Understanding the Certified Information Systems Auditor (CISA) Exam

November 9, 2017 by Infosec

Interested in finding a rewarding career in the infosec world? Perhaps you’ve already got your foot in the door with an entry-level position and want to move on to a higher credential. Whatever the case, passing your CISA exam and earning your certified information systems auditor (CISA) credentials can help ensure a more rewarding career with a wider range of job opportunities.

Is pursuing CISA certification right for you? It can be, particularly if you’re interested in improving your career prospects. This credential is important for auditors, consultants, audit managers and even non-IT auditors.

It’s a credential designed and awarded by ISACA, one of the most trusted names in the information systems and security industry. According to ISACA, “The CISA designation is a globally recognized certification for IS audit control, assurance and security professionals. Being CISA-certified showcases your audit experience, skills and knowledge, and demonstrates you are capable to assess vulnerabilities, report on compliance and institute controls within the enterprise.”

What Is the Goal of the CISA Exam?

There are many benefits to earning your CISA credentials, but it’s important to understand passing the exam does not mean you’re trained in any particular type of software or the use of proprietary tools. This certification has a broader focus, and is non-proprietary. As such, the exam is designed to prove that you have the knowledge and experience necessary for job roles that require CISA certification, and that you have not only gained, but maintained, the level of knowledge necessary to be a valuable asset to an employer.

According to ISACA, “With a growing demand for individuals possessing IS audit, control, and security skills, CISA has become a preferred certification program by individuals and organizations around the world.”

What Is the CISA Exam Schedule, Duration & Format?

Understanding the exam schedule, duration and format of the CISA exam is a critical exam-prep step. You’ll have four hours to complete the exam, and it will be delivered via computer (2016 was the last year paper-and-pencil exams were administered, unless you live in an area of the world where computer-based testing centers are unavailable).

Unlike some other certification exams, the CISA exam is made up of only multiple-choice questions. Self-testing is available through the ISACA website to prepare you for taking the actual test.

Below, we’ve compiled a few example questions drawn directly from ISACA’s CISA self-assessment test:

  1. A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
     A. IS auditor
     B. Database administrator
     C. Project manager
     D. Data owner
  2. An organization’s IT director has approved the installation of a wireless local area network (WLAN) access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that:
     A. Encryption is enabled on the access point.
     B. The conference room network is on a separate virtual local area network (VLAN).
     C. Antivirus signatures and patch levels are current on the consultants’ laptops.
     D. Default user IDs are disabled and strong passwords are set on the corporate servers.
  3. An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:
     A. Expand the scope of the IS audit to include the devices that are not on the network diagram.
     B. Evaluate the impact of the undocumented devices on the audit scope.
     C. Note a control deficiency because the network diagram has not been approved.
     D. Plan follow-up audits of the undocumented devices.
  4. In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
     A. Approve and document the changes the next business day.
     B. Limit developer access to production to a specific time frame.
     C. Obtain secondary approval before releasing to production.
     D. Disable the compiler option in the production machine.
  5. While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:
     A. Recommend the use of disk mirroring.
     B. Review the adequacy of offsite storage.
     C. Review the capacity management process.
     D. Recommend the use of a compression algorithm.

How to Schedule & Take the CISA Exam

Scheduling your CISA exam is not particularly difficult. It can be done directly through the ISACA website, where you can register, pay for and schedule the exam. It’s impossible to schedule the exam without having first paid your fee.

What’s Required for CISA Testing?

In order to sit for the CISA exam, you’ll need to meet ISACA’s minimum requirements. According to ISACA, you’ll need “five or more years of experience in IS audit, control, assurance or security. Waivers are available for a maximum of three years.”

Of course, meeting those requirements is only the first step. You’ll also need to meet the requirements in order to enter the testing center. The first step here is to ensure that you have the right form of identification.

CISA exam testing centers will allow you to use a number of legal ID types, including the following:

  • Valid state-issued driver’s license
  • Valid military ID card
  • Valid passport
  • Valid state-issued ID card
  • Valid green card or permanent resident card
  • Valid national identification card (if applicable)

The Arrival Process

You will receive an email notifying you of the date, location and time of your CISA exam. You must be on time for this – if you are 15 minutes late or more, you will forfeit your exam fees and not be allowed to take the test. You will need to re-register, pay your fees again and reschedule as though you had canceled. The same thing applies if you arrive without an acceptable form of ID. Any no-shows will also forfeit their registration fees.

On arrival at the testing center, you’ll need to present your ID for verification by the staff/proctor. Once verified, you will be assigned a seat within the testing facility and allowed to take your exam. The testing process is monitored and follows a process similar to taking a test at a kiosk, rather than at an actual PSI testing center.

If you take your test at a PSI kiosk, you’ll arrive at the location and log into the test at the time you were assigned with your approved credentials. Your identity will be verified by remote staff, and you will also be monitored throughout the testing procedure.

All of this information, and more, can be found in the ISACA Exam Candidate Information Guide, available as a downloadable PDF.

Basic Rules to Know

As with most other professional exams, you will need to know and follow a few basic rules during the CISA exam. These include, but are not limited to, the following:

  • You cannot have any sort of reference material.
  • You are not allowed access to a smartphone during the test.
  • You are not allowed to use a calculator.
  • No communications or recording equipment of any type is allowed (and is grounds for dismissal if discovered).
  • You are not allowed to eat or drink during the exam.
  • No visitors are allowed.
  • No baggage is allowed, including purses and briefcases.
  • No weapons or tobacco products are allowed.
  • You may leave the testing area for an emergency or to use the restroom. Departure for any other reason will cause the test to end. You will need to be reauthorized to enter the testing area after leaving.

Cancellation, Rescheduling & Other Questions

You can reschedule your exam if needed. If you reschedule 48 hours or more prior to your exam date, there is no charge. However, if you must reschedule less than 48 hours from the exam date, you will forfeit your registration fee and will need to pay the full amount again when you reschedule. You can only reschedule your exam online through the ISACA scheduling system.

Candidates are allowed to defer one test, and one test only, for a fee of $200. To qualify for deferral, you must reschedule or cancel at least 48 hours prior to your exam date and then purchase a deferral through ISACA’s online system. You’ll then receive an email explaining how to reschedule your deferred exam.

If you need to cancel your exam, you will forfeit the fees paid and must pay the full amount again if you choose to reschedule the exam.

When & How to Schedule Your Test

Once you’ve registered and paid, you can schedule your test. Note that the CISA exam is administered only at specific testing centers in the United States and around the world. You can find a partial list of available testing centers and dates here, but be aware that ISACA continues to update the list as more centers are added.

What If I Fail?

If you do not pass the CISA exam on your first try, you are allowed to retake the test once within the same testing window. You will need to reregister, reschedule and pay your registration fees once more in order to take the exam a second time.

How Much Does It Cost?

Fees for taking the exam vary, depending on whether you’re already an ISACA member and when you’re registering.

For instance, if you’re registering early and are already an ISACA member, you’ll pay $525 to take the exam. If you’re registering early, but are not a member, you’ll pay $710. If you’re registering at the time of the exam and are a member, you’ll pay $575. If you’re not a member, and are registering at the time of the exam, you’ll pay $760.

What Does It Take to Pass the CISA?

The test itself consists of 150 questions. However, it’s important to note that scoring is done on a scale, rather than on the more traditional point-per-question basis. The lowest possible score is 200 (indicating that very few questions were answered correctly), and the highest possible score is 800. A passing score is 450 or higher.

Ultimately, earning your CISA credentials is an excellent way to enhance your career in the infosec field. Whether you aspire to take on a managerial role or simply to make yourself a more appealing job candidate, the CISA credential proves to employers that you have the knowledge, experience and expertise they demand. However, it is crucial that you understand the requirements for testing, and follow the rules laid out by ISACA, whether you’ll be testing at an actual PSI test center or using a PSI kiosk.

If you’re ready to start preparing for the CISA exam, consider enrolling in InfoSec Institute’s CISA Boot Camp. You can also gauge your level of preparedness for free at SkillSet, InfoSec Institute’s free exam prep tool.

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.