A Comprehensive Guide to CISA Requirements in 2024

Information technology auditing is a growing field, and you can stand out from the crowd by earning your Certified Information Systems Auditor (CISA) certification. It will give you a leg up on the competition and help mid-career professionals revitalize their job path, including earning a raise.

There are about 150,000 CISA holders worldwide, so this qualification can help anyone in risk management, disaster recovery, or computer science stand out among other applicants. You’ll show potential employees you value your education and adhere to the industry’s professional standards. To earn your certification, you need to meet and maintain certain CISA requirements.

An Overview of CISA Requirements

The Information Systems Audit and Control Association (ISACA), the governing body of CISA, offers eight main certification programs, plus micro-certificates for the IT auditor industry. To earn this accreditation from ISACA, you must pass the CISA exam, have enough work experience, and apply for the CISA certification.

There’s no strict order to how you need to complete these steps. You can take the CISA exam before you have the required work experience or meet the work requirement and then take the exam. Once you meet both qualifications in any order, you can apply for the CISA certification.

You pay to take the exam and pay an application fee for the certification. However, these fees are minor, and the outcome of getting a CISA certification will greatly pay off in terms of an increased salary, job security, and more potential employment opportunities, so it’s worth the small initial investment.

It’s possible to lower the cost of the exam by several hundred dollars if you apply for an ISACA membership. There are options for students, recent graduates, and professionals. As an ISACA member, you have access to industry trends, networking opportunities, and audit strategies, so this professional designation can help further your career even after you take the exam.

Another investment in your future is the study guide or CISA review course you take. Students and recent graduates might prefer to independently use a CISA review manual, while someone on the job longer might prefer a more in-depth session. You’ll learn what’s on the exam and can practice your test-taking skills. 

If you’re unsure about your need for a study course, you can take a practice quiz on the ISACA website. These ten questions give you an idea of what they ask on the official exam, so you’ll have a clear understanding of your knowledge. After you see your practice quiz score, you can decide to register for a study session.

How Do You Maintain Your CISA Certification?

Once you earn your CISA designation, you need to maintain it. This process is just as straightforward as the initial certification. You need to complete Continuing Professional Education (CPE) courses, comply with the Information Systems Auditing Standards, always meet ISACA’s Code of Professional Ethics, and pay an annual maintenance fee.

The Code of Professional Ethics includes information about complying with professional standards, performing work with objectivity, and serving stakeholders with high standards. There’s a drive to maintain confidentiality and inform the relevant parties about the work done in the interest of full disclosure.

Anyone with experience in the field can follow ISACA’s Code of Professional Ethics naturally because they already have work experience and have passed the exam. These qualifications will feel like second nature to them.

CISA Certification Requirements

The CISA prerequisites include the completion of the official exam and meeting the work experience requirements. At that point, you can apply for the certification. Understanding the exam and the work experience are the biggest hurdles to getting this certification.

CISA Exam Information

The CISA examination exam is one of the biggest requirements. It tests your information system knowledge at a deep level, so you need to know the material thoroughly. Working in the industry can help you gain this information from a hands-on perspective, but you can also take review courses and work through study materials independently.

Exam Overview

The exam comes in 11 languages with 150 multiple-choice questions, taken over four hours. It covers five distinct domains in the information technology field, including:

• Protection of information assets
• Information systems operations and business resilience
• Information system auditing process
• Governance and management of IT
• Information systems acquisition, development, and implementation

Exam Scoring

ISACA scales the scores by converting your raw score to a standard score, ensuring all versions are accurate. The scale ranges from 200 to 800, with 800 as a perfect score. You need to earn at least 450 points to pass the exam, which means you met the minimum requirements. If you don’t earn a passing score, you need to retake the exam before applying for certification.

CISA Experience Requirements

Before you can apply for the certificate, you must meet the experience aspect of CISA requirements. You must work in the information systems field for at least five years. You can work in auditing, control, or security. As long as most of your daily tasks fall within one or more of the five domains on the test, your job will count as work experience for this qualification.

Having five years of experience is just the general requirement for the CISA certification. You need to get this job history within ten years, along with the timing of your passing the CISA exam and applying for the certification. While you can take the exam as you acquire five years of work experience, you don’t want to wait too long to complete the entire process.

After passing the CISA exam, you have five years to apply for the official certification. This means you can take the exam before you meet the work history requirements and still qualify for the CISA certification before your exam score expires.

However, many people find it easier to pass the CISA exam if they already have work experience. You might prefer to work in the field for a few years to get the foundational knowledge, then take the exam, and apply for the CISA certification to level up your employment or find a new job.

CISA Experience Substitutions

There are waivers for work experience to streamline the CISA qualification process. You can submit up to five years of experience in information systems, non-information security auditing, or teaching in a related field and eliminate the need for three years of CISA work experience.

Educational credits also equate to one year of experience for the CISA certification. A bachelor’s or master’s degree from an accredited university counts as one year, as do 60 university semester credit hours.

You have to verify your experience with ISACA, either by showing your degree for the equivalencies or by having your supervisor sign off on your work history.

CISA Certification Application

After taking the CISA exam and earning the right amount of work history, you can apply for CISA certification. The only deadline related to this step is that you must complete it within five years of passing the exam.

The online application asks for verification and supporting documents to prove you have the experience and scores necessary to earn the certification. You also have to pay an application fee.

It can take up to three weeks to hear about your application status, but the decisions aren’t final. You can appeal to ISACA if they deny your application. Once you earn the certification, you get a letter of approval, a CISA certificate, and an official pin.

CISA CPE Requirements

CISA’s CPE requirements reset annually on January 1, so you need to continually educate yourself to ensure you know the most updated information in the industry. You need to take a minimum of 20 hours of CPE each year. On the plus side, these courses can help you earn additional ISACA certifications.

This process helps you maintain competency in the field of auditing, control, and security. It’s also a way to discern who recently acquired CISA certification and who has more experience in the industry.

These courses can also help you spotlight your professional goals by earning CPE which can help you specialize in a specific industry or learn the necessary skills that make you stand out from other applicants in the job market.

What Counts as CPE for Professional Auditing

Professional activities that fulfill the CPE requirements include various events, including:

• ISACA professional education activities
• ISACA meetings
• Corporate training
• Conferences, seminars, and workshops
• University courses in related fields
• Certification review courses
• Self-study courses
• Passing ISACA Journal quizzes
• Vendor marketing presentations
• Teaching, lecturing, mentoring, or presenting
• Publishing articles and books
• Serving on ISACA boards and committees

Final Thoughts on CISA Governance

Acquiring your certification might seem like an involved process, but it’s very straightforward. The flexibility of completing the work experience and exam in any order makes it something you can work toward naturally throughout your career. Study tools like the Surgent CISA Review can help you prepare for the process and exam.
If you work in the information technology field, you can earn your certification to increase your salary. The Bureau of Labor Statistics notes that computer and information systems managers earn an average salary of $150,000 with a 10% job growth rate. Expanding your knowledge with the CISA certification will advance your career and ensure you have job security.