CISA — Certified Information Systems Auditor

The CISA exam is composed of 150 multiple-choice questions. You’ll have four hours to complete all the questions on the exam. The questions are graded on a scale of 200 to 800 points, and you’ll need to earn at least 450 points to pass.

The CISA exam has a reputation for being extremely difficult. Between 60-70% of test-takers will pass the exam, according to ISACA. It’s crucial to rigorously study for the CISA exam and closely review the latest study guide. You may also wish to take self-guided practice tests to benchmark your knowledge and identify domain areas that require additional study.

The CISA exam is a 150-question, multiple-choice test that you will complete in four hours or less. The exam itself is scored on a scale of 200 to 800 points; a passing score is 450 points or higher. Most test-takers find the CISA exam quite challenging, so it’s important to give yourself adequate time to prepare before taking the test.

Pass rates vary depending on an individual’s experience, study habits and test-taking strategies. For example, Infosec partners with ISACA to offer a CISA Boot Camp with an Exam Pass Guarantee, which means if you don’t pass the exam on your first attempt, you’ll get a second attempt at no cost to you.

Read our 10 tips for CISA exam success for more advice on passing the exam.

The CISA exam has several fees associated with it. First, all test takers must pay a $50 application fee. Once you’ve been accepted, you’ll have to pay a registration fee. The registration fee for ISACA members is $575; for non-members, it’s $760.

The most up-to-date pricing for ISACA exams can be found on the ISACA website. You can download ISACA’s Exam Candidate Information Guide (English) in multiple languages to get the most up-to-date information about costs and other exam details.

Your CISA certification is active for three years following the date you pass the exam. In order to maintain the certification, you’ll have to complete at least 20 hours of continuing professional education (CPE) per year and a total of 120 hours in the three-year window before the expiration. CISA CPE activities include attending conferences, training, classes, volunteering, and more.

Read our article, Earning CISA CPE credits for more.

In addition to completing continuing professional education (CPE) activities, you’ll have to pay an annual maintenance fee to keep your CISA certification active. The annual fee is $45 for ISACA members and $85 for non-members.

The CISA prepares you for careers related to information security auditing, risk management and compliance. CISA is also appropriate for practitioners who need access to U.S. Department of Defense (DoD) information systems, as the certification is compliant with DoD 8570 and DoD 8140.

Some of the most common CISA job titles include:

• Internal auditor
• Public accounting auditor
• IS analyst
• IT audit manager
• IT project manager
• IT security officer
• Network operation security engineer
• Cyber security professional
• IT consultant
• IT risk and assurance manager
• Privacy officer
• Chief information officer

CISA holders have extensive expertise in assessing an organization’s data security and compliance with local regulations and laws. The audit aims to shed light on the business’s current security-related policies, procedures and systems to determine compliance and uncover weaknesses.

During an audit, the auditor will collect an extensive amount of data from information management systems and databases and compile that information into a report. Depending on the size of the organization and the seniority of the role, the auditor may also present their findings to key stakeholders within the organization.

IT audit reports typically include recommendations for improvement and mandatory changes to comply with regulations.

Read Infosec’s article, Roles and responsibilities of information security auditor, for more.

The answer to this question depends on what skills you’d like to validate and the types of roles you plan to pursue. CISA is a practitioner-focused certification with a strong emphasis on IT auditing. If you plan to work in a role where you’re “in the trenches” conducting systems audits and compiling reports, then CISA is a solid choice.

It’s also highly respected and relatively affordable compared to other IT certifications. However, if you plan to pursue a role outside of the IT auditing and compliance space or prefer management instead of hands-on work, then another certification will probably suit your needs better.

With the CISA certification, you can look forward to a competitive salary and a variety of opportunities to move into senior-level and management positions. Below is a sample of CISA salary data taken from Payscale.com in April 2022. Keep in mind that specifics will vary based on factors like location and experience.

• IT auditor: $76,247
• Compliance analyst: $85,179
• Senior information technology (IT) auditor: $88,418
• Risk analyst: $95,819
• Internal auditing manager: $106,777
• Compliance manager: $123,018

Read these Infosec articles for more:

• Average CISA salary
• Want to make more money? Here are the top 5 highest-paying infosec certifications

The CISA is the most popular ISACA certification, with approximately 151,000 CISA holders worldwide, according to ISACA.

While the CISA and CISM are sometimes lumped together, the two certifications are geared towards two very different career tracks.

The CISA is the industry standard for IT systems auditors and is geared toward professionals in hands-on practitioner roles. The CISM is a better fit for mid-and late-career professionals looking to codify their information security management expertise. CISM holders are typically managers, not practitioners. Additionally, CISA job descriptions often overlap with finance and accounting, while CISM roles are more related to program management or information assurance.

CRISC is an ISACA certification with a focus on enterprise-level IT risk management. The exam’s domains include IT risk identification, assessment, response, mitigation and reporting. The income potential for CRISC holders is competitive, with an average CRISC salary of $114,000.

CRISC is an ideal fit for professionals interested in validating their IT risk management skills, while CISA is better suited for validating audit-related skills.

The CISSP (Certified Information Systems Security Professional) is a credential offered by (ISC)². While the CISA focuses on auditing information systems, the CISSP is geared toward implementing, monitoring and maintaining those systems.

While some of the content covered by both exams overlaps, the jobs they prepare you for are quite different. The CISSP is ideal for careers in information security, and CISA is better suited for IT auditing. In terms of salary and earning potential, both certifications are roughly equivalent. According to (ISC)² salary data, CISA holders can expect to earn between $53,000–$122,000; CISSPs typically earn between $74,000–120,000 annually

CASP+ is an advanced-level certification offered by CompTIA. Although the exam will test you on knowledge related to compliance, governance and risk, the certification as a whole falls more in line with security engineering and architecture than CISA, which focuses on IT auditing.

The CEH (Certified Ethical Hacker) by EC-Council is one of the most popular certifications for entry-level cybersecurity professionals. The credential validates that you can “think like a hacker” and use the tools a malicious attacker would use during an attack. Many CEHs pursue careers as penetration testers, malware analysts, and security analysts.

It can be useful for understanding how attackers gain access to systems with improper controls, but the CEH is not focused on auditing like the CISA certification is.