE | Efficiency Rating
AI Security Conference | High | Medium | Medium | Good
General InfoSec Training | None | High | High | Poor for AAISM
AI Risk Management Course | High | High | Medium | Excellent
Technical AI Security Training | High | Low | Medium | Good

Emergency Contingency Planning

Develop contingency plans for situations where prerequisite certification might be at risk. If you're struggling to meet CISM or CISSP requirements due to career changes, health issues, or other circumstances, address these challenges before they affect your AAISM status.

Options for maintaining prerequisite certifications include emergency CPE activities, extension requests (where available), or temporary transition to different prerequisite certifications if you hold multiple qualifying credentials.

Remember that AAISM recertification cannot proceed if prerequisite certifications are not current, regardless of your AAISM CPE compliance. Prioritize prerequisite maintenance to protect your AAISM investment.

Consequences of Failed Recertification

Understanding the consequences of failed AAISM recertification helps motivate timely compliance and provides clarity about options if recertification challenges arise. The consequences are immediate and significant, affecting both professional credentials and career opportunities.

Immediate Certification Loss

AAISM certifications that are not renewed by the expiration date become invalid immediately with no grace period or provisional status. You cannot represent yourself as AAISM certified or use the certification in professional communications once it expires.

Employers, clients, and professional organizations may verify certification status through ISACA's online directory. Expired certifications are clearly marked, making it impossible to maintain the pretense of current certification status.

The immediate nature of certification loss means that career opportunities, project assignments, or professional responsibilities that require current AAISM certification become unavailable instantly upon expiration.

No Grace Period Warning

Unlike some professional certifications that provide 30-90 day grace periods, ISACA certifications expire exactly on the stated date with no extensions or provisional status available. Plan accordingly to avoid last-minute complications.

Reinstatement Options

ISACA provides limited options for reinstating lapsed AAISM certifications, but these options are restrictive and expensive compared to standard recertification. Reinstatement typically requires meeting all missed requirements plus additional penalties.

The reinstatement window extends for one year following certification expiration. During this period, lapsed certificants can potentially restore their certification by demonstrating compliance with all missed CPE requirements, paying reinstatement fees, and completing additional educational requirements.

After the one-year reinstatement window closes, the only option for regaining AAISM certification is retaking the complete examination process, including meeting current prerequisite requirements and paying full examination fees.

Professional and Financial Impact

The financial impact of failed recertification extends beyond the immediate cost of reinstatement or re-examination. Many professionals experience career disruption, reduced earning potential, and damaged professional reputation.

Organizations that require AAISM certification for specific roles may reassign responsibilities, reduce compensation, or even terminate employment if certification lapses. The significant salary premiums associated with AAISM certification can be lost immediately upon expiration.

Professional reputation damage may persist even after certification is restored. Clients, colleagues, and employers may question the commitment and professionalism of individuals who allow certifications to lapse, particularly in high-stakes fields like AI security management.

Prevention Strategies

The best approach to managing recertification consequences is prevention through systematic planning and early action. Develop personal systems that track requirements, deadlines, and progress throughout the certification cycle.

Set personal deadlines that are 6-12 months ahead of official ISACA deadlines to provide buffer time for addressing unexpected challenges. This approach allows time to resolve documentation issues, complete additional CPE hours, or address prerequisite certification problems.

Consider professional development as an ongoing investment rather than a three-year sprint. Consistent annual progress toward CPE requirements reduces stress and improves the quality of professional development activities.

What happens if my CISM or CISSP expires before my AAISM recertification?

Your AAISM certification becomes invalid immediately if your prerequisite CISM or CISSP certification expires, regardless of your AAISM CPE compliance status. You must maintain active prerequisite certification throughout the entire AAISM lifecycle.

Can I use the same CPE hours for multiple certifications?

Yes, CPE activities that cover overlapping topics can often qualify for multiple certifications. However, each certification has specific requirements and focus areas, so ensure activities truly meet the criteria for each certification you're claiming credits toward.

How much do employers typically contribute to AAISM recertification costs?

Employer support varies widely, but many organizations support certification maintenance for job-relevant credentials. Given the growing importance of AI security, many employers view AAISM recertification as a worthwhile business investment and may cover CPE activities, conference attendance, or maintenance fees.

What qualifies as "AI-specialized" content for CPE purposes?

AI-specialized content must directly relate to artificial intelligence security management topics. General cybersecurity, project management, or leadership training doesn't qualify unless specifically focused on AI applications. Content should align with AAISM's three domains: AI Governance, AI Risk Management, and AI Technologies and Controls.

Is there a minimum number of different CPE activities required?

ISACA doesn't specify a minimum number of different activities, but obtaining all 30 CPE hours from a single source isn't recommended. Diversifying your professional development through multiple activities, formats, and sources provides better learning outcomes and reduces audit risk.

Can I start earning CPE hours immediately after initial certification?

Yes, you can begin accumulating CPE hours immediately after receiving your AAISM certification. Many professionals start their CPE activities right away to spread the workload evenly across the three-year cycle and provide buffer time for unexpected circumstances.
