What is a Certified Information Systems Auditor (CISA)?
A Certified Information Systems Auditor (CISA) is a professional credential, issued by ISACA, for people who audit, control, monitor, and assess an organization’s information systems. Holders demonstrate knowledge of IT audit practices, risk management, security controls, and governance over technology.
Core responsibilities (what a CISA does)
– Plan and carry out IT audits to evaluate controls and compliance.
– Identify weaknesses and recommend risk-mitigation steps.
– Review IT governance and management practices.
– Create or update IT policies, standards, and procedures.
– Support business continuity and disaster-recovery planning.
– Coordinate with IT staff and other departments to reduce system vulnerabilities.
Key facts about the CISA credential
– Issuer: ISACA (Information Systems Audit and Control Association).
– Exam: 150 multiple-choice questions, 4 hours. Offered in June, September, and December. Available in multiple languages. Candidates must register online and present acceptable ID at the test center. Typical testing rules restrict phones, smart watches, food/drinks, and visitors.
– Passing mark: a scaled score of 450 (per ISACA guidance).
– Cost: $575 for ISACA members; $760 for non-members (exam fee).
– Experience: Standard requirement is five years of professional experience in information systems auditing, control, or security. Substitute options exist (for example, certain related audit work can replace one year), and education waivers may reduce required experience in some cases.
– Continuing requirements: Holders must earn continuing professional education (CPE) hours to keep the credential active — at least 20 CPE hours per year and a minimum of 120 hours every three years. An annual maintenance fee is required ($45 for ISACA members; $85 for nonmembers).
– Ethics and standards: Applicants and certificants must follow ISACA’s Code of Professional Ethics and relevant auditing standards.
Benefits and market context
– Demonstrates recognized expertise in IT audit, control, and security.
– Employers value CISA for roles that require independent assessment of technology risks.
– Reported average compensation (2023 survey): around $145,000 for CISA holders (survey-based figure; actual pay varies by location, role, experience).
– Scale: Over 151,000 professionals held CISA certification as of the 2022 survey.
Step-by-step checklist to pursue CISA
1. Review eligibility: confirm your work history meets the five-year rule or qualifies for substitutions/waivers.
2. Prepare: study the five ISACA job-practice domains and practice multiple-choice questions.
3. Register and pay the exam fee online for your preferred test window (June, September, or December).
4. Sit the 4-hour, 150-question exam at an approved test center; bring required ID.
5. If you pass (achieve 450 or higher), submit the certification application with documentation of required work experience.
6. Once certified: log and report CPE hours, pay the annual maintenance fee, adhere to ISACA’s Code of Professional Ethics and the CPE (continuing professional education) policy, and keep copies of experience verification and CPE evidence in case ISACA requests an audit.
Post-certification maintenance checklist
– Log CPE hours: earn at least 20 CPE hours in each year and at least 120 CPE hours over each three-year reporting cycle. Track dates, activity descriptions, and supporting documentation.
– Annual maintenance: pay ISACA’s maintenance fee each year to keep the credential active. Fees vary by member status and region.
– Ethics and professional conduct: follow ISACA’s Code of Professional Ethics and the CISA continuing professional education policy.
– Record-keeping: retain examination, application, and CPE records for several years in case of audit.
Common pitfalls and how to avoid them
– Underestimating work-experience documentation: don’t assume verbal attestations are enough. Get signed job descriptions, dates, and supervisor contacts where possible.
– Skipping practice questions: the exam is multiple-choice and application-focused. Regular timed practice helps with pacing and applying domain concepts.
– Ignoring domain weighting: allocate study time proportional to ISACA’s domain weights (see study plan below).
– Waiting to apply experience after passing: you must submit documented work experience to be granted the certification—plan this in advance.
Typical timeline and study-hours estimate
– New to the field (limited audit/IT experience): 4–6 months, 200+ study hours, extensive practice questions, and experience documentation.
– Experienced IT/audit professional: 8–12 weeks, 100–150 study hours, targeted review of weak domains.
– Review and practice: at least 25–40% of total study time should be spent on practice exams and reviewing explanations.
12-week sample study plan (example totals)
– Total study hours target: 120 hours (10 hours/week). Adjust up or down by experience.
Week 1–2: Foundations and Domain 1 (Information Systems Auditing Process) — 20 hours
Week 3–4: Domain 2 (Governance and Management of IT) — 20 hours
Week 5–6: Domain 3 (Information Systems Acquisition, Development and Implementation) — 20 hours
Week 7–8: Domain 4 (Information Systems Operations, Maintenance and Service Management) — 20 hours
Week 9: Domain 5 (Protection of Information Assets) — 10 hours
Week 10–11: Mixed practice exams, timed sections, review weak areas — 20 hours
Week 12: Final review, exam logistics, light practice — 10 hours
How to use practice questions effectively
– Simulate exam timing: do full 150-question, 4-hour practice sessions. Review mistakes immediately.
– Categorize errors: factual gaps, misapplied concepts, or time-pressure mistakes. Focus next study session on the largest category.
– Mix new material with review: use spaced repetition—revisit topics at increasing intervals.
Exam scoring and what “passing” means
– The CISA exam uses a scaled score; ISACA’s published passing mark is 450 (on their scale). Passing the exam is necessary but not sufficient for certification—documented work experience must be submitted and approved.
Exam-day checklist (practical)
– Documents: acceptable government photo ID(s) per ISACA/PSI rules. Confirm required ID ahead of time.
– Arrival: arrive at the test center early; allow extra time for check-in and security.
– Rest and nutrition: get a good night’s sleep and bring water/snack for breaks if allowed.
– Technical readiness (if remote testing): test your system per the test provider’s requirements a day or two before.
Career next steps after earning CISA
– Leverage the credential: list CISA on your resume and LinkedIn; highlight audit-related projects with measurable outcomes.
– Target roles: IT auditor, IS auditor, IT risk analyst, compliance analyst, security audit lead—job titles vary by firm.
– Continue networking: join ISACA chapters, online study groups, and industry conferences to find mentors and job leads.
– Keep learning: maintain CPEs with courses, webinars, publishing articles, or speaking at events.
Resources (authoritative)
– ISACA — CISA Certification Overview: https://www.isaca.org/credentialing/cisa
– Investopedia — Certified Information Systems Auditor (CISA): https://www.investopedia.com/terms/c/certified-information-systems-auditor.asp
– U.S. Bureau of Labor Statistics — Information Security Analysts (occupational outlook): https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
– PSI Exams (test delivery and scheduling for ISACA exams): https://www.psiexams.com/isaca
Brief educational disclaimer
This information is educational and not individualized professional advice. Certification requirements, fees, and schedules change; always confirm current rules and dates on ISACA’s official site before acting.