Information security auditor certifications
For those with a passion for information security and a mind for auditing, the role of information security auditor is tailor-made. Not only does it allow you to work in information security, but you also get to put your auditor hat to good use by creating highly detailed reports that establish an accurate picture of the organization’s information security stance.
With this said, you may be wondering what certifications will help you reach this unique role. This article will detail some of the best information security auditor certifications and will explore a little about certifications for this role: the Certified Information Systems Auditor certification (CISA), the Certified Internal Auditor certification (CIA) and the GIAC®️ Systems and Network Auditor certification (GSNA).
A little about certifications for this role
The role of information security auditor is a mid-level role at most organizations. This means that an information security professional will likely not break into the industry with it, nor will it be the role they finish their career at.
Organizations generally will not require that a job candidate be a certification holder before they can work as an information security auditor. However, having a certification may give you an edge over other candidates who do not have one or do not have one that focuses on auditing specifically.
Considered the “gold standard,” the Certified Information System Auditor certification (CISA) is the oldest and most well-known certification in the information security auditor space. Coupled with the fact that it is the most on-point certification in terms of subject matter, we are looking at a clear top certification for this role. CISA is hosted by ISACA.
This certification verifies that the holder has the knowledge, ability and skills necessary for information security auditing. To earn this certification, candidates need to pass an exam covering five domains of knowledge:
- Domain 1: Information System Auditing Process
- Domain 2: Governance and Management of IT
- Domain 3: Information Systems, Acquisition, Development, and Implementation
- Domain 4: Information Systems Operations and Business Resilience
- Domain 5: Protection of Information Assets
CISA certification requirements
If anything can be said about CISA, it’s that it has a high threshold of requirements that must be satisfied before the certification will be awarded. First, it has a high professional experience requirement of at least five years of professional work experience in information systems auditing, security, or control. Under some circumstances, this requirement may be able to be waived in part. More details about these exceptions can be found here.
The requirements don’t stop there. After the certification has been awarded, holders will need to satisfy continuing requirements to remain in good standing. These continuing requirements are:
- Continuing adherence to Code of Professional Ethics
- Continuing adherence to CISA’s Continuing Professional Education Program (CPE). Details can be found here
- Compliance with CISA’s Information System Auditing Standards
The Certified Internal Auditor certification, or CIA, is the premier, globally recognized certification for internal auditors that also applies to information security auditing. Released by the Institute of Internal Auditors, this certification should be on the shortlist of any information security auditor looking to distinguish their work with a well-founded certification.
CIA is a solid choice for an IS auditor who wants to complement the verification already provided by other certifications like CISA. This is because the specific focus of internal auditing will broaden the scope of your verifiable skills and make you a more well-rounded auditor.
The CIA certification exam covers four main areas:
- Internal audit’s role in risk, governance and control
- Conducting the internal audit — engagement
- Business analysis and information technology
- Business management skills
Following in CISA’s footsteps, CIA has certain requirements that need to be satisfied to earn the certification. These requirements are:
- Educational: Candidates must have earned a bachelor’s degree. Certain exceptions are allowed — if you have seven years of experience, you can waive this requirement
- Experience: 24 months of internal auditor experience (or 12 months if you have a master’s degree)
- Character reference: This reference must be signed by a CISA, CFSA, CFAP or CRMA certification holder or a supervisor
The GIAC Systems and Network Auditor (GSNA) is a certification hosted by (as you can probably guess) GIAC. Those that hold this certification can verify that they possess the knowledge, skills and abilities to competently apply risk analysis techniques to properly conduct an audit of their organization’s information systems.
The GSNA certification exam covers five areas of objectives, presented below:
- Auditing concepts and methodology
- Auditing networking devices and services
- Auditing Unix systems
- Auditing Windows systems
- Web application security
As you can see above, this certification presents straightforward audit-focused information that will help make you a leaner, meaner information security auditor if you are a certification holder.
GSNA certification requirements
There are no pre-requirements to earning the GSNA certification. Current certification holders will need to renew their certification and have a couple of options for that. They may take the current exam version and pass it, earn 36 continuing maintenance units (CMU) in an approved training session or publish a technical research paper, along with paying the renewal fee.
The role of information security auditor is a mid-level role that many who have a passion for information security and a mind for auditing will find themselves in, either as a natural career progression or to better fit in in an organization. Those who find themselves in this sought-after job will find that they have some options regarding certifications that may effectively put them ahead of other candidates.
All of the certifications above would successfully bolster anyone’s information security auditor career, but those looking to get the most out of their certifications should focus on earning their CISA certification and then move on down the list.