How to Become CISA Certified

Are you ready to learn how to become a Certified Information Systems Auditor (CISA)? I am going to tell you everything you need to know about the CISA and how to get the certification.

What Is CISA?

The Certified Information Systems Auditor (CISA) certification is the most recognized designation for information systems audit control, assurance, and security professionals. However, you are not alone if you’re unsure how this certification differs from others in the industry.

The CISA certification is one of 4 that ISACA grants. Established in 1969, ISACA is an association for information systems audit, assurance, security, risk, privacy, and governance professionals. Currently, ISACA has more than 140,000 members in 180 countries.

Tech is a growing industry, and the need for security and protection is growing with it. Consequently, demand for the CISA and similar certifications has increased as a series of financial scandals, the Enron/Arthur Andersen fallout, and problems in internal control have plagued the industry. Therefore, when you earn your CISA certificate, you’ll be able to help organizations manage the security and health of their IT systems.

So, who earns the CISA? This certification is particularly useful to:

  • IS/IT Auditors
  • Security Professionals
  • IS/IT Consultants
  • Non-IT Auditors
  • IS/IT Audit Managers

What Are the Benefits of Becoming a CISA?

If you already work in information systems, you can enjoy some significant career benefits from earning the CISA. The vocational advantages of the CISA include:

By going through the certification, you’ll identify and master any areas you’ve missed. You’ll see what you need to work on, and you will have the chance to learn and improve your skills.

The certification isn’t just about testing what you know but filling in those essential knowledge gaps and ensuring you continue to do so over time.

CISA also bears international recognition. If you’re working with corporations and IT professionals in other regions, or you make a move to an international company with set protocols, CISA can really help you communicate—and advance your career.

Furthermore, tech recruiters often search for or require CISA certification for certain roles. In short, CISA can put you in a higher pay grade, even if your job responsibilities are similar to your current ones. Who wouldn’t like more money for doing the same work?

What CISA Does for Organizations

CISA also helps organizations maintain standards and manage risk, because holding the certification attests that you have reached a defined level of knowledge.

If you take a new role requiring CISA certification, it’s likely the company will not only pay for continuing education but actively support you in it. After all, you need to keep learning to maintain your CISA.

Whether you’re working on a large corporation’s IT infrastructure or securing your router at home, CISA ensures you have the knowledge you need to protect data and maintain proper encryption protocols.

The number of CISAs has doubled in the last decade. Are you ready to join them?

What Jobs Can You Get with CISA Certification?

We’ve talked about how internal auditors get their CISA, but there are other jobs the certification would open you up for as well. Here are some examples:

  • Internal auditor
  • IT audit manager
  • Public accounting auditor
  • IS analyst
  • IT security officer
  • Network operation security engineer
  • Cybersecurity professional
  • IT consultant
  • IT risk and assurance manager
  • Privacy officer
  • IT project manager
  • Chief information officer

What Is the CISA Salary?

The salary potential for people with their CISA certification is also increased. Earnings will vary based on your location, job title, and past experience. However, the average for CISA-certified professionals ranges from $52,459 to $122,325 per year.

Many candidates find their salaries increase in the same job position or type after certification. If you’ve been thinking about asking for a raise, CISA is a good way to ensure you qualify.

How to Become a CISA

If you already have the work experience, then earning the CISA is actually easier than earning other similar certifications. The CISA certification process isn’t so bad in part because you don’t need any qualifications to be eligible for the CISA exam. Instead, anyone can take the CISA exam. However, to obtain the CISA certification, you must fulfill the working experience requirements.

This means you have two options:

  1. Take the exam first and then accumulate the work experience
  2. Get the work experience first, which often helps make passing the exam easier

Let’s take a look at some of the benefits of becoming a CISA, so you can see if it’s right for you.

How to Become CISA Certified

1. Register for the CISA Exam

You may not realize it, but there is no prerequisite for taking this exam. As long as you have given it careful thought and believe that the CISA exam is useful for your career, go ahead.

2. Complete the CISA Exam

This is a pencil-and-paper exam available three times each year. It is a 4-hour exam consisting of 150 questions in multiple choice format. Anyone can take the exam as long as they pay the registration fees. You must pass with a score of at least 450.

The syllabus covers 5 domains surrounding the roles and responsibilities of IT auditors. Theory is tested, but in general, if you are a practicing IT auditor, the exam is relatively easy. (See below for more details on the CISA syllabus.)

The passing rate is around 50%. Successful candidates can work towards the experience requirements and apply for the certificate.

3. Fulfill the Experience Requirement

This is actually the stricter part of the CISA certification process. You need to have at least 5 years of experience in information systems auditing, control, or security.

The work experience must be gained within 10 years preceding the application date, or within 5 years from the date of passing the exam.

Note: Substitutes for work experience may be applied for a maximum of 3 of the 5 required years. ISACA allows certain qualifying substitutes, which are listed in the section on exemptions and waivers below.

4. Maintain the Certification

You can maintain the certification’s active status by paying the maintenance fees and fulfilling the CPE requirements. You’ll need at least 20 contact hours per year, and 120 contact hours within a fixed 3-year period. For details, please refer to the CPE policy on the ISACA website.

CISA Exemptions and Waivers

If you don’t have the five years of experience, you may qualify under some of these exemptions or waivers.

  1. The following work experience can substitute for 1 year of the above:

     • 1 year in information systems
     • 1 year in non-IS auditing
     • 2 years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing)

  2. These education credits can waive 1 year of relevant experience:

     • 60 credit hours (2-year degree) from a university
     • Bachelor’s or master’s degree from a university that enforces the ISACA-sponsored Model Curricula
     • A master’s degree in information security or information technology from an accredited university

  3. These degrees/programs can waive 2 years of relevant experience:

     • 120 credit hours (4-year degree) from a university
     • ACCA (member status)
     • CIMA full certification

  4. Other relevant degrees/programs:

If you have obtained other degrees, qualifications, or credentials with a significant IS auditing, control, assurance, or security component, you can submit your case to the CISA Certification Committee for consideration.

About the CISA Exam

The CISA certification itself was launched in 1976. However, in the past couple of decades, the number of candidates for this certification has quadrupled! That is a definite testament to the growing tech industry. More than 27,000 IT professionals take the exam each year.

The CISA exam is a one-part exam with 150 multiple-choice questions (reduced from 200 questions) that come from five domain categories. I will explain these domains in more detail below. You have four hours in total to complete these 150 questions.

The exam is offered in several languages, including Chinese (simplified and traditional), English, French, German, Hebrew, Italian, Japanese, Korean, Spanish and Turkish.

Furthermore, Traditional Chinese, German, Hebrew, and Italian are offered in June exams only.

CISA Exam Pass Rate

While there are no requirements to take the exam, you may want to be sure you are fully prepared before you sign up. As stated above, only about 50% of candidates pass it on the first try.

If you want to increase your odds at passing on the first go, it’s important to learn about what is on the exam.

CISA Exam Syllabus

As explained above, there are five domains to the CISA Exam Syllabus. It will be important to know these as you study and prepare for the exam. These five domains are how the exam is broken down into parts, based on the subject matter each section covers.

The five domains are:

1: The process of auditing information systems (21%)

2: Governance and management of IT (16%)

3: Information systems acquisition, development, and implementation (18%)

4: Information systems operations, maintenance, and support (20%)

5: Protection of information assets (25%)

Now, let’s look at each more in-depth:

1: The process of auditing information systems

This section covers how IT auditors provide certain services, auditing standards, and how to assist an organization in protecting and controlling their information systems. Tasks also include developing and implementing a risk-based IT audit strategy, planning and conducting the actual audit, and reporting the findings of the audit.

Candidates will be expected to know the ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques, the Code of Professional Ethics, and other standards as they apply to auditors.

2: Governance and management of IT

This domain covers how IT auditors provide assurance that structure and processes are in place at an organization. This may include evaluating the effectiveness of the IT governance structure, for example, or the organizational structure.

It could also involve evaluating the HR management, policies and standards, and seeing how these things align with the company’s strategies and objectives as a whole.

3: Information systems acquisition, development, and implementation

This domain covers how IT auditors provide assurance that the practices the organization has for acquisition, development, testing, and implementation of IS meet the strategies and objectives of the organization.

Some tasks might include evaluating potential investments, development, maintenance, and subsequent retirement, or evaluating project management practices within the company.

4: Information systems operations, maintenance, and support

In this domain, you will look at how the auditor provides assurance that the processes for IS operations, maintenance, and support meet the strategies and objectives of the organization. This could include periodic reviews of the IS, evaluating certain service level management practices, and reviewing information systems maintenance processes.

5: Protection of information assets

Finally, the last domain is about protecting the company’s information assets. It provides assurance that the organization’s security policies, standards, procedures, and controls ensure the confidentiality, integrity, and availability of the information assets.

This could include anything from evaluating the information security policies, standards and procedures to the design, implementation, and monitoring of various controls, such as system and logical security controls, data classification processes, and physical access and environmental controls.

Which CISA Domains are Most Important?

Domains 4 and 5 represent more than half of the syllabus. It is important that you know these two areas very well, and at the same time achieve a decent score in the other domains.

How Long Does It Take to Get CISA Certification?

If you already have the relevant work experience, you can get your CISA certification as soon as you take and pass the exam. Because of this, it will only take as long as you need to study, prepare for the exam, and schedule your test.

How Can You Get CISA Study Material?

If you want to ensure your best shot at passing the exam, consider the best CISA training courses and CISA study guides. There’s the CISA Super Review, SimpliLearn CISA Course, and Surgent CISA Review to name a few.

I believe most candidates would agree that CISA SuperReview has the best video lectures, practice questions, and CPE credits. On top of that, it includes excellent customer support with access to Allen himself. Because of this, it’s at the top of my list, but the others are also good.

Wrapping It Up – Are You Ready for CISA?

By now, you should know more about how to become CISA certified. Furthermore, you should also have enough information to help you determine if this is right for you. If you have the work experience already, it’s a no-brainer.

We live in a very tech-driven world today and CISA certification is one way to prove you have the skills needed to work in these highly tech-driven fields. It can greatly increase your value as an employee or potential candidate.

If you’re planning to take the CISA exam, check out our CISA study guide here. That way, you can go into it fully prepared and ready to pass.

About the Author Stephanie

I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.

  • Harshavardhan says:

    Hi Stephanie

    Thank you for writing an elaborate blog post on the whole CISA scenario.

    I want to pursue a CISA certification but I am unable to find a way out because I am confused. I have completed my Bachelor’s & Master’s in Computer Applications & I have 2 years of work experience in consulting, development, networking, and databases in the implementation of ERP.

    Is it good to go for a CISA certification if there is no formal IT audit experience?

    • Stephanie says:

      Hi Harshavardhan,
      Thanks for your note, and you are most welcome. In terms of taking the CISA exam, it’s no problem because you don’t need any specific prerequisite for that. For the actual exam, given your very relevant master’s degree I think you will likely do well.

      The question is more on the working experience. Not too sure, but your current work may get 1 year of waiver. Then your education will give you 2 years. This means that you still need 3 years of specific IT auditing experience to get the qualification.

      So in summary, you don’t need the formal IT audit experience now, but in order to get the certificate later on, you do need at least 3 years of that. This is at least my understanding. You may want to double-check with ISACA as well.

      More info here:
      Regards, Stephanie

  • Jim Thorpe says:

    Hi Stephanie, I am considering the CISA, but their explanation of how experience requirements are determined to be met is kind of vague to me. I am not asking about the difficulty of the exam, but I am wondering if my experience will qualify in order to meet the 5 years requirement. I have 12 years of experience in IT as a Network Engineer and IT Manager. I have been responsible for the security of networks that require Sarbox, PCI, and HIPAA for 20 years. My master’s degree is from an accredited university in accounting. However, I have never had the word “security” or the word “auditor” in my job title. I am just not sure if the experience requirements can be met by jobs that are responsible for security but not specifically an auditor or security engineer.

    • Stephanie says:

      Hi Jim, I wish I could give you an answer, but I am not sure. I think on the “security” side you are all set, but it depends how much they want the auditing side of the experience to be counted. You can send them an email and ask for their suggestion? When asked to give a description of your work, try to package it with a bit more quantitative analysis and checking into it. Auditing is pretty much that in broad terms. Good luck! Stephanie

    • Robin says:

      Hi Jim,

      If I may be of help, you may approach your local ISACA Chapter; the VP of Membership should be able to assist in clarifying & answering your questions.

  • Shreeya says:

    Hi Stephanie
    This is Shreeya. I have a Bachelor’s Degree in accounting and 4.5 years of non-IT audit experience. Can I consider sitting for the CISA Exam?

  • Stacie says:

    I have a master’s degree in computers and have 3 years of experience in IT. (No auditing or security experience.)

    Can I opt for this course? How do I start preparing for this course?

    Which book should I follow to start first?

    I see lots of books on Amazon for this course. Should I buy those books?

    Please help …

    • Stephanie says:

      Hi Stacie, the easiest way is to sign up for a CIA exam review course, which is specifically designed for candidates to pass the exam in the most efficient manner. You can check out the pros and cons of the top providers here:

      Do note that you have to fulfill at least one year of internal audit experience to get the certification. It’s ok not to have any of this experience now, but you should plan to get that sometime in your career to make taking the CIA exam worthwhile.

  • Seth says:

    Hi Stephanie,

    As far as work experience goes the ISACA website states that a minimum of 5 years of professional information systems auditing, control or security work experience is required for certification. Do you know what they mean by security work experience? I have worked in corporate security for 10 years mostly focused on physical security, business continuity and security compliance with such standards as NERC CIP, HIPAA, PCI DSS, TCPA. I have never had the job title of information system auditor. Do you think my work experience would qualify for the CISA certification?

  • Aishwarya Agarwal says:

    Hi Stephanie,
    I am quite confused as to what ‘Experience in professional information systems auditing, control or security work’ actually means??
    Does it mean a job for 5 years related to the above-mentioned work, or a sort of training/internship with an organisation?
    Please help…

  • Ryan says:

    Hi Stephanie. Thank you for the useful info. I have just passed the Sept 2016 exam. For the cert requirement, I have a bachelor’s degree in Information Technology and a master’s degree in Information Technology Security. My degrees were completed 10 years ago. I have a number of years of non-IT experience. Can you please advise, based on my background, how much experience I need going forward to be certified?

  • Siva says:

    Hi, can you please clarify if my experience of 5 years in internal audit will qualify for CISA certification. It is not specifically in information systems, but normal auditing experience. Will it count?

    • Stephanie says:

      Hi Siva, did you read the post on the exam requirements (the big bold link at the bottom of the page above)? Anyway, you can waive 1 year of experience using non-IS audit experience. You may want to check that page out for details.

  • zeeshan says:

    Hello Guys!!
    I have a keen interest in IT auditing but am still not getting an opportunity to enter the security side, although I have been working in an ISP (Core OPS) with 4-plus years of experience along with CCNA and CCNP certificates. Besides that, I did a BE (electronics).
    Kindly suggest whether I am eligible for CISA?

  • Sundar says:

    Hi Stephanie,
    I would like to pursue CISA. I have a Bachelor’s degree in Commerce and a Master’s in Computer Applications, and I have around 20 years of experience in the Information Technology field. I have never worked in an audit environment. What sort of waiver can I get, because I read that 5 years of prior auditing experience is required?

    Also, I am not a citizen of the USA and do not hold a green card. Do I have the eligibility to take up CISA certification?

    Could you please guide me on how to go about getting certified in CISA?

    Thank you very much for your time and help. Hoping to hear from you.

    • Stephanie says:

      Hi Sundar,
      You certainly don’t need US citizenship or residency to take the CISA certification. It’s a global certification 🙂
      I tried to guide people on how to get started in this post… maybe you can click and see what you need to go for your next step? I would check out the qualification page (the exam requirements). Also, you may want to check out the official website as well. Stephanie

  • roman says:

    Hi Stephanie,
    I have a bachelor’s degree in computer science and engineering (4 years, 2014) and am currently a student in a Master’s (CSE) program (complete within 3 months), but I also have 7 years of full-time job experience as an IT engineer (administration), and all that education was in the evening (2005-2009). I also completed my diploma in computer engineering; after that I started my job and simultaneously did those 2 degrees. Now, to come to the point, do my profile and experience match with this?

    Please let me know your valuable advice.

    thank you

    • Stephanie says:

      Hi Roman,
      Thanks for your note. It looks to me that you have a good background to study for this exam, but in terms of the experience, they do require IT audit experience. I know it’s a chicken-and-egg kind of situation, but in reality, if you pass the CISA exam, people know you are committed to this industry and it’s helpful that way. No guarantee on jobs of course, but I believe that’s how it could offer value-add. Hope it helps! Stephanie

  • Swapnil says:

    Hi Stephanie,

    I have 8 years of experience in network infrastructure, system admin, and networking environments. Considering the CISA exam, will I be OK with the domains?

  • Pradep says:

    Hi Stephanie,
    I am looking to prepare for CISA, having 15 years of IT experience.
    Can you please guide me on some of the ways to prepare which can result in the maximum possibility of passing the exam?

  • gunnar says:

    I have no background in IT Auditing nor controls or security but would love to join ISACA.
    Does it mean I can’t join?

  • Kp says:

    I am a science graduate with 13 years of banking experience. I am very much interested in CISA certification… but not sure, as I do not have an IT background…

  • Nathan says:

    Hi Stephanie,

    I’m from the Philippines. Where can I take and file for the CISA exam? Do you have a website to refer to? Thanks
