CISA Requirements, Exemptions and Waivers


Are you looking for information on how to fulfill the CISA requirements for certification?

The Certified Information Systems Auditor (CISA) certification is a globally recognized credential focusing on the audit, control, and security of information systems (IS). It is a highly respected certification in IT security, audit, risk management, and governance, and there are requirements you must meet to obtain it.

You don’t need any qualifications to be eligible to sit for the CISA exam. However, to obtain the CISA certification itself, you must also meet the work experience requirements. CISA certification requires that you pass the CISA exam AND meet all of the work requirements; once both conditions are met, you can apply for certification.

You can take the exam first and accumulate the experience later, but bear in mind that the certification cannot be completed without the work verification. So, let’s look into this a bit more.

Become CISA Certified

First, to become CISA certified, there are four basic steps:

  1. Pass the CISA exam
  2. Complete an application
  3. Have your application reviewed
  4. Get approved

Of course, it’s not quite as easy as that sounds. There are certain CISA requirements that need to be met in order to get your application approved. That’s what we’re going to talk about here in this post. First, let’s look at the exam requirements.

CISA Exam Requirements

The CISA certification itself was launched in 1978. In the last decade alone, the number of ISACA members has quadrupled, and more than 27,000 IT professionals take the exam every year. The certification continues to grow in popularity and remains a standard in the industry.

So, what are the CISA exam requirements? As stated above, none. Anyone can take the exam. That’s right, there are no prerequisites for taking the exam.

However, there are CISA requirements to become officially certified and hold that coveted title.

To understand the CISA certification requirements, it first helps to know what is on the CISA exam.

What Material CISA Exam Covers

I’m not going into too much detail about what the CISA exam covers because we have several other posts on that topic. However, if you’re new here, it helps to know the basics. The CISA exam is designed to test candidates on the same tasks they perform in their professional IT audit positions.

Those tasks are grouped into five categories, called “domains”, based on the type of task.

The exam covers these five domains:

  1. The process of auditing information systems (21%)
  2. Governance and management of IT (16%)
  3. Information systems acquisition, development, and implementation (18%)
  4. Information systems operations, maintenance and support (20%)
  5. Protection of information assets (25%)

Domains 4 and 5 together account for 45% of the exam, nearly half the syllabus. There is a lot of information packed into them, so it’s important you know them well. However, don’t neglect the other domains; Domain 1 alone is weighted at 21%.

You can learn more about the CISA exam syllabus here. Now, about those CISA requirements for certification…

CISA Requirements Related to Experience

To obtain your CISA certificate, ISACA requires at least 5 years of professional work experience in information systems auditing, control, or security.

This is in addition to passing the CISA exam. Some people prefer to gain their work experience first, because the exam can be easier to pass when you have years’ worth of practical experience behind you. However, there is no rule that says you cannot take the exam first and then accumulate your five years of work experience.

There are also some CISA exemptions and waivers you should be aware of; they can be very helpful if you qualify for one.

CISA Exemptions and Waivers

1. The following work experience can substitute for 1 year of the required experience:

  • 1 year in information system work
  • 1 year in non-IS auditing
  • 2 years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing)

2. These education credits can waive 1 year of the required experience:

  • 60 completed university semester credit hours (the equivalent of a 2-year degree)
  • Bachelor’s or master’s degree from a university that enforces the ISACA-sponsored Model Curricula
  • A master’s degree in information security or information technology from an accredited university.

3. These degrees/programs can waive 2 years of the required experience:

  • 120 completed university semester credit hours (the equivalent of a 4-year degree)
  • ACCA (member status)
  • CIMA full certification

4. Other relevant degrees/programs:

If you hold other degrees, qualifications, or credentials with a significant IS auditing, control, assurance, or security component, you can submit your case to the CISA Certification Committee for consideration.

So, how do these waivers work?

How the Waivers Work

If the idea of waivers appeals to you, you’re in luck, but it’s important to understand how they work. You may be eligible for waivers that replace some of the five required years, based on your education or current work experience.

However, you can substitute only 1 year of experience with another type of work, and you can waive at most another 2 years of experience with a 4-year degree.

Therefore, the maximum substitution/waiver you can get is 3 years. Even after waivers, the CISA requirements still call for at least 2 years of relevant work experience.

Does Your Education Qualify You for a CISA Waiver?

If you’re wondering whether your education qualifies for a waiver, here is the information as presented by ISACA.

CISA Application (see Section C):
  • 1-year waiver for any Associate’s Degree (equivalent to a 2-year degree)
  • 2-year waiver for any Bachelor’s Degree (equivalent to a 4-year degree)
  • 3-year waiver for a Master’s Degree (postgraduate degree) in Information Systems or a related field

Does Your Work Qualify You for a CISA Waiver or Meet the Requirements?

Work experience qualifies if your day-to-day activities involve completing tasks listed under the job practice domains for the certification you are pursuing. ISACA lists all the CISA Certification Job Practice requirements on its website. This job practice analysis is repeated periodically to ensure that what is tested on the CISA exam directly relates to the tasks candidates perform in a CISA-certified role.

If you see your job or job tasks on this list, then you should qualify for a CISA work waiver and meet the CISA requirements for certification.

Important Note on CISA Requirements

You must obtain the work experience within the 10 years preceding the application, or within 5 years of passing the CISA exam. For most people who are actively working in the industry, this should not be a problem. The only time it might be a potential concern is


What Jobs Can You Get with CISA Certification?

CISA is not just for IT auditors (although it is for them, too). Here are some other jobs you can get with a CISA certification:

  • Internal auditor
  • Public accounting auditor
  • IS analyst
  • Audit manager (IT)
  • Project manager (IT)
  • Security officer (IT)
  • Network operations security engineer
  • Cybersecurity professional
  • IT consultant
  • IT risk and assurance manager
  • Privacy officer
  • Chief information officer

Potential Salary You Get with CISA Certification

So, how much money do you stand to make if you get your CISA certification? This is another popular question, and for good reason. Since there are many CISA requirements, and meeting them takes a lot of time, effort, and even money, it’s natural to wonder what you will get out of it.

While earnings vary by experience and location, the average salary for CISA-certified professionals ranges from $52,459 to $122,325 per year. This is a lucrative field to get into and to be certified in.

 Level         IT Audit Salary         General Internal Audit Salary
 Entry level   $63,000 – $74,000       $52,000 – $67,000
 Junior        $71,000 – $100,000      $60,000 – $87,000
 Senior        $91,000 – $132,000      $78,000 – $111,000
 Manager       $108,000 – $166,000     $92,000 – $151,000

Source: Robert Half

You may want to check out our comprehensive page on IT audit salary and career path.

Additional Benefits to Becoming CISA Certified

Sure, it sounds like a lot of work (because it is), but don’t let all of those CISA requirements discourage you. There are some additional benefits that come with all that hard work.

  • Top qualification in your niche – You get to officially hold the top qualification in your niche. CISA is more technical and more specialized than broader certifications like the CIA or CPA. When you want to prove you have the best experience and expertise in IT auditing, your CISA certification is a great investment.
  • Qualify for specific jobs/roles – Holding the CISA certification automatically gets you through the first screening round for many jobs. If you’re on the job hunt, you may find recruiters immediately turn you down for certain roles because you are not CISA certified. Earn the certification first and you’ve already cleared that hurdle.
  • Earn a higher salary – As mentioned above, you can earn a higher salary in the IT field when you have your CISA certification.


CISA Certification Professional Conduct

Candidates and CISA certification holders must agree to abide by the Code of Professional Ethics. Failure to adhere to it may lead to investigation and disciplinary action.

ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.

Members and ISACA certification holders shall:

  1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
  2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
  3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
  4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
  6. Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
  7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s or certification holder’s conduct and, ultimately, in disciplinary measures.


CISA Certification Continuing Education

ISACA requires certification holders to keep up with the latest professional developments and to complete a minimum number of continuing professional education (CPE) hours.

The CISA certification is renewed every 3 years. Within each reporting period, CISAs must follow these rules to maintain their certification:

1. Annual requirement

  • CISAs must earn and report a minimum of 20 CPE hours per year.
  • The annual reporting period starts on January 1.

2. 3-year reporting period requirement

  • A minimum of 120 CPE hours is required.
  • The start of the 3-year cycle varies by individual. Check your annual invoice and the letter confirming annual compliance.

Special note

  • One CPE hour is equivalent to one hour of attendance at a seminar, conference, or webinar related to your profession.
  • Reporting is based on the honor system, but your CPE credits may be audited. Retain your documentation for 12 months following the end of each 3-year reporting cycle.

You can learn more about CISA CPE requirements here.

CISA Certification Requirements Conclusion

At the end of the day, the many benefits of CISA certification make meeting the stringent requirements worth it. While there are no specific requirements to take the exam, there are CISA requirements to obtain your certification and to maintain it over time, and they are well worth meeting for the benefits you will reap from holding this credential.

In short, the requirements are worth it, and the waivers make them easier to meet if you’re already working in the field. There’s no reason not to go for your CISA certification if this is a career path you are serious about.

Also, check out the further reading section for more important CISA info and updates. You can also learn how to pass the CISA exam on your first try. Do you have other questions about the CISA requirements that we missed? Let us know in the comments so we can answer them for you!

For Your Further Reading


About the Author Stephanie

I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.

  • Anu says:

    I am a qualified Cost Accountant (CMA-India, previously known as CWA) and am pursuing CA Final from ICAI-India, with 3 years of mandatory articleship training experience. I am planning to take up CISA this May. It is specified that one has to provide 5 years of work experience from the date of passing the exam. My queries in this regard are:
    a) How is it possible to show 5 years of experience within 5 years of passing, if one does not have any prior work experience?
    b) Will my qualifications be considered for a waiver?

    Thanks for the help in advance

  • mmajstor says:

    Hi Stefanie,

    Regarding this waiver – “60 credit hours (2-year degree) from university,” I think I additionally saw on their website something such as a ten-year preceding period. Do you know what it means? I finished university more than 10 years ago and I don’t know whether I can use it as a waiver.


  • Basu says:

    Hi Stefanie,

    I am currently working in the IT industry, with 13 years of total experience now. My scope of support has been IT Service Management, Transitions, and Service Delivery. I have a graduation in Science (B.Sc.), a regular three-year course. What is the total no. of years of exclusion I can expect to get with my past experience and education completed?

    • Meghan D says:


      The maximum waiver is 3 years. You may be eligible to receive all 3 of those years in the form of a waiver; however, without knowing your exact information, I cannot provide you with specific guidance. You can apply to the IIA’s program and see for certain. Or you can contact the IIA to see if they can provide you with specific guidance prior to your applying to the program.


  • Esaie M says:

    Dear all,

    I am willing to take the CISA exam. Is there any platform like “GLEIM” for CIA that can be recommended for preparation for the CISA exam?
