From the CISA Exam to the CISA Certification: An A-Z Guide
What is CISA?
The Information Systems Audit and Control Association (ISACA) Certified Information Security Manager (CISA) is the premier certification to promote auditing of information systems in support of the business organization.
Table of Contents
Who should pursue a CISA certification?
Those professionals who seek to engage in the assessment and auditing of Information Systems and its associated security controls, providing pivotal understanding of the vulnerabilities that can seriously impact a business organization’s mission and operations.
Benefits of a CISA certification
Employers who hire a CISA certified cybersecurity professional knows that the employee understands how information systems and business work together to ensure confidentiality and integrity of the business IT network, while fully supporting the availability of the IT network to what matters most to the business – it’s mission.
The CISA certification provides an understanding of the defense-in-depth that information security managers create to secure their information systems. Auditing and assessing an information system must be a part of an overall business risk and security management program, allowing maximum value to be obtained from critical resources. The CISA is a critical member with a multitude to opportunities across federal, military, and commercial cybersecurity professions and positions.
How to gain a CISA certification?
The CISA candidate can pursue the certification through several means:
a. A live classroom experience, called a bootcamp, where the candidate is exposed to the 5 domains of the CISA over a 4-day period of time. Benefits of a live classroom experience is the ability to have an instructor tailor the course to the class, answer questions, and bring scenario-based experiences to better understand the concepts.
b. A virtual classroom experience where the candidate is exposed to the 5 domains of the CISA through an internet connection. Benefits of a virtual classroom experience is the ability to take the course from the comforts of where you wish to attend (at home, at a coffee shop, etc), travel and dress code are at your discretion, and breaks are when you desire. Some virtual classrooms have a live instructor to discuss and tailor the class, but the instructor is limited compared to the live classroom experience.
c. Webinar classroom experience is similar to the virtual classroom, except the instruction is normally recorded by a live instructor. Benefits of a webinar-based classroom experience is the ability of the candidate to stop and start the session when they choose depending on the time available. The webinar also allows the candidate to repeat various lessons or segments to better understand the materials.
d. Self-study is the final means to prepare for the CISA exam and is normally combined with a live, virtual, or webinar method. Benefits of a self-study experience is the availability of the ISACA Review Manual and Questions, Answers, and Explanations manual to support in-depth understanding of an Information Systems Auditor, and practice test questions to support the learning of the CISA exam.
1. Register for the CISA exam with ISACA. Ensure the exam is taken within 365 days of registration for the exam; otherwise, the exam fee is forfeit
2. Take and pass the CISA exam at a PSI testing center
3. Notification of passing the exam is immediate with official notification from ISACA within 10 days
4. The candidate has 5 days from passing the exam to apply for the CISA certification
5. The candidate should proceed with obtaining a sponsor who has already been certified by ISACA in one of four ISACA certification programs
6. Ensure the required experience needed for the CISA certification is current and the sponsor can attest to your knowledge in information systems auditing as outlined by the CISA domains
7. Apply with ISACA for the CISA certification
8. Obtain the official ISACA CISA certification
The CISA exam costs $575 (member) or $760 (non-member) per attempt.
What are the prerequisites and eligibility criteria?
ISACA requires that a CISA candidate have at least 5 years of experience in IS/IT audit, control, assurance, or security. The experience is needed to both understand the concepts covered within the CISA and to demonstrate to employers the ability to integrate experience with knowledge.
ISACA allows the CISA candidate to waive 3 years of the experience requirement by:
a. A maximum of 1 year of information systems experience or 1 year of non-IS auditing experience can be substituted for 1 year of experience.
b. Sixty (60) to 120 completed university semester credit hours (the equivalent of a 2 or 4-year degree) not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years, respectively, of experience.
c. A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience.
d. A master's degree in information security or information technology from an accredited university can be substituted for 1 year of experience.
e. Two years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for 1 year of experience.
How difficult is it to get CISA certified?
The CISA certification is a difficult certification to obtain. For some candidates, they are able to take a class, study the materials and pass the exam the first time. For other candidates, they need to retake the class, and continue to study the materials for a second exam attempt. The most important point to remember – stay focused and pursue your goals and you will obtain the CISA certification.
How to prepare for the CISA exam?
Most of the successful CISA candidates prepare for the exam in the following way:
01 Self-study – obtain the ISACA Review Manual and Questions, Answers, and Explanations Manual. Many will spend 1-2 months preparing.
02 Bootcamp – after completing a self-study exam preparation, they register for a bootcamp to maximize their ability to understand and retain the information learned. The bootcamp instructor is normally able to highlight and tailor the training materials to fully allow the CISA candidate to understand difficult areas.
03 Continue to self-study until taking the exam (normally within 1-2 weeks of completing the bootcamp)
How long does it take to get CISA certification?
1. A CISA candidate is notified at the PSI testing facility of their pass or fail qualitative score. If a passing score is obtained, you will be informed that you passed pending an ISACA review process. This means that you passed the exam and now ISACA will review the exam you took, the answers provided, and ensure no anomalies or errors are found. Rarely are there any complications in this process.
2. The CISA candidate will be notified within 10 days that they officially passed the exam.
3. The CISA candidate needs to apply for the CISA certification through ISACA within 5 days of exam completion.
4. The CISA candidate must identify an ISACA certified member (someone who is currently an ISACA certification holder) to sponsor them for the certification – the sponsor is attesting to the candidate’s experience and has met the requirements.
5. The CISA candidate applies for the CISA certification through the ISACA website portal by downloading the applications, having the experience attested by the sponsor, and uploading the completed application to the ISACA website.
6. The CISA candidate will normally receive notification from ISACA within 4-6 weeks that they are a CISA with ISACA. If the CISA candidate has an ISACA account, they can view their actual quantitative score under their badge on the ISACA website portal.
How to add CISA to your resume ?
The CISA candidate may add the CISA certification to their resume, place the ‘CISA’ after their name, and download the ISACA CISA badge from the ISACA website after they have been officially notified by ISACA that they are ‘Certified’ as a CISA. Passing the exam does not constitute the ability to use CISA on a candidate’s resume.
How long is CISA valid?
The CISA is valid for 3-years and is renewable through Continuing Professional Education (CPE) units.
What is the re-certification process?
A CISA member enters into their ISACA portal the CPEs earned during a year. As long as a CISA member obtains the required CPEs each year and pays their annual CISA maintenance fee ($45/ year – member, $80/year – non-member), the CISA member is not required to retake the exam.
- A CISA member must obtain 120 CPEs over a 3-year period of time.
- A CISA member must obtain 20 CPEs per year.
1. The CISA exam is a 150 question, multiple-choice exam.
2. A CISA candidate has 4-hours to complete the exam.
3. The multiple-choice exam does permit the ability to flag or return to previous
questions and answers to review and/or change answers.
4. The passing score on the CISA exam is 450. The scoring range is from 200 to 800.
When does the CISA exam changes
The CISA course and exam change approximately every 3-years, or when the information systems auditing domain changes enough to warrant a curriculum and exam change.
How many questions in CISA exam
The CISA has 150 questions.
The CISA exam is a timed exam of a maximum of 4 hours
The CISA exam has a passing score of 450 out of a scoring range from 200 to 800. The questions all have the same value towards the exam score.
Link to the practice tests
ISACA Questions, Answers, and Explanations Manual (ISACA Website)
Jobs and trends
The job market has hundreds of different titles for positions related to information systems auditing. Depending on a candidate’s experience, a candidate with a CISA can pursue Information Assurance, Security Control Assessor, Information System Security Officer (ISSO), and Information Systems Auditor positions.
The numbers of positions demanding information systems auditing expertise is dramatically increasing with more positions needing filled than experts to fill them.
Salary with survey
Depending on where a CISA member chooses to work (location, employer, position), will have significant impacts on salary ranges.
$60,000 CISA experts salary range in an entry-level positions.
$175,000+ For experienced, high-level positions.
CISA Expert Conversation
The need for security experts...
The need for secure communications and information flow has never been greater in our connected, global marketplace. This requirement reaches all corners of information usage – government, military, commercial, and personal. Securing this information flow, ensuring confidentiality and integrity of our growing precious resource – data, is increasing our requirements to understand risk, risk management, and risk mitigation strategies and vision. At the root of all risk strategies is the underlying premise that we must first understand the information domain that impacts our risk strategies, and then turn our attention to those security controls we use to manage and/or mitigate the risks we face to that domain. The use of auditing and accounting has never been more important or in critical need than today so that business leaders and decision-makers can understand the risks they face, without bias or prejudice towards one solution or another.
The world of ecommerce, the life blood of market competition, service, and support flows through the arteries and veins of the global IT network. The life force of the IT network, however, needs periodic reviews of health, to ascertain where and what impacts our networks causing them to be overcome by external and internal threats. Business leaders need real answers to make critical decisions. Technology cannot and will not be the panacea that solves all issues. Business leaders have for too long devoted too many valuable resources to failed technology-alone solutions. Executives need to understand in their terms what the health of their networks are, what solutions will both support and enhance the overall health of their networks, and how business resources can be effectively and efficiently utilized. Business executives value the opinions of trained ISACA Certified Information System Auditor (CISA) experts to clearly identify the health of their networks and provide a diagnosis that outlines the pathway to security and health.
Why CISA certification?
Information system, cybersecurity, and audit experts who have the CISA certification have over five years of experience in Information System (IS) auditing, acquisition, governance, and operations. They understand IT governance and management and what it takes to protect information assets. The world of a CISA extends to Chief Information Security Officers (CISO), Information System Security Officers (ISSO), Information System Auditors (ISA), and senior IT program and project managers. CISA experts, as well as business leaders, understand that once you understand the underlying issues and framework for solution-building, the process for creating effective and efficient information system and security solutions is possible.
How to become CISA certified?
The CISA certification is demanding to attain, and therefore extremely valuable to those who have reached that level of expertise. Dedication and perseverance in understanding overarching business priorities and how auditing and accounting provides tremendous value to senior business leadership is the core to both a self- and formal training CISA course. There are limited resources and critical dependencies that impact an IT network daily – the auditor ensures those resources to be expended are for the right purpose and are value optimized for the business. Identifying a training organization that understands the core requirements of a CISA, translating these requirements into an understanding that resonates with you is a monumental first step in the path to becoming a CISA expert.
When you pass the exam and obtain the CISA certification, you have a right to celebrate for you earned a pivotal, career certification. Employers are seeking you to support them and the career positions are vast and prevalent.
Remember – “Your choice. Your career.”
Remember – “Your choice. Your career.”
James R. Beamon, Colonel (ret), USAF
CISSP, CAP, CISM, CISA, CRISC, CGEIT, Security+, CASP+, PMP
CISSP, CAP, CISM, CISA, CRISC, CGEIT, Security+, CASP+, PMP