ISACA requires that a CISA candidate have at least 5 years of experience in IS/IT audit, control, assurance, or security. The experience is needed to both understand the concepts covered within the CISA and to demonstrate to employers the ability to integrate experience with knowledge.
ISACA allows the CISA candidate to waive 3 years of the experience requirement by:
a. A maximum of 1 year of information systems experience or 1 year of non-IS auditing experience can be substituted for 1 year of experience.
b. Sixty (60) to 120 completed university semester credit hours (the equivalent of a 2 or 4-year degree) not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years, respectively, of experience.
c. A bachelor’s or master’s degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience.
d. A master’s degree in information security or information technology from an accredited university can be substituted for 1 year of experience.
e. Two years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for 1 year of experience.