The CISA certification, which is short for Certified Information Systems Auditor, is administered by an organization known as ISACA.
Incorporated in 1969 by a group of people who identified a need for a centralized source of information and guidance in the then-new field of electronic data processing audits, the Information Systems Audit and Control Association (ISACA) today serves 145,000 members in 180 countries.
They are a resource for and connect with 460,000 engaged information and cybersecurity professionals.
ISACA offers multiple professional certifications, including the CISA, CRISC, CISM, CGEIT, CSX-P, and CDPSE. Each of these certifications lends credibility to practitioners of various aspects of information systems, including:
This guide will examine the purpose and value of the CISA certification. CISA stands for Certified Information Systems Auditor, and we will explore this professional designation’s requirements, costs, and benefits. The information presented in this guide can help evaluate the value of obtaining a CISA and determine if it is the most beneficial certification for a candidate’s career path.
ISACA states that over 151,000 professionals hold this certification and that the CISA is accredited under ISO/IEC 17024:2012 – General requirements for bodies operating certification of persons. It is well accepted within the information systems community to indicate the holder’s knowledge and capabilities.
In this guide
- What is the CISA certification?
- CISA requirements
- CISA certification costs
- CISA exam deep dive
- CISA salary information
What is the Certified Information Systems Auditor (CISA) certification?
The CISA is designed to signify expertise for those who, as a regular part of their work, audit, control, monitor, and assess their organization’s information technology and business systems.
A CISA certification indicates expertise in the following work-related domains:
- Information systems auditing process
- Governance and management of IT
- Information systems acquisition, development, and implementation
- Information systems operations and business resilience
- Protection of information assets
Top salaries and an above-average projected job growth rate make obtaining a CISA designation readily justifiable for many IT professionals.
A rigorous exam and required employment experience make the CISA challenging to obtain. Still, this designation’s popularity is an indication that obtaining certification is within the capabilities of many IT audit, security, and control practitioners.
According to 2024 Cyberseek data, there are 35,812 people who hold the CISA certification in the United States. At the same time, there are 42,927 job openings looking for someone with a CISA certification.
The primary duty of IS/IT auditors is to stop fraud, needless spending, and non-compliance. They also analyze findings and report to the C-suite.
Here are a few typical jobs for CISA holders:
- IS analyst
- IT audit manager
- IT project manager
- IT security officer
- Network operation security engineer
- Cybersecurity analyst
- IT consultant
- IT risk and assurance manager
- Privacy officer
What are CISA requirements?
To qualify for the CISA, a candidate must, in addition to passing the CISA exam, have five or more years of experience in an IS/IT audit, control, assurance, or security job. They must also agree to adhere to a professional code of ethics. Experience waivers are possible for a maximum of three years.
The seven points covered by the professional code of ethics are:
- Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security, and risk management.
- Perform their duties with objectivity, due diligence, and professional care in accordance with professional standards.
- Serve in the interest of stakeholders in a lawful manner while maintaining high standards of conduct and character and not discrediting their profession or the Association.
- Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
- Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge, and competence.
- Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
- Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including audit, control, security, and risk management.
How much does obtaining a CISA certification cost?
Exam fees are based on membership standing at the time of exam registration. ISACA members pay $575.00, while nonmembers pay $760.00.
The total cost of preparing for a CISA certification will, of course, vary depending on the candidate’s knowledge and experience. A candidate with a minimum of practical knowledge and expertise may choose an instructor-led course to help them prepare for the exam. In contrast, a more seasoned candidate may only need to brush up using the ISACA self-paced exam prep option.
The self-paced exam prep solution offers a 12-month subscription to interactive, customizable sample exams. These sample exams draw from a database of more than 1,000 questions. ISACA members pay $299.00, and nonmembers $399.00 for this subscription.
Also available is an online review course that includes on-demand video training sessions, interactive modules and workbooks, case study activities, and assessments. Candidates choosing this option will have access to an online forum to ask questions. For this 22-hour, 365-day course, the member’s subscription fee is $795.00, and nonmembers pay $895.00.
Other costs associated with preparing for the CISA exam include study materials: the official CISA Review Manual and other publications hand-selected for their effectiveness in preparing CISA candidates for exam day. These cost around $110 for printed or eBook options.
For instructor-led test prep, candidates can choose from virtual instructor-led or in-person training and conferences. The cost for these courses varies and can range from around $1,000 for virtual instructor-led to $1,400.00 for in-person classes. For large corporate groups, there is a customized on-site option.
There are also ongoing costs associated with maintaining a CISA certification. To keep a CISA certification, a certification holder must acquire a minimum of 20 hours of Continuing Professional Education (CPE) credits each year and 120 hours for a three-year reporting cycle period. You must also pay the annual maintenance fee of $45 for ISACA members or $85 for nonmembers.
Over and above the costs associated with training courses and materials, there are soft costs to be considered as well. Time spent preparing for the exam will require sacrifice, and those soft costs should be weighed when deciding the overall cost-benefit question. Even so, the higher salaries and increased job opportunities enjoyed by CISA holders indicate that pursuing the certification will nearly always yield a good return on investment.
Deep dive into the CISA exam
ISACA provides a CISA practice quiz to allow a candidate to self-assess their preparedness to take the exam. An exam candidate guide can be downloaded. It provides essential details about eligibility and the exam process.
Offered in eleven languages, the CISA certification exam consists of 150 multiple choice questions that cover the exam content outline created from the most recent exam content analysis. Candidates have up to 4 hours to complete the exam.
| Domains of the CISA job practice areas | Weight |
| --- | --- |
| Domain 1: Information System Auditing Process | 21% |
| Domain 2: Governance and Management of IT | 17% |
| Domain 3: Information Systems Acquisition, Development and Implementation | 12% |
| Domain 4: Information Systems Operations and Business Resilience | 23% |
| Domain 5: Protection of Information Assets | 27% |
- Information system auditing process
Executing risk-based IS audit strategies, following proper IS audit standards, effectively communicating audit results and recommendations, and performing follow-ups are all covered in this domain.
- Governance and management of IT
Covered here are evaluating the IT governance structure and IT strategies for effectiveness. IT human resources, business continuity planning, and disaster recovery are examined in this domain as well.
- Information systems acquisition, development and implementation
Selecting IT suppliers and contracts that ensure proper service levels is a part of this domain. Knowledge tested includes subjects like feasibility studies, business cases, total cost of ownership, and return on investment. Additionally, project management and project risk management, project requirements analysis, success criteria, and post-implementation issues are covered in Domain 3.
- Information systems operations and business resilience
This domain includes knowledge related to service management practices, enterprise architecture, systems resiliency, control techniques, and performance monitoring. It also examines data backup, database management, data lifecycle, incident management practices, and disaster recovery testing.
- Protection of information assets
Topics in this domain relate to the protection of IT assets: information security, physical and environmental controls, and verification of assets with regard to their confidentiality, integrity, and availability.
Candidate exam scores are reported as a scaled score — a conversion of a candidate’s raw score on an exam to a standard scale. The purpose of a scaled score is to ensure that a standard way of reporting outcomes is used across disparate versions of the exam so that different versions are comparable and fair.
ISACA uses and reports scores on a standard scale from 200 to 800.
- A score of 800 represents a perfect score with all questions answered correctly.
- A score of 200 represents the lowest score possible and signifies only a small number of questions answered correctly.
- A candidate must receive a 450 or higher score to pass the exam, which represents the minimum standard of knowledge.
- A candidate receiving a passing score can then apply for certification if all other requirements are met.
CISA salary information
CISA often ranks among the most sought-after and highest-paying IT certifications. Job growth expectations are good, so the outlook for future employment continues to improve.
According to the US Bureau of Labor Statistics, rank-and-file accountants and auditors can expect to earn over $70,000 per year and enjoy a job growth rate of about 4 percent. Computer and Information Systems Managers, on the other hand, make nearly $150,000 per year and can expect a 10 percent job growth rate.
ISACA claims the average salary of CISA holders is $110,000. This is well above the average for accountants and auditors generally.
Frequently asked questions
CISA (Certified Information Systems Auditor) is a globally recognized certification offered by ISACA. It’s designed for professionals who audit, control, monitor, and assess an organization’s information technology and business systems.
Individuals in roles like IT auditors, consultants, audit managers, and security professionals can benefit from CISA to validate their expertise and enhance career prospects.
While you can take the exam without prior experience, to obtain the certification, you’ll need at least five years of professional experience in information systems auditing, control, or security.
The exam consists of 150 multiple-choice questions, covering five domains: Information System Auditing Process; Governance and Management of IT; Information Systems Acquisition, Development and Implementation; Information Systems Operations and Business Resilience; and Protection of Information Assets.
The score ranges from 200 to 800, with 450 or higher considered a passing score.
CISA is highly regarded in the IT audit, control, and security fields. Many organizations consider it a preferred certification for IT audit and compliance roles.
Pursuing the CISA certification can be a significant step in advancing your career in IT governance and security. Proper preparation and understanding of the process will be key to your success.
Conclusion
If you currently are or are interested in becoming an IT auditor, it is likely that you will significantly benefit from achieving and maintaining the ISACA CISA certification. It is widely recognized as a reliable indicator of the skills needed to be successful in the IS/IT profession.
Like all professional certifications, the CISA requires an investment of both time and money to earn, but the return on that investment is well worth it.
There is a growing need for professionals with the knowledge necessary to lead IS/IT audit and assurance programs. Employers trust the CISA professional designation and give high priority to job candidates with this certification. Obtaining this certification has been proven to be a useful measure for IS/IT career advancement.