Certified Information Systems Auditor (CISA): An Introduction

Stephen Watts

For top-level IT and IS auditors who work with information systems to identify potential security threats within an organization, the Certified Information Systems Auditor (CISA) certification validates the knowledge you possess, confers globally recognized professional standing, demonstrates continued learning, and accelerates your career.

As stated on the ISACA site, this certification “is world-renowned as the standard of achievement for those who audit, control, monitor, and assess an organization’s information technology and business systems.” Those who hold this certification are highly qualified professionals who demonstrate proficiency in, and help shape, IT/IS audit industry standards. With this certification, auditors earn an average salary of around 110K+ a year and can leverage their expertise. That said, this certification is not for just any IT or IS auditor; it comes with requirements and preparation.

In this article, we will take a look at what sets CISA apart as a high level of achievement, who should take the exam, and how to prepare for certification.

Advantages Of Having An Employee With A CISA Certification

The ultimate goal of any organization is to be successful, and part of that success is achieving a “good image” through gold-standard operations. Hiring employees who have validated their skills within their field raises the standard of operations, which ultimately leads to higher standards for entire teams and growth throughout the whole organization. As a rule that applies to any expert, certifications add positive value to both the employee and the organization.

Returning to auditors and the CISA certification, confirming an individual’s skill in system auditing, assurance, control security, cybersecurity, and governance opens countless doors for growth. An article from Business First Family states that “with a CISA certified employee on board, you are more likely to attract new clients. The ISACA is a globally recognized association, and their CISA certification is coveted by many potential customers. In fact, some customers may exclusively work with businesses who have CISA certified individuals on board.” The advantages of hiring a certified employee offer a unique return that most organizations strive for.

Who Should Take CISA

Gaining the coveted, “world-renowned” CISA title has two parts.

First are the pre-requirements, as explained in an article from CIO: all candidates “need at least five years of professional information systems auditing, control or security work experience within the past 10 years. You can receive a waiver for up to three years of experience if you have the following:

  • Maximum of one year of IS experience or one year of non-IS auditing experience
  • The equivalent of a two- or four-year degree, which can be substituted for one to two years of experience
  • A bachelor’s degree or master’s degree from a university that teaches the ISACA-sponsored curriculum, which can be substituted for one year of experience
  • A master’s degree in IS or IT from any accredited university, which is equivalent to one year of experience

ISACA also offers exceptions for those who have spent two years as a full-time university instructor in a related field, which can be substituted for one year of experience.

Second, following the pre-requirements, is the examination. The examination may be taken before the experience requirements are achieved; however, the candidate will have to wait to be awarded certification until all experience requirements are met.

With that, those who seek this certification must be willing to accept the time constraints and the Code of Professional Ethics, in addition to actively wanting to develop within the auditing profession. With a post-certification requirement to complete 120 hours of CPE every 3 years, with at least 20 hours every year, achieving and maintaining this certification is a commitment in and of itself.

The Examination

The exam is separated into five domains spanning 150 multiple-choice questions that cover the main job practices of IT and IS audit, control, and security, and it is graded on a scale of 200 to 800 points. A candidate must score 450 or higher, within 4 hours, to pass.

The Domains

  1. 21% – The Process Of Auditing Information Systems
    This domain covers IT audit basics as well as how to plan audits, conduct them, present the results, and put a plan into action.
  2. 16% – Governance And Management Of IT
    From the above mentioned CIO article, within this domain, the questions cover “IT strategies, governance, organizational structures, resource management, portfolio management, risk management, control monitoring, reporting of KPIs, and organization’s business continuity plan.”
  3. 18% – Information Systems Acquisition, Development, and Implementation
    Included to ensure that certified candidates understand how to run IT systems that meet organizational goals, this domain covers enhanced IT investments, management processing, use of IT suppliers, the evaluation process, and post-implementation assessment.
  4. 20% – Information Systems Operations, Maintenance, and Service Management
    In this domain, an understanding of overall IT operations and maintenance is assessed. It reviews frameworks and best practices, as well as data quality.
  5. 25% – Protection Of Information Assets
    Finally, in this domain, everything that keeps a system secure is reviewed. According to an article from Cyber Security Education, this domain is used to “assure the organization that its information will maintain its integrity, confidentiality, and accessibility.”

Before Taking The Exam

Because the exam is designed to ensure that the IS and IT audit specialist is well versed in all topics and skills, it is ideal to prepare for the official CISA exam with a training series and practice tests. To that end, ISACA offers online, visual, or on-demand instructor-led courses. These come with printable or downloadable manuals as well as one year of access to a Q&A database. ISACA also offers 4-day, in-person training, with options for organizations that want groups of employees trained.

Several third-party prep companies can also help with preparation. For example, Udemy offers extensive 900-question prep exams that are renewed yearly, which helps ensure that the candidate is ready for the June, September, or December test dates.

When prepared properly, the candidate may easily register on the ISACA site. After registering, there is a 365-day eligibility period; however, always ensure preparedness before registering. The test costs 575 USD for members or 760 USD for non-members, and no deferrals or extensions are allowed.

Final Steps and Thoughts

After passing the exam and completing the experience requirements, it is time to apply for certification. It is a three-step process that, again, the ISACA site makes easy.

  1. The application costs a one-time, non-refundable 50 USD fee.
  2. The certification application, with supporting proof, must be submitted within five years of passing the exam.
  3. Then, it will take three to four weeks to process.

Once certified, an IT or IS auditor is instantly boosted in the ranks of their field. Their resume becomes more appealing to organizations and peers, and it displays a commitment to staying on top of systems auditing skills. Not for the faint of heart, the CISA certification is for only the industry’s best, most elite professionals.

About the author

Stephen Watts

Stephen Watts (Birmingham, AL) has worked at the intersection of IT and marketing for BMC Software since 2012.

Stephen contributes to a variety of publications including CIO.com, Search Engine Journal, ITSM.Tools, IT Chronicles, DZone, and CompTIA.