Indian Exam Hub

Certified Information Systems Auditor (CISA)

Posted on October 16, 2025 (updated October 22, 2025) by user

Certified Information Systems Auditor (CISA) is a professional certification issued by ISACA that validates expertise in auditing, control, and security of information systems. It’s widely recognized across industries and is especially valued for roles in IT audit, risk management, governance, and compliance.

Key facts at a glance

  • Issuer: ISACA
  • Exam: 4 hours, 150 multiple-choice questions
  • Passing score: 450 (on ISACA’s scale)
  • Experience requirement: 5 years of relevant professional experience (with limited substitutions/waivers)
  • Continuing education: 20 CPE hours per year (120 hours every 3 years)
  • Exam cost (approx.): $575 for ISACA members, $760 for non-members
  • Typical salary range (2025): $108,000–$120,000 annually
  • Number certified (2022): >151,000

What CISAs do

CISAs assess and help protect an organization’s information systems. Typical responsibilities include:

  • Planning and executing IT audits and risk assessments.
  • Evaluating IT governance, policies, and controls.
  • Recommending and monitoring remediation and security improvements.
  • Supporting business continuity and disaster recovery planning.
  • Drafting and maintaining IT policies, standards, and procedures.

Typical audit process steps:
1. Evaluate business objectives, systems, and risk exposures.
2. Design and perform audit procedures.
3. Report findings and recommendations to management.
4. Guide implementation of controls and monitor remediation.
5. Re-test controls to confirm effectiveness.

Exam overview

  • Format: 150 multiple-choice questions, 4 hours.
  • Languages and scheduling: Available in multiple languages and offered at testing centers in scheduled windows (commonly June, September, December).
  • Identification and test rules: Testing centers require acceptable ID and may restrict phones, smart watches, headphones, food/drink, and visitors.
  • Cost: Varies by membership status (see Key facts).
  • Passing: Score of 450 required on ISACA’s scoring scale.

Exam domains and weightings

  1. The Process of Auditing Information Systems — 18%
    (audit planning, risk assessment, audit execution)
  2. Governance and Management of IT — 18%
    (IT frameworks, enterprise architecture, laws/regulations, quality assurance)
  3. Information Systems Acquisition, Development, and Implementation — 12%
    (feasibility, design methodologies, configuration and migration controls)
  4. Information Systems Operations and Business Resilience — 26%
    (system operations, resiliency, backup, business continuity, disaster recovery)
  5. Protection of Information Assets — 26%
    (security controls, event management, physical and logical access controls)

Experience requirements and education waivers

  • Standard requirement: 5 years of professional experience in information systems auditing, control, or security.
  • Substitutions: Up to 1 year of required experience may be substituted with relevant experience in information systems or financial auditing.
  • Education waivers (reduce required experience):
    • Associate degree: 1-year waiver
    • Bachelor’s, master’s, or doctorate (any field): 2-year waiver
    • Master’s in Information Systems (or related): 3-year waiver

Continuing professional education and maintenance

  • Requirement: 20 CPE hours per year, 120 hours every 3 years.
  • Renewal fees: ISACA members generally pay lower annual maintenance fees than nonmembers.
  • Earning CPEs: Attend conferences, ISACA courses/webinars, online training, volunteer with ISACA or related programs, complete approved activities and journal quizzes.
  • Reporting: CISAs manage and report CPE hours through their ISACA certification profile.

Advantages of the CISA certification

  • Demonstrates technical competence in IT audit, control, and security.
  • Widely recognized and transferable across industries and geographies.
  • Supports career advancement, higher pay, and stronger job security.
  • Requires ongoing education, keeping holders current with evolving technologies and risks.
  • Helps clarify career focus within specialized areas of IT risk and audit.

Timeline and career outlook

  • Typical timeline: At minimum, five years of qualifying experience is required before full certification—though education waivers can shorten this.
  • Demand: Strong and sustained demand for credentialed IT auditors as organizations increase focus on cybersecurity, compliance, and resilient operations.

Bottom line

CISA is a globally recognized credential for professionals who audit, control, and secure information systems. Earning it requires passing a comprehensive exam, meeting experience and ethical requirements, and committing to ongoing professional education. The certification enhances credibility, career prospects, and earning potential for IT audit and governance professionals.
