CISA — Certified Information Systems Auditor

What is the CISA certification?

The Certified Information Systems Auditor (CISA) by ISACA is the “gold standard” for IT audit control and assurance. This highly sought-after and high-earning certification validates your skills in information systems auditing, governance and management of IT and business resilience. CISA holders look forward to a wide range of professional and financial benefits, including a 22% potential pay boost and 70% on-the-job performance improvement. Many IT auditing jobs require candidates to have a CISA or equivalent certification to sign off on reports. It’s also a commonly held certification among managers and directors in auditing departments. CISA holders often work at major accounting firms and have successful careers as independent consultants. To learn more about CISA opportunities, download your free ISACA Career Kit.

 

Is CISA the right ISACA certification for me?

The answer to this question depends on your career goals. As Chris DeMale, ISACA Director of Channel Business Development, explains, the CISA is all about auditing.

“The operative letter in CISA is the ‘A’ for IT audit,” says DeMale. “For many organizations, the CISA is a requirement for various roles and functions.”

This makes CISA unique among the certifications offered by ISACA, the others of which are related to risk, governance, management and privacy. If you’re interested in pursuing a career as an IT auditor, public accounting auditor, IS analyst or IT audit manager, then CISA is the right certification for you.

How do I get the CISA certification?

The CISA requires five years of work experience in information systems auditing, security or control. You can substitute up to three of the five years with a combination of the below:

  • One year of information systems experience or non-IS auditing experience can be substituted for one year of work experience.
  • 60 to 120 completed university semester credit hours (the equivalent of a 2-year or 4-year degree) can be substituted for one to two years of experience.
  • A master’s degree in information security or information technology from an accredited university can be substituted for one year of experience.
 

CISA exam FAQs

To stay up-to-date with the latest trends in information systems auditing, ISACA regularly updates the CISA exam. The most recent version was last updated in 2019. Here’s what you should know about the current CISA exam:

  • How many questions are on the CISA exam? How long is the CISA exam?

    The CISA exam is composed of 150 multiple-choice questions. You’ll have four hours to complete all the questions on the exam. The questions are graded on a scale of 200 to 800 points, and you’ll need to earn at least 450 points to pass.

  • How hard is the CISA exam?

    The CISA exam has a reputation for being extremely difficult. Between 60-70% of test-takers will pass the exam, according to ISACA. It’s crucial to rigorously study for the CISA exam and closely review the latest study guide. You may also wish to take self-guided practice tests to benchmark your knowledge and identify domain areas that require additional study.

  • How to pass the CISA exam?

    The CISA exam is a 150-question, multiple-choice test that you will complete in four hours or less. The exam itself is scored on a scale of 200 to 800 points; a passing score is 450 points or higher. Most test-takers find the CISA exam quite challenging, so it’s important to give yourself adequate time to prepare before taking the test.

    Pass rates vary depending on an individual’s experience, study habits and test-taking strategies. For example, Infosec partners with ISACA to offer a CISA Boot Camp with an Exam Pass Guarantee, which means if you don’t pass the exam on your first attempt, you’ll get a second attempt at no cost to you.

    Read our 10 tips for CISA exam success for more advice on passing the exam.

  • How much does the CISA exam cost?

    The CISA exam has several fees associated with it. First, all test takers must pay a $50 application fee. Once you’ve been accepted, you’ll have to pay a registration fee. The registration fee for ISACA members is $575; for non-members, it’s $760.

    The most up-to-date pricing for ISACA exams can be found on the ISACA website. You can download ISACA’s Exam Candidate Information Guide (English) in multiple languages to get the most up-to-date information about costs and other exam details.

  • Where do I take the CISA exam?

    The CISA exam is administered by PSI. You can take the exam online with remote proctoring or in-person at a PSI testing center. For more information, see the “Register for the Exam” section on the ISACA CISA page.

    Watch this video to learn more about testing in person a PSI test center: https://psi.wistia.com/medias/3321yp1ic8.

    Watch this video to learn more about remote testing: https://psi.wistia.com/medias/5kidxdd0ry.

  • How to prepare for the CISA exam?

    You have a variety of learning resources at your disposal to prepare for the CISA exam. We recommend starting out with the ISACA candidate guide (check out the ISACA CISA webpage for the most up-to-date version or to download the guide in other languages). The guide covers topics related to exam registration, important deadlines, exam domains and more. The guide is a must-read for every CISA test taker.

    A number of additional training resources are provided in the free and paid CISA training resources sections below.

  • How long is my CISA certification active? How do I earn CPEs?

    Your CISA certification is active for three years following the date you pass the exam. In order to maintain the certification, you’ll have to complete at least 20 hours of continuing professional education (CPE) per year and a total of 120 hours in the three-year window before the expiration. CISA CPE activities include attending conferences, training, classes, volunteering, and more.

    Read our article, Earning CISA CPE credits for more.

  • How much does it cost to renew my CISA?

    In addition to completing continuing professional education (CPE) activities, you’ll have to pay an annual maintenance fee to keep your CISA certification active. The annual fee is $45 for ISACA members and $85 for non-members.

Free and self-study CISA materials

When it comes to preparing for the CISA exam, there are free materials available in a variety of formats. From study guides to web forums and podcasts, you can pick and choose what works best for your learning style and study needs.

CISA study guides and CISA books

Books and study guides are another effective way to prepare for the CISA exam. ISACA provides an official CISA study guide updated to meet the current version of the exam. You can also find unofficial study guides and exam preparation guides on Amazon, certain bookstores and your local library.

Be sure to download your free ISACA Career Kit for more information from ISACA on their certifications.

CISA practice exams and simulations

Practice exams are an essential part of any robust CISA study routine. The exams will help you benchmark your comprehension and target specific concepts or domains that require additional study time. Official and unofficial practice exam questions are available:

  • CISA Review Questions, Answers & Explanations (QAE) Manual, 12th Edition (published by ISACA and also available as a 12-month subscription to the QAE Database)
  • CISA Certified Information Systems Auditor Practice Exams by Peter H. Gregory (published by McGraw Hill)
  • Other services like Boson, Pocket Prep and CertLibray also provide paid ISACA practice exams

Infosec partners with ISACA to provide live online CISA boot camps that include unlimited practice exam attempts and a 12-month subscription to the ISACA QAE Database.

 

Other free CISA training resources

There are a number of other free CISA training materials being produced and shared by the community:

  • Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CISA.
  • YouTube is another great place to connect with cybersecurity practitioners and learn about the CISA exam. Although most CISA courses cost money, there are numerous free CISA videos available to watch.
  • Podcasts may not help you directly study for your CISA exam, but those like the Cyber Work Podcast are a great way to learn about cybersecurity career options and your peers’ career journeys.

CISA jobs, careers and salary

CISA is designed for early- to mid-career professionals with at least five years of experience. The certificate is ideal for practitioners who want to validate their existing skills for promotions and pay raises but who aren’t interested in pursuing management just yet. 

  • What are common CISA jobs?

    The CISA prepares you for careers related to information security auditing, risk management and compliance. CISA is also appropriate for practitioners who need access to U.S. Department of Defense (DoD) information systems, as the certification is compliant with DoD 8570 and DoD 8140.

    Some of the most common CISA job titles include:

    • Internal auditor
    • Public accounting auditor
    • IS analyst
    • IT audit manager
    • IT project manager
    • IT security officer
    • Network operation security engineer
    • Cyber security professional
    • IT consultant
    • IT risk and assurance manager
    • Privacy officer
    • Chief information officer

     

  • What does a CISA certification holder do?

    CISA holders have extensive expertise in assessing an organization’s data security and compliance with local regulations and laws. The audit aims to shed light on the business’s current security-related policies, procedures and systems to determine compliance and uncover weaknesses.

    During an audit, the auditor will collect an extensive amount of data from information management systems and databases and compile that information into a report. Depending on the size of the organization and the seniority of the role, the auditor may also present their findings to key stakeholders within the organization.

    IT audit reports typically include recommendations for improvement and mandatory changes to comply with regulations.

    Read Infosec’s article, Roles and responsibilities of information security auditor, for more.

  • Is CISA worth it?

    The answer to this question depends on what skills you’d like to validate and the types of roles you plan to pursue. CISA is a practitioner-focused certification with a strong emphasis on IT auditing. If you plan to work in a role where you’re “in the trenches” conducting systems audits and compiling reports, then CISA is a solid choice.

    It’s also highly respected and relatively affordable compared to other IT certifications. However, if you plan to pursue a role outside of the IT auditing and compliance space or prefer management instead of hands-on work, then another certification will probably suit your needs better.

  • What is the CISA average salary?

    With the CISA certification, you can look forward to a competitive salary and a variety of opportunities to move into senior-level and management positions. Below is a sample of CISA salary data taken from Payscale.com in April 2022. Keep in mind that specifics will vary based on factors like location and experience.

    • IT auditor: $76,247
    • Compliance analyst: $85,179
    • Senior information technology (IT) auditor: $88,418
    • Risk analyst: $95,819
    • Internal auditing manager: $106,777
    • Compliance manager: $123,018

    Read these Infosec articles for more:

  • How many people have CISA?

    The CISA is the most popular ISACA certification, with approximately 151,000 CISA holders worldwide, according to ISACA.

  • Where can I find CISA jobs?

    The CISA is the most popular IT audit-related certification. It’s often listed in IT and security audit job openings to validate your knowledge and skills. To find CISA or cybersecurity audit openings on general job boards like Indeed, Monster, Glassdoor, LinkedIn and CareerBuilder, search for the keywords “CISA,” “ISACA” or “IT auditor.”

    Security-focused job boards such as ClearedJobs and infosec-jobs.com are also good sources of roles for CISM holders. Other good sources of security job postings are cybersecurity groups like ISACA and others (ISSABSidesOWASPWomen in Cybersecurity and others) and cybersecurity websites.

    Before your interview, check out our free ebook of cybersecurity interview tips, “How to stand out, get hired and advance your career.”

Paid CISA training and exam prep

When it comes to preparing for the CISA exam, you can choose to train yourself with books and free resources, or you can find a paid course. Most CISA courses fall into two categories: live online CISA boot camps or on-demand CISA courses where you go at your own pace.

Live CISA boot camps

A CISA boot camp provides days of in-depth instruction from an expert instructor. For example, Infosec partners with ISACA to provide a five-day CISA boot camp that you can take live online or in person. There are a number of other training providers that offer similar options.

The benefits of a live CISA boot camp include:

  • Live training and Q&A: You will likely have questions — and you may not know the best place to get them answered. A live instructor can set you on the right path.
  • Complete training package: Most CISA boot camps provide everything you need: instruction, exam vouchers, books, practice exams and labs. Training with a live instructor is more expensive, so when shopping around, be sure you know what’s included in your purchase — and what you’ll have to pay extra for.
  • Improved pass rates: Boot camp providers like Infosec stand by their training with an Exam Pass Guarantee. That means if you fail your exam on your first attempt, you’ll get a second attempt to pass — for free.

Self-paced CISA training

If you’re not in a hurry to earn your CISA, the go-at-your-own-pace model can be a great (and more affordable) option. These types of courses usually consist of a number of pre-recorded videos, along with practice exams and labs or exercises you can do on your own to reinforce the material.

The benefits of on-demand CISA training include:

  • Train when you want: You’re in charge of your training schedule, whether that’s daily on your lunch break or cramming all weekend long. For further motivation, you can join a study group or connect with others who are preparing for the exam.
  • Build an individual training plan: Don’t waste time learning what you already know. Since you’re not tied to a group, you can spend more time focused on the areas you need to learn most.
  • Prepare at your own pace: With on-demand training, you can take your time preparing for your CISA. Just don’t go too slow! Studies show you can quickly forget the information your’re studying — unless you’re actively using it or reviewing it.

CISA comparisons and alternatives

The CISA is one of several advanced cybersecurity certifications that you can choose from. Here’s how it stacks up against the other popular certifications you may want to consider.

  • CISA vs. CISM

    While the CISA and CISM are sometimes lumped together, the two certifications are geared towards two very different career tracks.

    The CISA is the industry standard for IT systems auditors and is geared toward professionals in hands-on practitioner roles. The CISM is a better fit for mid-and late-career professionals looking to codify their information security management expertise. CISM holders are typically managers, not practitioners. Additionally, CISA job descriptions often overlap with finance and accounting, while CISM roles are more related to program management or information assurance.

  • CISA vs. CRISC

    CRISC is an ISACA certification with a focus on enterprise-level IT risk management. The exam’s domains include IT risk identification, assessment, response, mitigation and reporting. The income potential for CRISC holders is competitive, with an average CRISC salary of $114,000.

    CRISC is an ideal fit for professionals interested in validating their IT risk management skills, while CISA is better suited for validating audit-related skills.

  • CISA vs. CISSP

    The CISSP (Certified Information Systems Security Professional) is a credential offered by (ISC)². While the CISA focuses on auditing information systems, the CISSP is geared toward implementing, monitoring and maintaining those systems.

    While some of the content covered by both exams overlaps, the jobs they prepare you for are quite different. The CISSP is ideal for careers in information security, and CISA is better suited for IT auditing. In terms of salary and earning potential, both certifications are roughly equivalent. According to (ISC)² salary data, CISA holders can expect to earn between $53,000–$122,000; CISSPs typically earn between $74,000–120,000 annually

  • CISA vs. CASP+

    CASP+ is an advanced-level certification offered by CompTIA. Although the exam will test you on knowledge related to compliance, governance and risk, the certification as a whole falls more in line with security engineering and architecture than CISA, which focuses on IT auditing.

  • CISA vs. CEH

    The CEH (Certified Ethical Hacker) by EC-Council is one of the most popular certifications for entry-level cybersecurity professionals. The credential validates that you can “think like a hacker” and use the tools a malicious attacker would use during an attack. Many CEHs pursue careers as penetration testers, malware analysts, and security analysts.

    It can be useful for understanding how attackers gain access to systems with improper controls, but the CEH is not focused on auditing like the CISA certification is.