The Certified Information Systems Auditor (CISA) certification is a globally-recognized certification focusing on the audit, control, and security of information systems (IS). It is a highly respected certification in the field of IT security, audit, risk management, and governance. And, in order to secure this certification, you must satisfy the CISA requirements. So, use this information to discover these requirements and determine your CISA eligibility.
ISACA, the organization that created the CISA, explains that they will award the certification to individuals with an interest in Information Systems auditing, control, and security once those individuals fulfill the following requirements:
- Pass the CISA exam
- Meet the work experience requirements
- Submit an application for the CISA certification
You do not have to pass the CISA exam before you meet the work experience requirements, but most candidates do. And you must have passed the exam and acquired the work experience before you can receive the CISA certification no matter the order in which you accomplish these tasks.
Then, once you have earned the CISA certification, you must do the following to maintain it:
- Adhere to ISACA’s Code of Professional Ethics
- Complete the Continuing Professional Education program requirements
- Comply with the Information Systems Auditing Standards
As you can see, the CISA certification requirements are not very complicated. But, as is the case with any certification, meeting them involves time, effort, and money. You can decide if the commitment is worth it by learning more about each of these requirements.
CISA Certification Requirements
As mentioned, the requirements for earning the CISA certification are passing the CISA exam, accumulating the work experience, and submitting the CISA certification application.
CISA Exam Requirement
As mentioned, the CISA requirement that most candidates satisfy first is the CISA exam requirement. To meet this requirement, you must pass the CISA exam.
But which requirements must you meet for CISA exam eligibility? Well, though the CISA has requirements like many other certifications, the CISA exam requirements are unique in that you do not have to meet any requirements to take the CISA exam.
Yes, it’s true: ISACA does not have any CISA exam eligibility requirements. All ISACA expects of CISA exam candidates is that they have an interest in IS auditing, control, and security.
However, ISACA has designed the CISA exam to test your knowledge of information systems and information technology audit, control, assurance, and security at a deep level. Therefore, passing the exam requires a significant amount of familiarity with these areas, as the CISA exam syllabus proves.
CISA Exam Content
The purpose of the CISA exam is to test candidates on the same tasks they will perform in professional IT positions. Therefore, the CISA exam divides those tasks between 5 different domains. These domains are:
- Information System Auditing Process (21%)
- Governance and Management of IT (17%)
- Information Systems Acquisition, Development, and Implementation (12%)
- Information Systems Operations and Business Resilience (23%)
- Protection of Information Assets (27%)
As you can see, domains 4 and 5 represent more than half of the overall syllabus. For this reason, you must commit a lot of study time to these domains. However, you cannot neglect the other domains, as they are also very important.
CISA Exam Format and Languages
The CISA exam consists of 150 multiple-choice questions. However, your raw score is converted to a scaled score between 200 and 800 for your final CISA exam scoring results. Additionally, you have 4 hours (240 minutes) to answer these questions.
You can also take the CISA exam in one of the following languages:
- Chinese Traditional
- Chinese Simplified
CISA Experience Requirement
In order to obtain your CISA certificate, ISACA also requires you to have at least 5 years of experience in professional information systems auditing, control, or security. Work experience qualifies if your day-to-day activities involve completing tasks listed under at least 1 CISA job practice domain area. ISACA lists all the CISA certification job practice domains on their website. Furthermore, ISACA updates their job practice analysis periodically to ensure the CISA exam content directly relates to the tasks candidates will do with the CISA certification.
You must accumulate your 5 years of work experience with the 10-year period before you apply for CISA certification or within 5 years of passing the CISA exam. And once you pass the CISA exam, you have 5 years to apply for the certification.
As mentioned, most people obtain their work experience after they pass the CISA exam, but you do not have to do this. If you come to the CISA certification process with IS experience already on your resume, then you’re simply ahead of the game. And you will probably have an easier time passing the CISA exam.
What’s more, you do not have to work at the same job for 5 years to fulfill the CISA work experience requirements. Instead, you can amass your experience in a few different ways because ISACA has implemented some substitutions and waivers for CISA work experience.
CISA Work Experience Waiver
To help candidates meet the CISA work experience requirements, ISACA allows candidates to substitute up to 3 years of the CISA work experience requirement’s 5 years with the following substitutions:
- A maximum of 1 year of information systems experience for 1 year of experience
- A maximum of 1 year of non-IS auditing experience for 1 year of experience
- 2 years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) for 1 year of experience
Furthermore, you can also use these educational credits to waive 1 year of relevant CISA work experience:
- 60 completed university semester credit hours (equivalent to a 2-year or associate’s degree)
- ISACA does not impose the 10-year preceding restriction on this substitution
- Bachelor’s or master’s degree from a university that enforces the ISACA-sponsored Model Curricula
- However, you can’t use this option if you’ve already claimed 3 years of experience substitution and educational waivers.
- A master’s degree in information security or information technology from an accredited university
Additionally, you can employ these degrees/programs to waive 2 years of relevant CISA work experience:
- 120 completed university semester credit hours (equivalent to a 4-year or bachelor’s degree)
- ISACA does not impose the 10-year preceding restriction on this substitution
- ACCA member status from the Association of Chartered Certified Accountants
- Full Chartered Institute of Management Accountants (CIMA) certification
Finally, you can use a master’s degree (post-grad degree) in information systems or a related field to waive 3 years of the CISA work experience requirement.
If you have obtained other degrees, qualifications, and credentials with significant IS auditing, control, assurance or security component, you can submit your case to the CISA Certification Committee for consideration.
CISA Experience Verification Form
The final step in fulfilling the CISA work experience requirements is completing the CISA experience verification form. ISACA expects a supervisor or manager with whom you have worked to independently verify your work experience. Your verifier cannot be part of your immediate or extended family nor can they work in the HR department.
Verifiers must fill out the CISA experience verification form and return it to the candidate to include with their CISA certification application.
CISA Certification Application
After you’ve passed the CISA exam and fulfilled the work experience requirements, all you have left to do is complete and submit the CISA application for certification. And, as mentioned, you must submit the CISA application within 5 years of passing the CISA exam.
You’ll find the CISA certification application ISACA’s website. From there, you can save it to your computer to fill it out electronically or print it out and fill it in by hand. Then, you can upload and submit your application, any additional verification forms needed (such as the CISA experience verification form), and any supporting documents online at ISACA’s support website. You will also need to pay the $50 application processing fee at this time. This fee is a one-time, non-refundable payment.
ISACA’s processing of your application can take anywhere from 2-3 weeks. And decisions on applications are not final, as ISACA has established an appeal process for certification application denials. If you would like to learn about the appeal process in the event that ISACA denies your application, you can email email@example.com.
If ISACA does approve your application at the end of the processing period, then they will notify you via email of your application’s approval. They will also send a certification packet to the primary address in your ISACA profile. This packet will contain a letter of approval, a CISA certificate, and a metal CISA pin. And, delivery of this packet could take 4-8 weeks. But once you get it, you’ll officially be a CISA!
Maintenance Requirements for CISA Certification
Again, after you receive the CISA certification, you must uphold ISACA’s Code of Professional Ethics, meet the Continuing Professional Education program requirements, and follow the Information Systems Auditing Standards.
CISA Certification Professional Conduct Requirements
ISACA members and CISA certification holders must agree to allow the ISACA Code of Professional Ethics to guide their professional and personal conduct. Failure to adhere to the code may lead to an investigation into your conduct and, if necessary, disciplinary action.
ISACA has established the Code of Professional Ethics in order to ensure that the professional and personal conduct of its members and certification holders meets certain ethical standards.
The code states that “Members and ISACA certification holders shall:
- “Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security and risk management.
- “Perform their duties with objectivity, due diligence, and professional care, in accordance with professional standards.
- “Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
- “Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
- “Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge, and competence.
- “Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
- “Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security and risk management.”
CISA CPE Requirements
Like many professional accounting certification administrators, ISACA expects its CISA certification holders to meet continuing professional education (CPE) requirements on an annual basis in order to maintain their certified status. ISACA explains that the goals of the CPE program include:
- Maintaining CISA holders’ competency by requiring them to update their existing information systems auditing, control, and security knowledge and skills.
- Differentiating between qualified CISAs and those who have not taken the required steps to sustain their certification
- Supplying a means by which to monitor information systems audit, control and security professionals’ maintenance of their competency
- Offering criteria for personnel selection and development in order to assist top management in developing sound information systems audit, control, and security functions.
Furthermore, ISACA believes that successfully complying with the CPE policy better trains CISA certificate holders to assess information systems and technology and provide leadership and value to the organizations for which they work.
CISA CPE Hours
Therefore, in the hopes of fulfilling these goals, ISACA has set the CISA CPE quota at a minimum of 20 contact hours of CPE per year. The CPE hours you earn must help you preserve or advance your knowledge or abilities to carry out CISA-related tasks. Additionally, you can use the same CPE hours to fulfill the CPE requirements of more than one ISACA certification if those CPE hours increase job-related knowledge for each certification.
The annual reporting period for CPE starts on January 1 of each year. And when you report your CPE, you must also pay the annual CPE maintenance fees to ISACA international headquarters. The annual ISACA CPE maintenance fee is $45 for members and $85 for non-members.
What’s more, you must also attain and report a minimum of 120 contact hours of CPE for a 3-year reporting period. You must renew your CISA certification every 3 years, and the dates of your 3-year verification period vary. You will see the dates for your certification period on each annual invoice and on the letter confirming your annual compliance.
However, when you first earn the CISA certification, your annual CPE reporting period and your 3-year certification period will begin on January 1 of the following year. You don’t have to report any CPE hours you acquire during the year of your certification, and if you do earn any CPE during this time (from the date of your certification until December 31), you can report them during your first reporting period.
ISACA CPE Guidelines
If you properly report the required number of CPE hours and pay the annual maintenance fees on time, ISACA international headquarters will send you a letter of confirmation. This letter will reveal the number of CPE hours
- ISACA accepted for the annual reporting period
- reported so far in your 3-year certification period
- required to qualify for the fixed 3-year certification period
Consequently, you must check to ensure that these numbers are correct and inform ISACA international headquarters if your letter contains errors or omissions.
If you do not comply with the CISA CPE certification requirements, ISACA will revoke your CISA certification. In that case, you must destroy your CISA certificate immediately.
Qualifying CISA CPE Courses
ISACA has specified that activities that qualify as CISA CPE courses include technical and managerial training applicable to information systems or audit, control, security, or managerial skills. This training does not include training in basic office productivity software such as Microsoft Word or Excel.
These activities and their ISACA-provided definitions include:
ISACA professional education activities and meetings (no limit)
- ISACA conferences, chapter programs, workshops, seminars, and meetings and related activities.
- Number of CPE hours = Number of hours of active participation with proof of attendance
- Minimum of 1 CPE hour
Non-ISACA professional education activities and meetings (no limit)
- In-house corporate training, conferenced, university courses, workshops, seminars, and professional meetings and related activities not sponsored by ISACA.
- 15 CPE hours per semester credit hour = completion of university courses (including online courses) in related fields (semester = 15 weeks of class)
- 10 CPE hours per quarter credit hour = completion of university courses (including online courses) in related fields (quarter = 10 weeks of class).
Certification review courses (no limit)
- Courses must promote your IS audit, control, and security or audit-related managerial knowledge or skills.
- Number of CPE hours = Number of hours of active participation
Self-study courses (no limit)
- Structured courses designed for self-study that offer CPE credits.
- To receive credit, you must get a certificate of completion with the number of CPE hours earned from the course provider.
Earning a passing score on an ISACA Journal quiz (no limit)
- You can count this credit toward each ISACA designation you hold.
- Number of CPE hours = 1 hour
Participating in an online eLearning presentation event sponsored by ISACA (no limit)
- Virtual trade shows, webinars, etc. You can find an updated listing of eLearning events on ISACA’s website. Also, you can count ISACA eLearning activities toward each ISACA designation you hold.
- Number of CPE hours = Number of hours of active participation
Vendor sales/marketing presentations (10-hour annual limitation)
- Vendor product or system specific sales presentations related to the assessment of information systems.
- Number of CPE hours = Number of hours of presentation
Teaching/lecturing/presenting (no limit)
- The development and delivery of professional educational presentations and the development of self-study/distance education courses related to information systems assessments. You cannot earn CPE credits for more than 2 presentations unless you substantially modify the content.
- For presentations and courses (all types):
- Number of CPE hours for first delivery = 5 times the presentation time or time estimated to take the course for the first delivery (e.g.: 2-hour presentation earns 10 CPE hours).
- Number of CPE hours for second delivery = the actual presentation time for the second delivery.
- For self-study/distance education courses:
- 1 hour of CPE hours = each hour spent upgrading/maintaining the course limited to twice the estimated time to take the course.
Publication of articles, monographs, and books (no limit)
- The publication and/or review of material directly related to the information systems audit and control profession. Your submissions must appear in a formal publication or website.
- Furthermore, you must have a copy of the article or the website address available if ISACA requests it.
- Finally, the table of contents and title page for your book or monographs must be available.
- Number of CPE hours = actual number of hours taken to complete or review the material.
Exam question development and review (no limit)
- The development or review of items for the CISA exam or review materials. You can count these CPE hours toward multiple ISACA certifications.
- 2 CPE hours = each question an ISACA CISA item review committee accepts.
- Number of CPE hours = actual hours for the formal item review process.
Passing related professional examinations (no limit)
- The pursuit of other related professional examinations.
- 2 CPE hours = each examination hour if you earned a passing score.
Working on ISACA boards/committees (20-hour annual limitation per ISACA certification)
- Active participation on an ISACA Board, committee, sub-committee, or task force. You can also get CPE credit for active participation as an officer of an ISACA chapter.
- The development, implementation, and/or maintenance of a chapter website counts as active participation, but other responsibilities may count as well.
- You can count these activities toward each ISACA designation you hold.
- 1 CPE hour = each hour of active participation.
Contributions to the IS audit and control profession (20-hour annual limitation in total for all related activities for CISA reported hours)
- Work performed for ISACA and other bodies that contribute to the IS audit and control profession (i.e. certification review manual development, research development, performing peer reviews, Knowledge Center contributor).
- 1 CPE hour = each hour of active participation.
Mentoring (10-hour annual limitation)
- Mentoring efforts directly related to coaching, reviewing or assisting with CISA exam preparation or providing career guidance through the credentialing process either at the organizational, chapter or individual level.
- Your mentoring activity must support a specific person as they prepare for ISACA exams or certification career decisions.
- 1 CPE hour = each hour of assistance.
Calculating CPE Credits
ISACA award 1 CPE hour for each 50-minute increment of active participation in a qualifying ISACA and non-ISACA professional educational activity and meeting. These 50 minutes exclude lunches and breaks. However, you can also earn CPE hours in quarter-hour (15-minute) increments rounded to the nearest quarter hour.
CPE CISA Audits
Normally, ISACA takes your word for it when you report CPE credit hours. However, ISACA occasionally conducts audits of CISA CPE credits.
So, if ISACA audits you, you must supply written evidence of all the CPE activities you previously reported that meet ISACA’s descriptions of qualifying professional education activities.
For this reason, you should retain documentation of the CPE you earned, such as letters, certificates of completion, attendance rosters, verification of attendance forms, and other independent attestations of completion, for 12 months after the end of each 3-year reporting cycle. Each record should at least include the following:
- name of the attendee
- activity title
- name of the sponsoring organization
- activity description
- activity date
- number of CPE hours awarded or claimed
You must send ISACA copies of the supporting documentation of your CPE. Then, the CISA Certification Committee will decide how many hours to accept for each activity.
If you don’t comply with the audit, ISACA will revoke your CISA certification. In this case, you won’t be able to present yourself as a certified individual. Also, requests for confirmation of your certification will report that ISACA has revoked your CISA certification.
Reconsideration and Appeal of CISA Certification Revocation
If ISACA revokes your certification due to a failure to comply with the CPE policy, you may appeal ISACA for CISA reinstatement. To do so, you must write a letter to the Certification Working Group. Your appeal must contain a detailed explanation for your reinstatement request and CPE documentation from the cycle period since revocation to the current year. You can then submit your appeal to the Customer Experience Center.
If ISACA approves your appeal, you pay any previous or current certification maintenance fees. And if you made the appeal more than 60 days after the revocation, you must also pay a $50 reinstatement fee.
If ISACA does not approve your appeal and you still want to return to active CISA certification status, you must re-take and re-pass the exam and re-apply for certification.
ISACA CPE Requirements for Non-Practicing or Retired CISA Certification Holders
ISACA adjusts the CISA certification maintenance requirements for certification holders who are not active and are therefore either non-practicing or retired. The definitions of these 2 status options are:
- Non-practicing: someone who is
- On short-term or long-term unemployment/disability
- No longer working in the field but wishes to retain the CISA certification
- Experiencing other extenuating circumstances that the Certification Working Group has approved
- Retired: someone who is
- Over 55 years old and are permanently retired from the profession
- Unable to perform CISA- specific job functions because of a permanent disability
Non-Practicing CISA Requirements
If you are a non-practicing CISA, you must continue to pay the annual maintenance fees in order to sustain this status. However, you don’t need to meet the CPE requirements. You must be non-practicing for at least 1 year, but you can retain this status indefinitely. Your non-practicing status is effective on January 1 of the year for which you’re requesting the change.
If you’d like to return to active status after being non-practicing for less than 2 years, you must submit supporting documentation for 20 CPE credits that you earned within the past calendar year. If you’d like to return to active status after being non-practicing for more than 2 years, then you must submit supporting documentation for 120 CPE credits earned within the past 3 years. You must also report 1 year of work experience and have a manager, supervisor, or colleague sign the Verification of Work Experience Agreement section of the Certification Return-to-Active Application. Then, after returning to active status, you can’t enter non-practicing status again until after a full 3-year CPE reporting cycle is complete.
Retired CISA Requirements
If ISACA grants you retired CISA status, you don’t have to obtain CPE hours. You also don’t have to pay the annual maintenance fees. However, your retired CISA status is permanent unless you re-take and re-pass the CISA exam and re-apply for certification. Following these steps is the only way to assume an active CISA status again.
CISA Information Systems Auditing Standards Requirement
Finally, the last item you must address to maintain your CISA certification is the Information Systems Auditing Standards requirement. To meet this requirement, you simply must agree to follow ISACA’s Information Systems Auditing Standards.
Help Securing the CISA Certification
Though the CISA requirements are a bit involved, the benefits of the CISA certification make meeting these requirements completely worthwhile. What’s more, passing the CISA exam is one of the biggest CISA requirements, and you don’t have to do that alone. You can use a CISA review course to supplement the CISA review manual and give you the best chance at passing the CISA exam the first time. I’ve reviewed the best CISA courses on the market for you, so finding the right one for you will be easy!
Finally, you can also learn more about how to pass the CISA exam on your first try.