Certified Information Systems Auditor certification benefits and eligibility criteria
Benefits of CISA Certification
Obtaining the CISA certification offers several significant benefits:
- Expands knowledge and skills builds confidence in developing knowledge and skills in the areas of audit, controls, assurance, and security that can prepare you for advancement or expand your scope of responsibilities.
- Increases marketability and career options: Having a CISA can provide a competitive advantage and open up many doors of opportunity in various industries and countries.
- Helps you meet other certification requirements: The Payment Card Industry Qualified Security Assessor (PCI-QSA) certification requires that all certificate holders have a current security audit certification, either CISA or ISO 27001 Lead Auditor.
- Builds customer confidence and international credibility: Prospective customers needing control or audit work will have faith that the quality of the audits and controls documented or tested are in line with internationally recognized standards.
Regardless of your current position, demonstrating knowledge and experience in the areas of IT controls, audit, assurance, and security can expand your career options. The certification does not limit you to auditing; it can provide additional value and insight to those in or seeking the following positions:
- Executives such as chief executive officers (CEOs), chief financial officers (CFOs), and chief information officers (CIOs)
- Chief audit executives, audit partners, and audit directors
- Security and IT operations executives (chief technology officers [CTOs], chief information security officers [CISOs], chief information risk officers [CIROs], chief security officers [CSOs]), directors, managers, and staff
- Compliance executives and management
- Security and audit consultants
- Audit committee members
To become a CISA, you are required to pay the exam fee, pass the exam, prove that you have the required experience and education, and agree to uphold ethics and standards. To keep your CISA certification, you are required to take at least 20 continuing education hours each year (120 hours in three years) and pay annual maintenance fees.
Requirements to get CISA certified
- Experience: A CISA candidate must be able to submit verifiable evidence of at least five years’ experience, with a minimum of two years’ professional work experience in IS auditing, control, assurance, or security. Experience can be in any of the job content areas, but it must be verified.
- Ethics: Candidates must commit to adhering to ISACA's Code of Professional Ethics
- Standards: Those certified agree to abide by IS auditing standards and minimum guidelines for performing IS audits.
- Exam: Candidates must receive a passing score on the CISA exam. A passing score is valid for up to five years, after which the score is void.
- Application: An application must be made within five years of passing the exam.
- EducationThose certified must adhere to the CISA Continuing Education Policy, which requires a minimum of 20 continuing professional education (CPE) hours each year, with a total requirement of 120 CPEs throughout the certification period (three years).
To qualify for CISA certification, you must have completed the equivalent of five years’ total work experience. These five years can take many forms, with several substitutions available. Additional details on the minimum certification requirements, substitution options, and various examples are discussed next.
Although it is not recommended, a CISA candidate can take the exam before completing any work experience directly related to IS auditing. As long as the candidate passes the exam and the work experience requirements are fulfilled within five years of the exam date, and within ten years from application for certification, the candidate is eligible for certification.
Direct Work Experience
You are required to have a minimum of two years’ work experience in the field of IS audit, controls, or security. This is equivalent to 4,000 actual work hours, which must be related to one or more of the five following CISA job practice areas:
- Information Systems Auditing Process: Planning and conducting information systems audits following IS standards and best practices, communicating results, and advising on risk management and control practices.
- Governance and Management of IT: Ensuring that adequate organizational structures and processes are in place to align and support the organization's strategies and objectives.
- Information Systems Acquisition, Development, and Implementation: Ensuring that appropriate processes and controls are in place for the acquisition, development, testing, and implementation of information systems to provide reasonable assurance that the organization's strategies and objectives will be met.
- Information Systems Operations and Business Resilience: Ensuring that systems and infrastructure have appropriate operations, maintenance, and service management processes and controls in place to support meeting the organization's strategies and objectives.
- Protection of Information Assets: Ensuring that the organization's security policies, standards, procedures, and controls protect the confidentiality, integrity, and availability of information assets.
All work experience must be completed within the ten years before completing the certification application or within five years from the date of initially passing the CISA exam. You will need to complete a separate Verification of Work Experience form for each segment of experience.