Certified Information Systems Auditor (CISA) certification

What is the CISA certification?
The CISA (Certified Information Systems Auditor) certification is a globally recognized credential for information systems audit, control, assurance and security professionals, demonstrating both experience and competence in those areas. A CISA holder is expected to be able to identify and manage vulnerabilities, ensure compliance and implement and assess controls in an enterprise environment. As such, the CISA certification is a recognized standard of excellence and achievement for individuals who audit, control, monitor and assess I.T. and business systems. CISA certification is offered and administered by ISACA (Information Systems Audit and Control Association).

Who is the CISA certification for?
The CISA certification is an auditing certification focusing on I.T. rather than an I.T. certification focusing on auditing. That being said, while an I.T. background is not necessary to take the exam, I.T. is a subject the candidate will need to become very familiar with over the course of a CISA-related career. Even with a CISA certification, breaking into the I.T. audit job market without prior I.T. experience can be difficult (although not impossible).

Are there any prerequisites for the CISA certification?
While the CISA exam itself is open to any individual with an interest in information systems audit, control and security, the CISA certification itself will not be awarded to individuals with fewer than 5 years of relevant professional experience. In some circumstances candidates can apply for a waiver of up to 3 years of the work experience requirement, depending on their previous employment or educational history. For example, general IS experience (as opposed to IS audit experience specifically) can be counted in part toward the overall experience requirement.

Candidates claiming relevant work experience must have gained that experience within 10 years prior to applying for the CISA certification. Candidates wishing to take the exam first and then gain the relevant work experience must gain the appropriate work experience requirement within 5 years of passing the exam.

How do I obtain the CISA certification?
The basic steps to becoming CISA qualified are:
  • Pass the CISA exam
  • Apply for CISA certification (after all relevant work experience requirements have been met)
  • Agree to the Code of Professional Ethics
  • Commit to the Continuing Education program
  • Agree to adhere to the Information Systems Auditing Standards
The CISA exam is a paper-based exam (not computer-based, which many candidates may be used to from other certifications) consisting of 200 multiple-choice questions, with 4 hours allowed to complete it. The exam is offered in a number of different languages.

There are 5 IS audit, control and security domains tested in the exam. They are:
  • The Process of Auditing Information Systems
  • Governance and Management of I.T.
  • Information Systems Acquisition, Development and Implementation
  • Information Systems Operations, Maintenance and Support
  • Protection of Information Assets
ISACA publishes a comprehensive outline of the topics covered under each domain.

The exam is scored on a scale of 200-800, and candidates need to score 450 or more in order to pass. Candidates who pass the exam may then apply for their CISA certification, assuming all other requirements have been met. The CISA credential is not awarded automatically after passing the exam; the candidate must submit an application to be certified.

Exam results are mailed (and e-mailed, if requested) to the candidate approximately 5 weeks after the test.

Candidates who fail the exam (i.e. score under 450 points) can retake it at any future exam window, on payment of the applicable fees. There is no limit on the number of retakes, and the same conditions apply each time.

ISACA also publishes sample questions of the type candidates can expect on the exam.

What does the exam cost?
The CISA exam costs US$600 for non-members of ISACA (members pay a reduced fee). Additionally, candidates who pass will need to pay a certification application fee of US$50.

What are the CISA recertification requirements?
All CISA-qualified individuals are required to maintain their credential through an ongoing Continuing Professional Education (CPE) program. This involves paying a yearly maintenance fee and completing a minimum of 20 CPE hours every year, with a total of at least 120 CPE hours over each fixed 3-year reporting period (the annual hours count toward the 3-year total).

CPE hours are gained by undertaking activities that maintain or advance the CISA holder's knowledge or ability to perform CISA-related duties. Approved activities include official training courses, self-study courses, professional meetings and conferences, seminars, workshops, giving presentations, teaching, mentoring and similar activities.

Along with the annual maintenance fee (US$85 for non-members of ISACA), CISA holders must report the CPE activities they completed each year, and should retain records of those activities in case ISACA selects them for audit.

Failure to comply with the CPE requirements results in the loss of the credential, after which the individual may no longer use the designation 'CISA' on business cards, resumes or elsewhere.

Comprehensive details about the CPE program are published by ISACA.

Where can I take the CISA exam?
The CISA exam is administered in approximately 250 locations worldwide (ISACA publishes the list of test sites). About one month before the test date, candidates are mailed an exam admission ticket stating the time, date and location of their exam. Candidates must bring this admission ticket with them on the day of the exam.

There are only three testing windows during the year: June, September and December. Registration for a testing window normally opens approximately 3-5 months before the exam date and closes 1-2 months before the exam date. Candidates are advised to check the official ISACA website for current exam registration dates and deadlines.