The easy way to CPD success

Every time Riskmonkey attends a gathering of IT auditors, one of the real irritants mentioned is CPD – continuing professional development. This is a nuisance for most professionals, almost all of whom spend far more time actually doing CPD activities than is required by their profession, but almost all of whom find it hard to verify that CPD at the end of the year.

It’s a particular problem for IT auditors though, as very few have just one qualification – true, some have none… but most have several. Not all require CPD – you can have sixteen degrees and do no CPD at all, but just one professional qualification and you can find yourself faced with more hoops to jump through than a prizewinner at a dog show.

Riskmonkey has not exactly sought out qualifications, but a typically varied career creates the need to comply with three separate CPD schemes.

Here’s Riskmonkey’s guide to making it easy.

1. Make a list

If you have to comply with more than one scheme, make a list. What are they, what are the requirements, what evidence is required, and when are the deadlines?

2. Create a folder

Electronic or physical doesn’t matter, but have a central repository for CPD evidence. When you attend a course, do a qualification, or make notes at a seminar – put a copy in the folder: certificates, agendas, training materials, notes.

3. Work out the requirements

Most schemes are to some extent complementary – evidence for one is evidence for the other. A three-day course on SQL Server security would be relevant to CISSP and CISA; a seminar on project management could be relevant to virtually any business or IT CPD scheme.

4. Make a plan

Different schemes have different requirements. If you aim to meet the most stringent, you should meet the rest. Riskmonkey has an accountancy qualification, along with CISA and CISSP to consider. Requirements vary from 20 hours a year of almost anything that can be evidenced, through to detailed restrictive requirements of 120 hours every 3 years. So, if I aim to verify 40 hours a year within those restrictions, I’ll be home and dry.

5. Look at what you already do

The easiest way to complete CPD requirements is probably a week-long training course in a relevant area every year. For most that’s just not realistic, so you need to find enough activity in the relevant categories. To be honest, if you’re not doing enough already, it’s probably time to retire. The question is – what do you do, is it valid, and can you evidence it?

For example:

  • Writing this blog counts as CPD. Depending on the scheme, either the full time spent counts or it is subject to a cap.
  • Attending work training courses and seminars. Done a course on leadership? Technical writing? Project management? All these could be relevant. Depending on who the CPD is for, even your company AGM might qualify. Most schemes are a little more restrictive, but if it’s relevant it will probably qualify. Keep the agenda, take notes of what was discussed, and add them to your folder – with a note of time spent.
  • Mentoring usually counts. This might be formal, but more likely you may help a colleague improve their skills in a particular area, offer advice and support for exams, or provide on the job training for junior colleagues.
  • Run training courses. Are you the in-house expert on secure firewall configuration, application security, or paperclip procurement? Share it with the team, and the time spent creating and giving your presentation may well qualify.
  • Do you attend local industry events? If you attend ISACA seminars, pop along to the odd BCS event, or, say, a managers’ forum – this could be valuable CPD.
  • Reading. So you’re not into hefty books and manuals? No problem. Do you spend time reading relevant blogs and web sites, supplier guidance, industry publications, ISO standards, ISACA guidance, IT magazines? Keep an eye on what you read and make a note of it. In some cases, such as ISACA’s in-house (if rather dry) journal, there’s a quick quiz to complete for CPD points. If you’re going to read it anyway, it’s worth a few minutes of your time.

6. Keep a record

If you keep a record of what you do, when you do it, it will be easy to fill in all those forms at the end of the year. Keep your list up to date, it only takes a moment.

7. Prepare in advance

A few months before the deadline, sit down and make sure you have enough. If you don’t, consider what you may have missed before undertaking additional work just for the CPD points.

If you do need more points, you’ll still have time to find some events to go to or a course to attend that will add to your competence as well as finding those points. Don’t forget, if you’re employed your employer should provide the time and support necessary to maintain your qualifications. If they don’t, it’s time for a chat with the boss.

8. Challenge it

If after all this you’re still finding it hard to complete your CPD returns, should you really have the qualification? Go back to that list of qualifications, whether it’s one, two, or ten. Ask yourself – do I really need this piece of paper? What does it do for me?



  1. Making sense of the ISACA certification minefield Part 2: Alternatives to ISACA | Palmer on Security - September 28, 2013

    [...] At the end of the day, few employers will value qualifications more than experience, so the main question is what gets you in the door. CISA, CISM and CISSP are generally most sought after in job ads - and most recognised by large companies and government bodies around the world. Unless you’re in public practice and selling your skills afresh on a daily basis to a different client, once you’re employed most certifications gather dust, so it’s worth asking whether you’ll learn something new from studying. Just remember they also gather CPD requirements! [...]
