How To Obtain Your CISA (Certified Information Systems Auditor) Certification

To become CISA certified, you must pass the exam with a score of at least 450 while also having at least five years of professional information systems auditing, control, or security.


The CISA Exam

The interesting thing about the CISA Exam is that there are no prerequisites to taking it. You can take the exam whenever you want, and it is not uncommon for people to take it before fulfilling the rest of the certification requirements. But interest alone shouldn’t steer you into taking the exam before you are ready, especially since you will have a time limit to finish the rest of the process once you pass. Let’s take a look at what else you need to do besides pass the exam (only about 50% pass on the first try).


Work Experience

You will need a minimum of 5 years of professional work experience in information systems auditing, control, or security. That may seem like a ton of time and more than a little daunting, but there are quite a few substitutions or waivers that can knock that number down by a year or two. Here are all the possible ways to cut some time:

  • 1 year of information systems OR 1 year of non-information systems auditing experience can be substituted for 1 year of the required experience.
  • 60 to 120 university credit hours (which is the equivalent to an associate’s or a bachelor’s degree respectively) can be substituted for 1 or 2 years, respectively—this is not limited by the 10-year restriction.
  • Obtaining a bachelor’s or master’s degree from a university that uses the ISACA-sponsored Model Curricula may substitute for 1 year of experience.
  • Any master’s degree in information security or information technology from an accredited university can be substituted for 1 year of experience.
  • 2 years as an instructor at an accredited university in a related field can be substituted for 1 year of experience.


Those are plenty of ways to reduce the 5-year work experience requirement. Keep in mind, however, that you may substitute a maximum of 3 years in total. So, regardless of whether you have enough substitutions to equal 5 years, you may use only 3 years and will still be required to obtain 2 years of relevant work experience.

You must also do all of these things (except for earning an associate’s or bachelor’s degree) within 10 years of applying for the certification and within 5 years of successfully passing the CISA Exam. You must also apply for the certification within 5 years of passing the exam.

Adhere to the Code of Professional Ethics

Once you become certified, you must agree to adhere to the Code of Professional Ethics set forth by ISACA. It’s a pretty straightforward, common-sense code of ethics. But have a look at it from the horse’s mouth:

ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and ISACA certification holders shall:

  • Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
  • Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
  • Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
  • Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  • Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge, and competence.
  • Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
  • Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security, and risk management.


Failure to comply with this Code of Professional Ethics can result in an investigation into a member’s or certification holder’s conduct and, ultimately, in disciplinary measures.

Adhere to the Continuing Professional Education Program

Aside from passing the exam, fulfilling the work experience requirement, and staying professional, you must also participate in the Continuing Professional Education (CPE) Program. In this program, you’ll basically be keeping up to date with the fast-changing world of information systems. To do so, you’ll be required to complete 20 contact hours annually, as well as 120 contact hours during a fixed 3-year period.

There are annual fees associated with the CPE program, as well as stringent requirements for what counts towards the 20 and 120 contact hours. For more information, check out the ISACA website. There are plenty of rules and regulations to keep in mind, as well as guidance on what to do should you fail to maintain the hour requirements.

Keep It Up

The only other thing you need to do is maintain the standards of auditing information systems. Stay up to date, complete your annual and three-year CPE hours, and keep it professional. It’s a serious commitment, with several requirements that need constant maintenance, but the CISA certification is well worth the effort. You’ll be globally recognized, respected, and trusted to perform a key function in the age of information.



Lead Content Writer

Duke is a professional writer with a penchant for the world of finance and accounting. He enjoys rock climbing, free diving, and cooking.

Favorite Quote: "You can never have too many knives."