CERTIFIED INFORMATION SYSTEMS AUDITOR (CISA)
As a Certified Information Systems Auditor (CISA), you're tasked with tremendous responsibility: they audit, control and provide security of information systems for a multitude of industries throughout the business and IT sectors.
In order to call yourself a CISA, you must earn the credential through ISACA, formerly known as the Information Systems Audit and Control Association. Formed in 1967, the association now claims over 170,000 members worldwide in over 220 chapters.
As an educational resource, ISACA publishes a regular journal and maintains databases of research and other documents to help cyber security professionals stay at the front of the industry—and their specialty. They also offer several cyber certification programs, one of which is the CISA.
What is a CISA?
The CISA certification is a popular mid-career credential for IT professionals. According to their exam candidate guide, the CISA credential is designed for, "IT/IS auditors, control, assurance and information security professionals." If this sounds like you, you may want to consider adding this esteemed certification to your resume.
"Current CISA holders have shared their involvement in areas other than audit," wrote Robin Lyons, the IT Audit Professional Practices Principal at ISACA. "In addition to conducting audits, these IT auditors are involved in risk, governance and cyber security. Their involvement in cyber security from an audit perspective gives them knowledge of IT risks, operations, and insight into best practices, all of which provide a foundation in cyber security that can lead to roles specializing as a cyber security auditor or branching out into IT operations."
Benefits of becoming a CISA
Certifications like CISA are tremendously important in the IT industry.
"IT certifications are an objective demonstration of knowledge and capabilities and benefit both individual and the market," Lyons said. "IT certifications allow individuals to benchmark their career achievements with those of their peers. On the flip side, certification programs developed and accredited by ISO 17024 provide an attestation for employers or future employers to align skillsets with position expectations."
Many employers require their cyber security positions to have a particular certification, but the CISA certification could provide numerous other benefits even if it's not an employer requirement, such as:
- Increased recognition of your skills and credibility as a cyber security auditor
- Expanded career and job opportunities available to you
- Increased earning potential (see our cyber security salary guide for comparisons)
"Looking at other certifications, CISA stands apart because of its two-pronged coverage of audit technique (for example, audit planning and audit project management) as well as topical areas that are so relevant for auditors such as information systems operations and resilience," Lyons said.
CISA certification requirements
In order to earn the CISA certification, you must complete two primary steps: fulfill the experience requirement and pass an exam. The experience requirement consists of having five or more years of experience in IS/IT auditing, control, assurance or security, though waivers are available in some cases for up to a maximum of three years. What's unusual about the certification is that you do not need to complete the experience requirement before sitting for the exam—you can complete these steps in any order.
"Skills and knowledge in performing assessments and conducting IT audits from planning through fieldwork to reporting provide a strong foundation for exam candidates. So, mid-career practitioners may most readily leverage the CISA certification to demonstrate that proficiency," Lyons said. "The ability to complete the CISA certification's requisite work experience either before or after passing the exam, however, positions CISA to meet candidates at any point of their career journeys."
After you pass the test and complete the experience requirement, you must submit an application for the credential and pay the applicable fee. The application includes an experience verification form that must be signed by your managers/supervisors attesting to the experience requirement.
In addition, all CISA applicants must do the following as part of the application process:
- Adhere to the ISACA code of professional ethics
- Adhere to the continuing professional education (CPE) policy, which ensures that you continue to develop as a professional
- Comply with the auditing standards of ISACA and of all CISA holders
CISA certification exam
The CISA certification exam is four hours (240 minutes) long and consists of 150 multiple-choice questions. It is a computer-based exam that can be taken at an authorized testing center or as a remotely proctored exam.
The CISA exam tests applicants on the following five core domains:
|Section||% of Exam||What It Will Test|
|Information systems auditing process||21%||Your credibility to offer conclusions on the state of an organization's IS/IT security, risk and control solutions.|
|Governance and management of information technology||17%||Your ability to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.|
|Information systems acquisition, development and implementation||12%||Your competency in IT controls and your understanding of how IT relates to business, specifically with IS acquisition, development and implementation.|
|Information systems operations and business resilience||23%||Your competency in IT controls and your understanding of how IT relates to business, specifically with IS operations and business resilience.|
|Protection of information assets||27%||Your understanding of the principles, best practices and pitfalls of cyber security.|
Preparing for the exam
ISACA has numerous study materials available for purchase to help applicants prep for the exam, including study manuals, self-paced review courses and practice questions.
"I am a big proponent for candidates identifying what works for them," Lyons said. "To get to that, candidates should first acknowledge what study approach works best. If a candidate is more productive with self-study, leverage that and approach the exam that way. For those candidates who work well in a group environment, an in-person approach may work best for them. In addition to self-study versus group, candidates should be honest and select an approach that works with their levels of discipline. A procrastinator may not fare as well using self-study just because structured study may be needed to stay on track."
When it comes time to take the exam, consider these test-taking tips to increase your chances of success:
- Study in small bursts leading up to the exam: Studies show that studying in smaller, more frequent increments leads to greater long-term retention when compared to cramming (studying nonstop in the day or two before an exam).
- Answer what you know first: It's a good idea to skip questions that you aren't sure about and then go back and address them once you've answered everything you know.
- Don't leave any questions unanswered: On the CISA exam, you are not penalized for wrong answers. You are scored solely on the number of questions answered correctly. Therefore, you should not leave any questions unanswered.
- Budget your time: You have about one and a half minutes to answer each question within the time allotted. Keep this in mind as you take the test and budget your time accordingly.
Exam scoring and retake policy
ISACA exams are scored on a scale of 200 (lowest score) to 800 (highest score). You must receive a score of at least 450 to pass.
If you don't pass on your first attempt, you can retake the test up to three more times within one year of the first attempt. You must pay the exam fee each time you retake the test.
CISA certification renewal
Once you've earned your CISA certification, you must follow the CISA continuing professional education (CPE) requirements to maintain your certification:
- You must complete at least 20 CPE hours each year and report these hours when you renew your certification annually. You must pay an annual CPE maintenance fee as well.
- Every three years, you must complete and report at least 120 total CPE hours for the three-year reporting period.
- You must respond and submit required documentation of CPE activities if selected for an annual audit.
- Certificate holders must comply with ISACA's code of professional ethics.
If you fail to comply with these requirements, your CISA certification may be revoked.
CISA certification cost
The cost to take the CISA certification exam depends on whether you are a member of ISACA. The registration fee is $575 USD for members and $760 for nonmembers. If you decide to utilize any of ISACA's study materials to prepare for the test, these items must be purchased as well.
Salary and job opportunities for CISA professionals
A CISA certification can be applied to numerous different jobs in the fields of IS/IT, cyber security and beyond. Here are just some jobs that you may qualify for with a CISA certification, or that could benefit from a CISA certification if you don't already have one:
Cyber security auditor: A cyber security auditor is perhaps the most obvious career path for a CISA certified professional. They design and manage audits, interpret data from audit reports and then make recommendations to improve an organization's security system based on their findings.
Median annual salary for information security analysts: $112,000
Accountants and auditors: Many financial professionals such as accountants can benefit from a CISA certification because they frequently audit businesses. The auditing skills acquired from a CISA certification can be applied to numerous financial auditing positions.
Median annual salary for accountants and auditors: $78,000
Chief information security officer (CISO): As the senior professionals which oversee the security policies and procedures of an organization, CISOs may benefit from a CISA certification. The CISA certification validates a wide breadth of skills relevant to IS/IT security which a CISO may need or already possess.
Median annual salary for information systems managers: $164,070
Compliance officers: This general job title can be found in lots of different fields. Compliance officers make sure that a business or organization is compliant with all relevant laws and regulations, which requires adept auditing skills that may be verified by a CISA certification.
Median annual salary for compliance officers: $71,690
Ready to get started?
If you currently work in the field as an IS auditor, or are envisioning IS auditing as a career, consider taking the CISA exam and enhancing your career with this potent credential. Every resume in the IT/IS field needs to reflect continual growth in terms of learning and knowledge, and the CISA certification provides assurance that your work adheres to high standards. Consult ISACA's website today and start on the road to the next level of your career.