CISA certification guide: Certified Information Systems Auditor explained

If you want to demonstrate your knowledge, abilities, and skills for IT auditing, the CISA certification from the ISACA is a great place to start.

The Certified Information Systems Auditor (CISA) certification validates your knowledge for information systems auditing, assurance, control, security, cybersecurity, and governance.

Offered by the Information Systems Audit and Control Association (ISACA), the credential is designed for IT and IS auditors tasked with evaluating an organization’s information systems to identify issues and potential security threats. This globally recognized certification is one of the few certifications specifically designed for IT auditors. According to the ISACA, the certification is also beneficial for compliance analysts, program managers, risk analysts, data protection managers, security officers, and IT consultants.

CISA certification requirements

To apply for the CISA exam, you’ll need at least five years of professional experience auditing, controlling, or securing information systems (IS) within the past 10 years. You can receive a waiver for up to three years of experience if you have the following:

  • Maximum of one year of IS experience or one year of non-IS auditing experience
  • The equivalent of a two- or four-year degree, which can be substituted for one to two years of experience
  • A master’s degree in IS or IT from any accredited university, which is equivalent to one year of experience

CISA exam

The CISA exam is graded on a scale of 200 to 800 points. To pass, you’ll need to earn a score of 450 or higher. You will be given four hours to complete the 150-question multiple-choice exam, which covers five main job practice areas in IS auditing, control, and security:

  • Domain 1: Information system auditing process (21%)
  • Domain 2: Governance and management of IT (17%)
  • Domain 3: Information systems acquisition, development, and implementation (12%)
  • Domain 4: Information systems operations, maintenance, and service management (23%)
  • Domain 5: Protection of information assets (27%)

Domain 1 covers the basics of IT auditing and how to provide audit services that align with the recommended best practices for protecting and controlling information systems. This domain tests your ability to evaluate how secure an organization’s IS and IT infrastructure is and if there are any potential risks. It includes questions on topics such as IS audit standards, risk-based audit planning, data analytics, sampling methodology, and other skills related to planning and executing an IT or IS audit.  

Domain 2 centers on IT governance and IT management, validating your ability to identify critical issues and offer recommendations for safeguarding information and related technologies. This portion of the exam includes questions about enterprise architecture, maturity models, IT resource management, quality assurance, and management of IT, among other topics.

Domain 3 involves the acquisition, development, testing, and implementation of IT systems to meet organizational goals. You’ll be tested on your knowledge of topics such as project governance, system development methodologies, control identification and design, testing methodologies, configuration, and release management.

Domain 4 tests knowledge of IS operations and business resilience, validating your knowledge of how IT relates to the business overall. Exam questions cover topics such as IT asset management, system interfaces, data governance, systems performance management, problem and incident management, business impact analysis, business continuity planning, disaster recovery planning, among other related topics.

Domain 5 covers the principles, best practices, and pitfalls of cybersecurity. Questions include those on topics related to information asset security and control as well as security event management. You will also be tested on privacy principles, network and end-point security, public key infrastructure (PKI), virtualized environments, security testing tools and techniques, and incident response management, among other related topics.

CISA training

The ISACA offers several options to prepare yourself for the CISA exam. You can choose from visual instructor-led training, online or on-demand review courses, print or downloadable review manuals, review questions and access to an answers and explanation database with a 12-month ISACA membership subscription.

You can also choose to attend a four-day in-person course hosted by the ISACA in various locations across the US. Alternatively, if your organization wants to certify a group of employees at once, IT leaders can bring the training directly to the company.

You can also find courses and bootcamps offered outside the ISACA from third-party companies such as Infosec Institute, Learning Tree, Cybrary, Secure Ninja, Career Academy, BSI, and others.

CISA exam and maintenance fees

ISACA members receive discounted exam fees, but if you want to pass on a membership, you can opt to pay higher fees for certification exams and renewals. The exam requires a $50 application fee. Upon acceptance, ISACA members pay $575 for exam registration, while non-members will need to pay $760.

To maintain your CISA certification, you’ll need to earn a minimum of 20 hours of professional education credits per year and 120 hours every three years. You’ll also need to pay the annual maintenance fee of $45 for ISACA members or $85 for non-members. There’s also the chance you’ll need to comply with the annual CPE audit if you are selected and you will also be expected to comply with the ISACA’s code of professional ethics and abide by the ISACA’s IT auditing standards.

CISA salary

Certifications are great for filling out your resume with more experience and demonstrating your qualifications, but they can also help boost your salary. The average salary for IT auditors with a CISA certification is $128,086 per year, according to data from the ISACA. To compare, PayScale cites the average salary for an IT auditor is $71,000 and $120,000 for a senior IT auditor.

Copyright © 2021 IDG Communications, Inc.

Watch out for these 6 IT management traps to avoid