Certified Information Systems Auditor (CISA) Guide and Licensing

Learn What a Cyber Systems Auditor Does, the Requirements Needed and Job Growth

Certified Information Systems Auditor, or CISA, is one of the most widely recognized designations for information systems professionals. The certification is designed to help IS and IT auditors and other information security professionals advance their careers. It signifies experience and competence in IS auditing, and as such, candidates must meet specific experience criteria before they can be certified (the exam itself can be taken first, with the experience documented afterward).

Information systems pros just graduating from a program must first gain hands-on auditing experience before they can realistically pursue the CISA credential. Here, we'll go over what IS pros need to know about becoming CISA-certified from requirements to the exam, ethics code, and more. Read on to see what it takes, how much it costs, and why you might want to pursue this path.

Why Earn the CISA Certificate?

This certification is an internationally recognized designation that meets global security and IT auditing standards. So, naturally, it comes with a certain level of prestige, not unlike attending a top-ranked school or earning an advanced degree.

According to the ISACA website, the CISA credentialing process aims to help professionals develop the skills and best practices that represent the building blocks of success in this field, offering a global standard for measuring proficiency. Being CISA certified also makes it easier for systems auditors to find work. It gives employers assurance that candidates possess the expertise, skills, and knowledge that organizations depend on to keep data safe and secure.

Key benefits of the certification include the following:

  • Validates professional experience and expert knowledge
  • It offers global recognition as an IS audit professional
  • Increased value to an organization
  • Gives job seekers a competitive advantage over non-CISA peers

Who Offers CISA Certification?

While this particular credential isn't the only professional certification option for IS/IT auditors, the CISA is the most recognizable designation in the field. ISACA is the only organization that offers the CISA certification, though its exam partner runs testing centers all over the world.

ISACA was originally the Information Systems Audit and Control Association, though the organization now goes by the acronym alone. It's a global non-profit that offers practical guidance, ongoing education, and other resources to IT professionals looking to advance their careers. The ISACA website also provides a wealth of information to prospective CISA candidates, covering everything from testing, preparation, and prerequisites, to prep courses and interactive training tools.

ISACA members receive benefits, including:

  • Events and training available at 200+ ISACA Chapters
  • Access to IT Audit Leaders and CISO Forums
  • Free webinars
  • Conference registration discounts
  • Career coaching, tools, and access to professional development resources
  • Professional and industry advocacy
  • 25% discounts on CISA, CISM, CRISC, and CGEIT exam registrations
  • 72 hours of free continuing professional education
  • Member discounts on ISACA publications and research

Keep in mind, ISACA also offers the CRISC, CISM, and CGEIT certifications. As such, you'll want to look over your options to see if the CISA is the right fit for your career goals.

How to Get Certified

Getting your CISA certification isn't a decision you should take lightly. You'll need several years of experience, education, and demonstrated competency in the field. You'll also need to pass an exam and, long-term, will need to meet continuing education requirements to maintain your certification. Below, we've outlined what prospective CISAs need to know before they apply for certification.

Work Experience

Before you can be certified, you'll need at least five years of professional work experience in information systems auditing, control, or security. Alternatively, if you have relevant education or related work experience, you may be able to use it to waive up to three of those five years.

Here's a quick look at the substitutions ISACA accepts toward that requirement:

  • One year of general information systems experience, or one year of auditing experience outside the IS field, can substitute for one year of the requirement
  • A two- or four-year degree (60 to 120 completed university semester credit hours) can substitute for one or two years respectively; unlike work experience, a degree is not subject to the ten-year window described below
  • A master's degree in information security or information technology from an accredited university can substitute for one year of experience
  • Two years as a full-time university instructor in a related field (for example accounting, computer science, or information systems) can substitute for one year of experience

Keep in mind that, while you'll submit your experience verification with your certification application after you pass the exam, ISACA recommends fulfilling the experience requirement before sitting for it. Qualifying experience must have been gained within the ten years before you apply for certification or within five years after passing the exam, so there's ample time to tie up any loose ends.

Taking the Exam

The CISA exam consists of 150 multiple-choice questions covering five domains. Test-takers have four hours to complete it.

Each of the five domains covers an area of what you can expect to do on the job, and per the ISACA website, the exam is weighted as follows:

  • Domain 1 – Information System Auditing Process (21%)
  • Domain 2 – Governance and Management of IT (17%)
  • Domain 3 – Information Systems Acquisition, Development, and Implementation (12%)
  • Domain 4 – Information Systems Operations and Business Resilience (23%)
  • Domain 5 – Protection of Information Assets (27%)

How Do You Sign Up?

To sign up for the exam, head over to the ISACA website and check the exam schedule. Candidates can register at http://www.isaca.org/examreg and from there will be prompted to follow these steps:

  • Fill Out the Application: The registration form does require quite a bit of information, so you’ll need to be prepared to provide your professional history, references, and educational background, much like a job application.
  • Indicate Preferences: Next, you’ll be directed to the registration screen where you’ll indicate any exam preferences such as any disability accommodations, or whether you’d like to authorize the release of information to your ISACA chapter.
  • Review: Confirm all information is correct and add to cart.
  • Pay for the Exam: Members pay $575 while non-members pay $760, and upon checkout you’ll also have the option to pay for membership and purchase study aids to help you prepare. You can opt to either pay now or pay later, but keep in mind, you will not be able to schedule the exam until the organization receives your payment and your 365-day eligibility period begins from the time you register, not the day you make a payment.
  • Next Steps: After making the payment, you’ll receive a confirmation email. If you opt to pay later, you’ll get an email reminder with additional instructions.

To schedule the exam:

  • Log into your MyISACA account and select the Certifications & CPE Management tab from the lower left-hand corner.
  • Click “Schedule Your Exam” and you’ll be taken to the PSI scheduling platform, where you’ll again click “Schedule Exam.”
  • Choose your language preferences and location to view available dates and times.
  • Book an exam, review details, and select “continue.”
  • You should see a success pop-up that confirms your registration. Click close to view your schedule details; you'll also have the option to reschedule or print confirmation details.

How is the CISA exam proctored?

ISACA works with a partner organization, PSI, that administers exams to CISA candidates from all over the world. Test-takers have the choice of taking the exam in a testing center or at a remote kiosk. The breakdown is as follows:

  • Testing Center - Exams are administered live in a computer lab setting where proctors monitor multiple candidates.
  • Remote Kiosk - A self-service option where test-takers sit at an individual workstation to take the exam. Remote proctors verify candidates' identities and monitor the session via three digital cameras, chat, and a microphone that allows test-takers to ask questions.

How Do You Prepare for the Exam?

The exam is four hours long and is structured as follows:

  • All questions are designed with one best answer
  • Every question has a stem (question) and four options (answer choices)
  • Choose the correct or best answer from the options
  • Stems might come in the form of a question or a fragment
  • In some cases, you'll be presented with a scenario, which includes a description of the situation and several questions you'll answer based on the information provided

ISACA offers preparation courses, as well as study guides and prep materials you can use to prepare on your own. Additionally, CISA candidates may be able to enroll in a local prep course through a university or another professional association.

Code of Professional Conduct/Ethics

According to the ISACA website, all certified professionals must adhere to the ISACA Code of Professional Ethics, which lays out the ethical responsibilities the organization expects from those carrying the CISA certification.

Here is a quick rundown of what that entails:

  • Support the implementation of, and encourage compliance with, appropriate standards and procedures for the governance and management of enterprise information systems, including audit, control, security, and risk management
  • Perform duties with objectivity, due diligence, and professional care, in accordance with professional standards
  • Serve the interests of employers and clients in a lawful manner, while maintaining high standards of conduct and character
  • Maintain the privacy and confidentiality of information obtained in the course of their work, unless disclosure is required by legal authority
  • Never use such information for personal benefit or release it to inappropriate parties
  • Maintain competency in their field and undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge, and competence
  • Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, could distort the reporting of the results
  • Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology

CISA holders who fail to follow the Code of Professional Ethics may become the subject of an investigation and, if necessary, face disciplinary action or loss of certification.

Continuing Professional Education

Beyond gaining the required work experience and passing the exam, CISA-certified professionals must also complete a minimum of 20 hours of continuing professional education (CPE) each year, and at least 120 hours over each three-year reporting cycle. According to ISACA, the goal of continuing education is to ensure that CISAs keep pace with changes in the IS and IT landscape, provide leadership to their teams, and add value to their organizations.

To maintain certification, you'll also need to pay an annual maintenance fee, due on January 1st of each year. Alternatively, CISAs have the option to pay for three years up front.

Advantages to CISA Certification

The main reason that information systems auditors choose to get this certification is that it improves job prospects. CISA certification signals competence and expertise to employers, many of which list it as a requirement for IS audit roles. For auditors, the certification also drives skills development, both while preparing for the exam and over the long term, since ISACA requires CISAs to complete continuing education every year.

Key advantages:

  • Improves information auditing skills
  • Opens the door to more career opportunities
  • Demonstrates expertise
  • Globally recognized credential

The CISA represents a global standard of IT competence and professionalism that can help professionals communicate their expertise by adding a few extra letters to their email signature.

Typical CISA Responsibilities & Duties

The CISA credential recognizes individuals who are skilled in auditing, control, and assurance of enterprise IT systems. In terms of daily tasks, IT auditors examine systems, controls, and records to detect and prevent fraud, unauthorized spending, and non-compliance. Auditors report their findings to the organization's leaders and make recommendations for corrective action.

Critical skills for CISA pros:

  • Gather data, compile information, and prepare reports
  • Perform audits and quality reviews on systems, databases, data management, programming workflows, and development processes
  • Implement and maintain controls, governance, and security best practices

Careers and Salaries for CISA Certified Professionals

According to Payscale, the average CISA earns about $100,000 annually, though compensation varies considerably based on where you work, how much experience you have, and other factors. That said, many IT/IS jobs hover around the $60-65k range, so earning the credential can help you bring home higher paychecks than you would without the designation. Keep in mind that CISA certification isn't just for auditors.

Here are some additional roles where earning the credential can serve you well:

  • Internal Auditor
  • Public Accounting Auditor
  • IS Analyst
  • IT Audit Manager
  • IT Project Manager
  • IT Security Officer
  • Network Operation Security Engineer
  • Cybersecurity Professional
  • IT Consultant
  • IT Risk and Assurance Manager
  • Privacy Officer
  • Chief Information Officer

With security breaches and cyber-attacks on the rise, the need for competent auditors is growing. According to the United States Department of Labor, IS analysts and similar professionals are in high demand, and it projects that this trend will continue over the long term.

For those pursuing IS/IT careers, it's worth mentioning one last time, CISA-certified auditors have an advantage over candidates without the credential. Bottom line: CISAs stand to set themselves on the path for a stable, well-paid career if they're willing to do the work.

Cyber Security Careers and Jobs

Chief Information Security Officer (CISO)

These executives oversee information systems and company-wide information security, as well as all departments associated with these systems.

Chief Security Officer (CSO)

These executives deal with information and physical security systems, controlling database and facility entry and all departments that deal with security and surrounding policies.

Chief Technology Officer (CTO)

This executive deals with technology development and implementation. They receive company-wide reports on the use and effectiveness of technology.

Computer Forensics Investigator

Computer forensics investigators recover and analyze evidence from computers, storage media, and web-based applications. This is done in support of legal proceedings after a crime has been committed, or to help a company determine how a breach occurred and what was affected.

Cryptographer

Cryptographers design and analyze the algorithms and protocols that protect data. They may be called on to break weak or misused encryption, for example when recovering evidence after a crime, and they work to create stronger encryption for networks and data storage.

Incident Responder

Incident responders work with companies or governments to respond quickly after a possible threat has been detected. They determine whether the alert represents a real incident, contain it, trace it to its source, and establish how the intrusion occurred.

Penetration Tester

Penetration testers simulate attacks against systems, with the owner's authorization, in an attempt to break in. By doing so, they reveal the weak points of a security system so that those points can be fixed before a real attacker finds them.

Risk Analyst

Risk analysts identify and assess the systems, procedures, and threats, including malware, that could cause unintended negative outcomes such as outages, data loss, or system slowdowns. They help prioritize those risks and create procedures to address problems quickly if they do occur.

Security Administrator

Administrators are responsible for dealing with all security and safety issues. They may create procedures or policies in order to maintain security company-wide.

Security Analyst

Security analysts monitor company networks and fix security issues that come up during normal operation. They also identify threats and neutralize them as quickly as possible.

Security Architect

This position requires you to choose or design security elements, whether hardware components that become part of the system or the software and network design that controls access to all the company's data.

Security Auditor

These specialists may be kept on retainer or brought in after changes are made to a system. They provide a system-wide audit to make sure there are no chinks in the armor of the network or system.

Security Consultant

Security consultants devise plans for a company should they experience an incursion or help companies that are just getting started set up their security system from the ground up.

Security Director

The director of security helps create and review all policies and procedures related to security. They also ensure compliance with local or federal laws related to security concerns, such as the safety of patient data.

Security Engineer

A security engineer is responsible for building and maintaining systems that improve their company's security, and for fixing any issues turned up by a security audit or an intrusion.

Security Manager

These managers oversee security staff on a day-to-day basis, making sure staffing is steady and all issues are dealt with and reported to the highest-level security professional in the company.

Security Software Developer

Specializing in security software solutions, they create software for individuals to use on home computers or advanced solutions meant for multi-billion-dollar industries or even government agencies.

Security Specialist

This is an entry-level position in which a specialist may monitor or troubleshoot system or network issues. They may perform basic test procedures, reporting all activity and feedback to their manager.

Vulnerability Assessor

These specialists test systems for vulnerabilities, much as penetration testers do. Rather than exploiting those weaknesses, however, they identify, catalogue, and rate the vulnerabilities in applications, software, and infrastructure so they can be prioritized for remediation.
