CERTIFIED INFORMATION SYSTEMS AUDITOR (CISA)

As a Certified Information Systems Auditor (CISA), you're tasked with tremendous responsibility: they audit, control and provide security of information systems for a multitude of industries throughout the business and IT sectors.

In order to call yourself a CISA, you must earn the credential through ISACA, formerly known as the Information Systems Audit and Control Association. Formed in 1967, the association now claims over 170,000 members worldwide in over 220 chapters.

As an educational resource, ISACA publishes a regular journal and maintains databases of research and other documents to help cyber security professionals stay at the front of the industry—and their specialty. They also offer several cyber certification programs, one of which is the CISA.

What is a CISA?

The CISA certification is a popular mid-career credential for IT professionals. According to their exam candidate guide, the CISA credential is designed for, "IT/IS auditors, control, assurance and information security professionals." If this sounds like you, you may want to consider adding this esteemed certification to your resume. 

"Current CISA holders have shared their involvement in areas other than audit," wrote Robin Lyons, the IT Audit Professional Practices Principal at ISACA. "In addition to conducting audits, these IT auditors are involved in risk, governance and cyber security. Their involvement in cyber security from an audit perspective gives them knowledge of IT risks, operations, and insight into best practices, all of which provide a foundation in cyber security that can lead to roles specializing as a cyber security auditor or branching out into IT operations."

Benefits of becoming a CISA

Certifications like CISA are tremendously important in the IT industry.

"IT certifications are an objective demonstration of knowledge and capabilities and benefit both individual and the market," Lyons said. "IT certifications allow individuals to benchmark their career achievements with those of their peers. On the flip side, certification programs developed and accredited by ISO 17024 provide an attestation for employers or future employers to align skillsets with position expectations."

Many employers require their cyber security positions to have a particular certification, but the CISA certification could provide numerous other benefits even if it's not an employer requirement, such as:

• Increased recognition of your skills and credibility as a cyber security auditor
• Expanded career and job opportunities available to you
• Increased earning potential (see our cyber security salary guide for comparisons)

"Looking at other certifications, CISA stands apart because of its two-pronged coverage of audit technique (for example, audit planning and audit project management) as well as topical areas that are so relevant for auditors such as information systems operations and resilience," Lyons said.

---

---

CISA certification requirements

In order to earn the CISA certification, you must complete two primary steps: fulfill the experience requirement and pass an exam. The experience requirement consists of having five or more years of experience in IS/IT auditing, control, assurance or security, though waivers are available in some cases for up to a maximum of three years. What's unusual about the certification is that you do not need to complete the experience requirement before sitting for the exam—you can complete these steps in any order.

"Skills and knowledge in performing assessments and conducting IT audits from planning through fieldwork to reporting provide a strong foundation for exam candidates. So, mid-career practitioners may most readily leverage the CISA certification to demonstrate that proficiency," Lyons said. "The ability to complete the CISA certification's requisite work experience either before or after passing the exam, however, positions CISA to meet candidates at any point of their career journeys."

After you pass the test and complete the experience requirement, you must submit an application for the credential and pay the applicable fee. The application includes an experience verification form that must be signed by your managers/supervisors attesting to the experience requirement.

In addition, all CISA applicants must do the following as part of the application process:

• Adhere to the ISACA code of professional ethics
• Adhere to the continuing professional education (CPE) policy, which ensures that you continue to develop as a professional
• Comply with the auditing standards of ISACA and of all CISA holders

CISA certification exam

The CISA certification exam is four hours (240 minutes) long and consists of 150 multiple-choice questions. It is a computer-based exam that can be taken at an authorized testing center or as a remotely proctored exam.

The CISA exam tests applicants on the following five core domains:

Section	% of Exam	What It Will Test
Information systems auditing process	21%	Your credibility to offer conclusions on the state of an organization's IS/IT security, risk and control solutions.
Governance and management of information technology	17%	Your ability to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.
Information systems acquisition, development and implementation	12%	Your competency in IT controls and your understanding of how IT relates to business, specifically with IS acquisition, development and implementation.
Information systems operations and business resilience	23%	Your competency in IT controls and your understanding of how IT relates to business, specifically with IS operations and business resilience.
Protection of information assets	27%	Your understanding of the principles, best practices and pitfalls of cyber security.

Preparing for the exam

ISACA has numerous study materials available for purchase to help applicants prep for the exam, including study manuals, self-paced review courses and practice questions.

"I am a big proponent for candidates identifying what works for them," Lyons said. "To get to that, candidates should first acknowledge what study approach works best. If a candidate is more productive with self-study, leverage that and approach the exam that way. For those candidates who work well in a group environment, an in-person approach may work best for them. In addition to self-study versus group, candidates should be honest and select an approach that works with their levels of discipline. A procrastinator may not fare as well using self-study just because structured study may be needed to stay on track."

When it comes time to take the exam, consider these test-taking tips to increase your chances of success:

1. Study in small bursts leading up to the exam: Studies show that studying in smaller, more frequent increments leads to greater long-term retention when compared to cramming (studying nonstop in the day or two before an exam).
2. Answer what you know first: It's a good idea to skip questions that you aren't sure about and then go back and address them once you've answered everything you know.
3. Don't leave any questions unanswered: On the CISA exam, you are not penalized for wrong answers. You are scored solely on the number of questions answered correctly. Therefore, you should not leave any questions unanswered.
4. Budget your time: You have about one and a half minutes to answer each question within the time allotted. Keep this in mind as you take the test and budget your time accordingly.

Exam scoring and retake policy

ISACA exams are scored on a scale of 200 (lowest score) to 800 (highest score). You must receive a score of at least 450 to pass.

If you don't pass on your first attempt, you can retake the test up to three more times within one year of the first attempt. You must pay the exam fee each time you retake the test.

CISA certification renewal

Once you've earned your CISA certification, you must follow the CISA continuing professional education (CPE) requirements to maintain your certification:

• You must complete at least 20 CPE hours each year and report these hours when you renew your certification annually. You must pay an annual CPE maintenance fee as well.
• Every three years, you must complete and report at least 120 total CPE hours for the three-year reporting period.
• You must respond and submit required documentation of CPE activities if selected for an annual audit.
• Certificate holders must comply with ISACA's code of professional ethics.

If you fail to comply with these requirements, your CISA certification may be revoked.

CISA certification cost

The cost to take the CISA certification exam depends on whether you are a member of ISACA. The registration fee is $575 USD for members and $760 for nonmembers. If you decide to utilize any of ISACA's study materials to prepare for the test, these items must be purchased as well. 

Salary and job opportunities for CISA professionals

A CISA certification can be applied to numerous different jobs in the fields of IS/IT, cyber security and beyond. Here are just some jobs that you may qualify for with a CISA certification, or that could benefit from a CISA certification if you don't already have one:

Ready to get started?

If you currently work in the field as an IS auditor, or are envisioning IS auditing as a career, consider taking the CISA exam and enhancing your career with this potent credential. Every resume in the IT/IS field needs to reflect continual growth in terms of learning and knowledge, and the CISA certification provides assurance that your work adheres to high standards. Consult ISACA's website today and start on the road to the next level of your career.