The CISA certification is a world-renowned competency benchmark that measures an auditor’s skill in evaluating IT systems. Issued by ISACA, it recognizes IT professionals who monitor, manage and protect information systems for businesses.
CISAs ensure that a company’s information systems are well-managed and protected from risk. They are responsible for instituting IT controls and addressing vulnerabilities in IT systems.
A CISA’s main responsibilities usually involve:
- Designing and implementing auditing strategies, based on a sound knowledge of risk management
- Determining whether an organization’s IT assets have adequate protections
- Executing audits with reference to the audited company’s business objectives
- Presenting audit results and offering business solutions based on those results
- Revisiting past audits to measure organizational follow-through on recommendations
CISA-accredited professionals are also often involved in other aspects of business operations. These can include risk and resource management, disaster recovery, policy reviews, and business continuity strategies.
How Does CISA Work?
CISA knowledge is divided into 5 job practice domains, each covering a different aspect of systems auditing. The first step to becoming accredited is to master each of these 5 domains, then go on to take ISACA’s CISA exam.
The five domains are:
- Information Systems Audit Process: This involves planning, conducting and reporting on IS audits.
- IT Governance and Management: CISAs are responsible for managing and evaluating IT departments’ structures, policies and processes.
- Information Systems, Acquisition, Development and Implementation: CISAs often function as project managers during the implementation of IT systems.
- Information Systems Operations and Business Resilience: The maintenance and service management of implemented information systems also falls under the job’s remit.
- Protection of Information Assets: CISAs must identify and recommend practices that actively address cyber risks.
Taking the CISA Exam
The CISA exam previously ran in June, September and December every year, but thanks to online registration and proctoring it is now available year-round.
Candidates must score 450 (out of a possible 800) or higher to pass. You can take the exam up to four times per year, starting with the date of your first attempt. ISACA currently offers English, Chinese Mandarin Simplified, French, Japanese, Korean and Spanish-language versions of the exam.
Applying to take the exam costs $50, and if your application is accepted it will cost a further $595 to take the exam – or $465 for ISACA members.
Preparing for the CISA Exam
The CISA exam is known for its difficulty, with an average pass rate of around 50%. It’s best to begin preparations early: successful candidates generally take between 6 months and a year to revise for the exam.
ISACA offers a number of resources to help prospective CISAs prepare for the exam, including a Questions, Answers & Explanations Database, a CISA-specific prep community, an online review course, and an eBook of study materials. Of these, the most important resource is the ISACA Review Manual, which is updated yearly.
There are also many courses available from training providers, such as Good e-Learning’s CISA Training(hyperlink). These high-quality courses cover all the materials in the Review Manual, with expert-led videos, interactive knowledge checks, and full-length practice exams.
Acquiring your CISA Certificate
Once you pass the exam, the next step is to apply for your CISA certificate. ISACA requires that CISA applicants have at least 5 years of professional experience in IS auditing, control, or security work.
You can substitute one year of other IS experience in place of auditing work, or one year of conventional auditing experience in place of IS work. A relevant university degree can also be used in place of up to 2 years of work experience, depending on the length of the degree. All experience must have occurred within 10 years of the date of your application.
CISA holders are required to take part in ISACA’s Continuing Professional Education (CPE) program. CPE is an on-going training program that makes sure CISAs keep up-to-date with their industry. CPE has four main goals:
- 1 – Monitoring each CISA’s IS audit, control and security knowledge
- 2 – Identifying CISAs who are no longer technically qualified enough to keep their certification
- 3 – Helping heads of department construct stable IS auditing teams by making suggestions on training, development and personnel selection
- 4 – Maintaining CISA knowledge and capabilities by disseminating new updates and releases
ISACA requires a minimum of 20 CPE hours annually, along with 120 hours contact hours over a three-year period. It also charges an $85 annual maintenance fee ($45 for ISACA members).
Benefits of CISA Training
Acquiring a CISA certification helps professionals prove their capability to employers and clients. It is a coveted standard for public companies all over the world and is often mandatory for IT audit and security information management (SIM) positions.
Benefits of certification include:
- A competitive edge in the job market: A much-coveted qualification, showcasing your CISA-status on your CV immediately makes you more attractive to prospective employers.
- Increased workplace value: The knowledge, skills and confidence that come with accreditation can lead to improved work performance and a higher perceived value within an organization.
- Increased workplace credibility: Earning your CISA accreditation shows both technical capability and a high level of organization and determination.
- Access to further development: CISA-accreditation means automatic enrolment in ISACA’s Continuing Professional Education (CPE) program. This program will ensure you are always up-to-date in your field.
- Increased Salary: CISA-certified professionals average between $52,459 and $122,326 in annual salary – far more than their non-accredited counterparts. The highest-paid CISA positions pay upwards of $130k per year.