The Ultimate Guide to ISACA Certifications – Overview & Career Paths [updated 2021]

May 3, 2021 by Susan Morrow

Whatever career you choose in life, you need to prove your qualifications. In the IT industry several organizations can help you demonstrate your ability to do your job, not only well, but with authority and knowledge. Information technology is an exciting career with many specializations to choose from as you increase your experience. It is also a career that encourages both men and women across all disciplines to enter. But one thing that IT is not, is stagnant.

Technology is fast-paced: the internet entered our lives less than 25 years ago, and yet already, we have the hyper-connectivity of the Internet of Things (IoT) and cloud computing. Change touches the heart of the enterprise from automation of business processes to network virtualization. IT professionals must keep up with these changes, and to do so, they turn to industry-respected IT certifications from ISACA.

What is ISACA?

ISACA is a not-for-profit, independent authority that represents IT professionals and offers IT certifications. An ISACA certification will progress your IT career and help you to stand out from the crowd. Here is the ultimate ISACA certification list to allow you to choose the certification path best suited for your career.

How to choose the best ISACA certification path for your career

ISACA offers a variety of certification options that are aligned with different roles, skill sets and job responsibilities. The main ISACA certifications are listed below:

  1. CISA (Certified Information Systems Auditor)
  2. CISM (Certified Information Security Manager)
  3. CGEIT (Certified in the Governance of Enterprise IT)
  4. CRISC (Certified in Risk and Information Systems Control)
  5. CDPSE (Certified Data Privacy Solutions Engineer)
  6. CSX-P (CSX Cybersecurity Practitioner)

ISACA also offers certificate paths (different from the more in-depth certifications above). These include COBIT-related certificates, such as:

  1. COBIT 2019 Foundation
  2. COBIT 2019 Design and Implementation
  3. Implementing the NIST Cybersecurity Framework Using COBIT 2019

A note on COBIT

COBIT 5, released in 2012, is the predecessor to COBIT 2019. The latter was designed to reflect the way that modern technology impacts cybersecurity risk. COBIT 2019 includes frameworks such as TOGAF, CMMI and ITIL. COBIT 2019 is a more coherent and connected program than COBIT 5.

Certified Information Systems Auditor (CISA)

IT systems are often very complex. The enterprise is transforming and embracing a culture of digital diversity and cloud-computing. The result is hyper-connectivity across the workforce and IT network. The job of an information systems auditor (ISA) is an important role in an organization. An ISA is responsible for internal controls and reviews of computer information systems. The auditor is not only responsible for using audit software to run reviews, but also for documenting and communicating the findings with other key staff. Other responsibilities may involve understanding the governance of IT systems and training other auditors. Completing training and certification as a CISA demonstrates your ability to do the job well.

The American National Standards Institute (ANSI) has accredited the CISA exam, so it is a valuable ISACA qualification to hold.

Who is this certification for?

This is an industry renowned and recognized certificate that is used to demonstrate the skills needed to be an information systems auditor. The certification will validate your knowledge in the areas of audit and reporting. It will also demonstrate your capability in vulnerability assessment within IT systems.

Where would you use it? 

As IT systems become increasingly under attack from both insider and external forces, having someone who can navigate IT systems is important. The CISA certificate shows you have the skills needed to spot critical issues and communicate them to team members. Having a CISA certificate shows you are a qualified professional who understands the importance of IT governance and standards. It also gives you a good grounding in the impact of choice and maintenance involved in software acquisition.

CISA exam prerequisites and exam domains

Prerequisites: To take this exam, you need to have at least five years of information system auditing or security experience. You can reduce the five years to three if you have at least one year of information system experience, a bachelor’s degree that incorporates ISACA modules or a master’s degree in IT or information security.

The exam itself is broken down into 150 questions across five domains:

  • Domain 1: information system auditing process (21%). Guidance on how to plan and conduct audits that protect and control IS systems
  • Domain 2: governance and management of IT (17%). Audit and assurance that the correct roles are in place to support the goals of the organization’s strategy
  • Domain 3: information systems acquisition and development (12%). Includes project governance and management, and lifecycle management of testing and releases
  • Domain 4: information systems operations and business resilience (23%). Ensure the processes around operations and maintenance are aligned with business objectives
  • Domain 5: protection of information assets (27%). Ensure alignment of the organization’s standards and procedures and that they fit with the confidentiality, integrity and availability of information assets. It includes measures such as encryption and PKI, and identity and access management

Certified Information Security Manager (CISM)

The ISACA CISM certificate is an internationally recognized ISACA qualification demonstrating your ability to manage an organization’s information security. According to ISACA, this is one of the most sought-after security certifications and holding it can help you command a higher salary. Cybersecurity as a career has never been more attractive or more challenging. Typical roles that benefit from holding a CISM certificate include security architect and chief information security officer (CISO). According to, the average salary for a CISO is $222,950.

Who is this certification for?

Holding a CISM certificate is a way of demonstrating your capability as a security practitioner and commercial knowledge in applying security principles that align with business goals. The certification is seen in the industry as an indicator of someone who can build and implement a company security program. Increasingly, risk management and data governance and compliance are a vital part of an organization’s security strategy. Having someone who understands how to deliver these pieces alongside a coherent strategy is a major advantage for an organization.

Where would you use it?

More than 46,000 people have been certified as a CISM. The certification is recognized by governments and industries across the world as a valuable professional exam. Once you have this certification under your belt, you will be able to prove you have the right skills to manage a program of security across an organization’s IT systems.

CISM exam prerequisites and exam domains

Prerequisites: This is a prestigious exam and the requirements for entry are stringent. You must have at least five years of information security work experience. Also, you are expected to have three years of information security management experience.

You can avoid some of the expected experience requirements if you hold a Certified Information Systems Auditor (CISA) or a Certified Information Systems Security Professional (CISSP) or have a postgraduate degree in information security.

There are 150 questions in the CISM exam, and the work areas covered are broken into four parts:

  • Domain 1: information security governance (24%). Covers the setup and maintenance of an information security governance framework
  • Domain 2: information risk management (30%). Demonstrates how to apply risk management based on business goals and expectations
  • Domain 3: information security program development and management (27%). Develop a security program to protect an organization’s assets whilst keeping the program in line with business goals
  • Domain 4: information security incident management (19%). Understand how to detect, mitigate and recover from security incidents

Certified in the Governance of Enterprise IT (CGEIT)

This is a professional certification for those wishing to progress their career in IT governance. IT governance is an increasingly important skill as organizations diversify their IT real estate. It is often described as a subset of enterprise governance. Practitioners of IT governance have the skills to align investments in IT with business strategies and goals, as well as to ensure risk management is in place. The need for such alignment has several drivers, including creating a competitive edge as well as helping to comply with regulations such as the Gramm-Leach-Bliley Act (GLBA).

Who is this certification for? 

The exam is a way to demonstrate that you have a holistic approach to the area of IT governance. The exam is viewed as an indicator of your ability to work in a senior position and to understand how the correct application of IT can benefit the business.

Where would you use it? 

Anyone wishing to progress their career to a level of management in IT governance can benefit from the CGEIT certification. Certification in this area shows an ability to work within a C-level environment and to be able to communicate problems and ideas at that level.

CGEIT exam prerequisites and exam domains

Prerequisites: This is a management-level exam, and you need at least five years of management experience in an IT-related or governance support position. There are no waivers for the experience required to take this exam, other than being allowed to substitute two years of teaching IT governance at an accredited university for every year of IT governance experience in the industry.

The exam is a 150-question paper split into four main areas:

  • Domain 1: governance of enterprise IT (40%). Establishment of a governance framework to achieve the vision and goals of the organization
  • Domain 2: IT resources (15%). Develop and monitor strategic IT planning
  • Domain 3: benefits realization (26%). Manage IT investments to ensure optimized benefits
  • Domain 4: risk optimization (19%). Develop a holistic IT risk management framework

Certified in Risk and Information Systems Control (CRISC)

Risk management is now a vital part of an enterprise. The IT resources used by a modern company are diverse and often involve third-party services in a cloud environment. The role of the modern IT professional must encompass an understanding of the risk to information and systems that the introduction of technology can add to an organization.

Who is this certification for? 

The CRISC exam readies IT professionals to analyze and assess the pros and cons of using a given technology in their organization. The certification shows the individual can assess business risk and can then apply appropriate technical controls.

Where would you use it? 

Any IT professional wishing to work in a role that involves understanding business risk, as related to IT, would benefit from taking this exam. The CRISC certification encourages continuous professional development and cutting-edge thinking on risk management. This makes it a valuable career tool for progressing your career as an IT professional.

CRISC exam prerequisites and exam domains

Prerequisites: Individuals wishing to take the exam will have to prove that they have relevant work experience.

The exam is 150 questions, split into four main areas:

  • Domain 1: IT risk identification (27%). Identification methods in determining IT risk in an organization and executing an IT risk management plan
  • Domain 2: IT risk assessment (28%). Analyze and evaluate IT risk
  • Domain 3: risk response and mitigation (23%). Understand how to evaluate and capture risk response from stakeholders and align with business objectives
  • Domain 4: risk and control monitoring and reporting (22%). Understand how to define, monitor and report key risk indicators (KRIs)

CDPSE (Certified Data Privacy Solutions Engineer)

Privacy has taken centre stage alongside security in an enterprise setting. The privacy of personal and corporate data is heavily regulated and requires specialist knowledge to understand the highly nuanced details of how to maintain data privacy. Data privacy specialists are involved in areas such as Privacy Impact Assessments (PIAs), understanding what strategies are used to protect privacy, including security measures like encryption and measures such as data minimisation as well as the governance of data. Understanding the lifecycle of data and how to classify it also plays a large role in ensuring that privacy is correctly applied.

Who is this certification for? 

The CDPSE is a technical, hands-on certification for people wishing to specialise in privacy matters. This is a new exam from ISACA and is an exam aimed at privacy engineers, privacy analysts, privacy managers, privacy architects, privacy consultants, and others in the privacy field.

Where would you use it? 

Privacy is a cross-disciplinary field and the exam is designed to measure the ability to work with folks from legal, policy, engineering and so on. Holding a CDPSE certificate will demonstrate that you are able to:

  • Build and implement privacy measures
  • Understand and advise on data lifecycle regulatory requirements
  • Understand the principles of and be able to implement Privacy by Design (PbD)
  • Map privacy requirements to the goals and needs of the business
  • Communicate across teams on privacy matters

CDPSE exam prerequisites and exam domains

There are a number of prerequisites for this exam:

  • 5 years’ work experience in the privacy areas covered by the domains
  • 3 years’ experience if one of the following ISACA (or related) certifications is held:
    • CISA
    • CISM
    • CGEIT
    • CRISC
    • CSX-P
    • FIP

The exam comprises 120 multi-choice questions made up from the following three domains:

  • Domain 1: Privacy Governance (34%): Includes data governance across jurisdictions and privacy laws across the world, management roles and responsibilities, and how to conduct a PIA
  • Domain 2: Privacy Architecture (36%): The technology side of privacy: infrastructure, architecture, applications and so on
  • Domain 3: Data Cycle (30%): All about the data lifecycle, data inventory and data classification

How to earn your next ISACA certification

Infosec is one of a handful of ISACA-accredited Elite+ Partners and can help you prepare for your exam with a hands-on certification boot camp taught by an experienced security professional.

CISA Boot Camp: This boot camp focuses on the essential areas required for success in the CISA exam. It teaches you all the skills needed to prevent unauthorized access to information. It is an intensive course, testing your knowledge and showing you how to apply that knowledge in the real world. You will also be given practice CISA questions.

CISM Boot Camp: At a 94% success rate, this Boot Camp has the highest exam pass rate in the country. This five-day, instructor-led course is designed to give you the best possible chance of passing the CISM exam. The course is based on the official ISACA CISM review manual, and you’ll use practice questions and model answers to increase your chances of exam success.

CRISC Boot Camp: This boot camp is designed and run by IT professionals for IT professionals. The camp has an excellent rating by course attendees and takes you through all the designated exam areas, preparing you for exam success.

CGEIT Boot Camp: This four-day boot camp will explain the CGEIT exam process to ensure you are fully prepared for the exam. Practice questions will help ensure your success.

All Infosec boot camps can be taken in person or online, or you can sign up for Infosec Skills and learn at your own pace with hundreds of on-demand courses, cyber ranges, skill assessments and practice exams.

The path to ISACA certification

An IT professional must be at the forefront of technological changes. They are also expected to understand how those changes impact the enterprise and how best to align new technologies to business goals to maintain a competitive edge. Keeping up with these changes and demonstrating your skill in making the most of technology is greatly helped by the certification offered by ISACA. The ISACA exams are not easy. They will test your capability across many areas of IT governance, risk management and information security — and can help set you up for career success.

Chief information security officer salary in the United States,

ISACA certifications, ISACA

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.