The Certified Information Systems Auditor (CISA) certification is a globally recognized certification focusing on the audit, control, and security of information systems (IS). It is a highly respected certification in the fields of IT security, audit, risk management, and governance. In order to secure this certification, you must satisfy the CISA requirements. Use this information to learn what those requirements are and to determine your CISA eligibility.
ISACA, the organization that created the CISA, explains that they will award the certification to individuals with an interest in Information Systems auditing, control, and security once those individuals fulfill the following requirements:
You do not have to pass the CISA exam before you meet the work experience requirements, but most candidates do. And you must have passed the exam and acquired work experience before you can receive the CISA certification, no matter the order in which you accomplish these tasks.
Then, once you have earned the CISA certification, you must do the following to maintain it:
As you can see, the CISA certification requirements are not very complicated. But, as is the case with any certification, meeting them involves time, effort, and money. You can decide if the commitment is worth it by learning more about each of these requirements.
As mentioned, the requirements for earning the CISA certification are passing the CISA exam, accumulating work experience, and submitting the CISA certification application.
The CISA requirement that most candidates satisfy first is the exam requirement. To meet this requirement, you must pass the CISA exam.
But which requirements must you meet for CISA exam eligibility? Although the CISA certification itself has requirements like many other certifications, the CISA exam is unusual in that you do not have to meet any prerequisites to sit for it.
Yes, it’s true: ISACA does not have any CISA exam eligibility requirements. All ISACA expects of CISA exam candidates is that they have an interest in IS auditing, control, and security.
However, ISACA has designed the CISA exam to test your knowledge of information systems and information technology audit, control, assurance, and security at a deep level. Therefore, passing the exam requires a significant amount of familiarity with these areas, as the CISA exam syllabus shows.
The purpose of the CISA exam is to test candidates on the same tasks they will perform in professional IT positions. Therefore, the CISA exam divides those tasks into five different domains. These domains are:
As you can see, domains 4 and 5 represent more than half of the overall syllabus. For this reason, you must commit a lot of study time to these domains. However, you cannot neglect the other domains, as they are also very important.
The CISA exam consists of 150 multiple-choice questions, and you have 4 hours (240 minutes) to answer them. Your raw score is converted to a scaled score between 200 and 800 for your final CISA exam result.
You can also take the CISA exam in one of the following languages:
In order to obtain your CISA certificate, ISACA also requires you to have at least 5 years of experience in professional information systems auditing, control, or security. Work experience qualifies if your day-to-day activities involve completing tasks listed under at least one CISA job practice domain area. ISACA lists all the CISA certification job practice domains on their website. Furthermore, ISACA updates their job practice analysis periodically to ensure the CISA exam content directly relates to the tasks candidates will do with the CISA certification.
You must accumulate your 5 years of work experience within the 10-year period before you apply for CISA certification or within 5 years of passing the CISA exam. And once you pass the CISA exam, you have 5 years to apply for the certification.
As mentioned, most people obtain their work experience after they pass the CISA exam, but you do not have to do this. If you come to the CISA certification process with IS experience already on your resume, then you’re simply ahead of the game. And you will probably have an easier time passing the CISA exam.
What’s more, you do not have to work at the same job for 5 years to fulfill the CISA work experience requirements. Instead, you can amass your experience in a few different ways because ISACA has implemented some substitutions and waivers for CISA work experience.
To help candidates meet the CISA work experience requirements, ISACA allows candidates to substitute up to 3 years of the CISA work experience requirement’s 5 years with the following substitutions:
Furthermore, you can also use these educational credits to waive 1 year of relevant CISA work experience:
Additionally, you can employ these degrees/programs to waive 2 years of relevant CISA work experience:
Finally, you can use a master’s degree (post-grad degree) in information systems or a related field to waive 3 years of the CISA work experience requirement.
If you have obtained other degrees, qualifications, or credentials with a significant IS auditing, control, assurance, or security component, you can submit your case to the CISA Certification Committee for consideration.
The final step in fulfilling the CISA work experience requirements is completing the CISA experience verification form. ISACA expects a supervisor or manager with whom you have worked to independently verify your work experience. Your verifier cannot be part of your immediate or extended family, nor can they work in the HR department.
Verifiers must fill out the CISA experience verification form and return it to the candidate to include with their CISA certification application.
After you’ve passed the CISA exam and fulfilled the work experience requirements, all you have left to do is complete and submit the CISA application for certification. And, as mentioned, you must submit the CISA application within 5 years of passing the CISA exam.
You’ll find the CISA certification application on ISACA’s website. From there, you can save it to your computer to fill it out electronically or print it out and fill it in by hand. Then, you can upload and submit your application, any additional verification forms needed (such as the CISA experience verification form), and any supporting documents online at ISACA’s support website. You will also need to pay the $50 application processing fee at this time. This fee is a one-time, non-refundable payment.
ISACA’s processing of your application can take anywhere from 2 to 3 weeks. Decisions on applications are not final, as ISACA has established an appeal process for certification application denials. If you would like to learn about the appeal process in the event that ISACA denies your application, you can email firstname.lastname@example.org.
If ISACA approves your application at the end of the processing period, they will notify you of the approval by email. They will also send a certification packet to the primary address in your ISACA profile. This packet contains a letter of approval, a CISA certificate, and a metal CISA pin. Delivery of this packet could take 4 to 8 weeks. But once you get it, you’ll officially be a CISA!
Again, after you receive the CISA certification, you must uphold ISACA’s Code of Professional Ethics, meet the Continuing Professional Education program requirements, and follow the Information Systems Auditing Standards.
ISACA members and CISA certification holders must agree to allow the ISACA Code of Professional Ethics to guide their professional and personal conduct. Failure to adhere to the code may lead to an investigation into your conduct and, if necessary, disciplinary action.
ISACA has established the Code of Professional Ethics in order to ensure that the professional and personal conduct of its members and certification holders meets certain ethical standards.
The code states that “Members and ISACA certification holders shall:
Like many professional accounting certification administrators, ISACA expects its CISA certification holders to meet continuing professional education (CPE) requirements on an annual basis in order to maintain their certified status. ISACA explains that the goals of the CPE program include:
Furthermore, ISACA believes that successfully complying with the CPE policy better trains CISA certificate holders to assess information systems and technology and provide leadership and value to the organizations for which they work.
Therefore, in the hopes of fulfilling these goals, ISACA has set the CISA CPE quota at a minimum of 20 contact hours of CPE per year. The CPE hours you earn must help you preserve or advance your knowledge or abilities to carry out CISA-related tasks. Additionally, you can use the same CPE hours to fulfill the CPE requirements of more than one ISACA certification if those CPE hours increase job-related knowledge for each certification.
The annual reporting period for CPE starts on January 1 of each year. And when you report your CPE, you must also pay the annual CPE maintenance fees to ISACA international headquarters. The annual ISACA CPE maintenance fee is $45 for members and $85 for non-members.
What’s more, you must also attain and report a minimum of 120 contact hours of CPE for a 3-year reporting period. You must renew your CISA certification every 3 years, and the dates of your 3-year verification period vary. You will see the dates for your certification period on each annual invoice and on the letter confirming your annual compliance.
However, when you first earn the CISA certification, your annual CPE reporting period and your 3-year certification period will begin on January 1 of the following year. You don’t have to report any CPE hours you acquire during the year of your certification, and if you do earn any CPE during this time (from the date of your certification until December 31), you can report them during your first reporting period.
If you properly report the required number of CPE hours and pay the annual maintenance fees on time, ISACA international headquarters will send you a letter of confirmation. This letter will reveal the number of CPE hours
Consequently, you must check to ensure that these numbers are correct and inform ISACA international headquarters if your letter contains errors or omissions.
If you do not comply with the CISA CPE certification requirements, ISACA will revoke your CISA certification. In that case, you must destroy your CISA certificate immediately.
ISACA has specified that activities that qualify as CISA CPE courses include technical and managerial training applicable to information systems or audit, control, security, or managerial skills. This training does not include training in basic office productivity software such as Microsoft Word or Excel.
These activities and their ISACA-provided definitions include:
ISACA awards 1 CPE hour for each 50-minute increment of active participation in a qualifying ISACA or non-ISACA professional educational activity or meeting. These 50 minutes exclude lunches and breaks. However, you can also earn CPE hours in quarter-hour (15-minute) increments, rounded to the nearest quarter-hour.
Normally, ISACA takes your word for it when you report CPE credit hours. However, ISACA occasionally conducts audits of CISA CPE credits.
So, if ISACA audits you, you must supply written evidence of all the CPE activities you previously reported that meet ISACA’s descriptions of qualifying professional education activities.
For this reason, you should retain documentation of the CPE you earned, such as letters, certificates of completion, attendance rosters, verification of attendance forms, and other independent attestations of completion, for 12 months after the end of each 3-year reporting cycle. Each record should at least include the following:
You must send ISACA copies of the supporting documentation of your CPE. Then, the CISA Certification Committee will decide how many hours to accept for each activity.
If you don’t comply with the audit, ISACA will revoke your CISA certification. In this case, you won’t be able to present yourself as a certified individual. Also, requests for confirmation of your certification will report that ISACA has revoked your CISA certification.
If ISACA revokes your certification due to a failure to comply with the CPE policy, you may appeal to ISACA for CISA reinstatement. To do so, you must write a letter to the Certification Working Group. Your appeal must contain a detailed explanation for your reinstatement request and CPE documentation from the cycle period since revocation to the current year. You can then submit your appeal to the Customer Experience Center.
If ISACA approves your appeal, you must pay any previous or current certification maintenance fees. And if you made the appeal more than 60 days after the revocation, you must also pay a $50 reinstatement fee.
If ISACA does not approve your appeal and you still want to return to active CISA certification status, you must re-take and re-pass the exam and re-apply for certification.
ISACA adjusts the CISA certification maintenance requirements for certification holders who are not active and are, therefore, either non-practicing or retired. The definitions of these two status options are:
If you are a non-practicing CISA, you must continue to pay the annual maintenance fees in order to sustain this status. However, you don’t need to meet the CPE requirements. You must be non-practicing for at least 1 year, but you can retain this status indefinitely. Your non-practicing status is effective on January 1 of the year for which you’re requesting the change.
If you’d like to return to active status after being non-practicing for less than 2 years, you must submit supporting documentation for 20 CPE credits that you earned within the past calendar year. If you’d like to return to active status after being non-practicing for more than 2 years, then you must submit supporting documentation for 120 CPE credits earned within the past 3 years. You must also report 1 year of work experience and have a manager, supervisor, or colleague sign the Verification of Work Experience Agreement section of the Certification Return-to-Active Application. Then, after returning to active status, you can’t enter non-practicing status again until after a full 3-year CPE reporting cycle is complete.
If ISACA grants you retired CISA status, you don’t have to obtain CPE hours. You also don’t have to pay the annual maintenance fees. However, your retired CISA status is permanent unless you re-take and re-pass the CISA exam and re-apply for certification. Following these steps is the only way to assume an active CISA status again.
Finally, the last item you must address to maintain your CISA certification is the Information Systems Auditing Standards requirement. To meet this requirement, you simply must agree to follow ISACA’s Information Systems Auditing Standards.
Though the CISA requirements are a bit involved, the benefits of the CISA certification make meeting these requirements completely worthwhile. What’s more, passing the CISA exam is one of the biggest CISA requirements, and you don’t have to do that alone. You can use a CISA review course to supplement the CISA review manual and give you the best chance at passing the CISA exam the first time. I’ve reviewed the best CISA courses on the market for you, so finding the right one for you will be easy!
Finally, you can also learn more about how to pass the CISA exam on your first try.
I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.