Certified Information Systems Auditor (CISA): Definition, Exam

What Is a Certified Information Systems Auditor (CISA)?

Certified Information Systems Auditor (CISA) refers to a designation issued by the Information Systems Audit and Control Association (ISACA). The designation is the global standard for professionals who have a career in information systems, in particular, auditing, control, and security. CISA holders demonstrate to employers that they have the knowledge, technical skills, and proficiency to meet the dynamic challenges facing modern organizations.

Key Takeaways

  • Certified Information Systems Auditor (CISA) is the global standard for professionals who have a career in information systems, in particular, auditing, control, and security.
  • CISA candidates must pass a comprehensive exam and satisfy industry work experience requirements.
  • CISA candidates must have a minimum of five years of professional experience and must undertake 20 hours of training per year to keep their designation.
  • The CISA exam is broken into five domains, and each domain is weighted differently.
  • The four-hour CISA exam must be passed with a score of 450 in order to earn the CISA certification.

Understanding Certified Information Systems Auditors (CISAs)

To receive a Certified Information Systems Auditor certification, candidates must pass a comprehensive exam and satisfy industry work experience requirements. Candidates must also undergo continuing education and professional development and adhere to ISACA’s Code of Professional Ethics and Information Systems Auditing Standards.

Responsibilities of a Certified Information Systems Auditor

Certified information systems auditors are often in charge of appraising a company's technology-related systems and assessing a company's setup for vulnerabilities. A CISA will often be tasked with developing an audit strategy to review potential risk areas as well as executing and overseeing that audit.

A CISA is often heavily involved in processes before and after an audit as well. Before doing any testing, a CISA will evaluate a company's objectives, systems, and risks to better understand its potential vulnerabilities and strengths. After the audit, a CISA delivers the audit results and often makes recommendations to management for steps to perform.

If suggestions are approved and adopted by management, the CISA will often be involved in the implementation and monitoring of security upgrades. This includes performing new tests once the recommendations have been put in place or ensuring management has followed through on control changes.

In addition to overseeing audits, a CISA will often have less formal projects with management on review practices, building risk strategies, performing continuity planning, and monitoring IT personnel. A CISA may also be responsible for drafting and maintaining up-to-date IT policies, standards, or procedures.

The CISA exam costs $575 for ISACA members and $760 for non-members.

How to Become a Certified Information Systems Auditor

There are five steps to become a CISA:

  1. Pass the CISA exam. As discussed below, the CISA certification is awarded to individuals who demonstrate competence in their field.
  2. Submit an application. In addition to passing the exam, the ISACA requires an individual to submit an application demonstrating applicable work experience, educational experience, or a combination of both.
  3. Adhere to the ISACA's Code of Professional Ethics. As is the case with most professional certifications, the ISACA has its own ethical requirements for certification holders. CISA holders must follow these practices to maintain their license.
  4. Meet CPE requirements. As is also the case with most professional certifications, a CISA must meet continuing professional education (CPE) standards to ensure their knowledge is maintained and up to date.
  5. Follow the ISACA's Information Systems Auditing Standards. Once an individual holds the certification, they must perform their work in accordance with the professional auditing standards developed by the ISACA.

Certified Information Systems Auditor Exam

The CISA exam lasts four hours and consists of 150 multiple-choice questions. To sit for the exam, the candidate must meet specific requirements (discussed below) as well as pay an upfront fee. This fee is valid for 12 months. Exam registration must be completed online.

Candidates must score 450 to pass the exam. The exam is scored on a scale of 200 to 800. Candidates have the option to sit the exam in June, September, or December in testing centers worldwide. The exam is also available in multiple languages, including Chinese Mandarin (simplified and traditional), Spanish, French, Japanese, and Korean.

Exams scheduled at in-person centers are often highly regulated. The testing center will typically require an acceptable form of ID. The testing center may also prohibit items such as phones, smart watches, headphones, food/beverages, or visitors. The testing center often does not allow discussion between test participants; any violation of these rules may lead to discontinuation of your exam session.

CISA Exam Content

The CISA exam tests candidates’ knowledge of five job practice domains:

  1. The Process of Auditing Information Systems (21%). This domain focuses on providing audit services in accordance with designated professional standards that protect and control information systems. This domain is intended to test on planning and execution of risk assessments and audits.
  2. Governance and Management of IT (17%). This domain focuses on identifying critical issues and making company-wide recommendations that protect information and related technology resources. This domain is intended to test on IT frameworks, enterprise architecture, laws and regulations, and quality assurance.
  3. Information Systems Acquisition, Development, and Implementation (12%). This domain focuses on the initiation, creation, and ongoing buildout of information systems and their security elements. This domain is intended to test on business cases and feasibility analysis, design methodologies, configuration management, and system migrations.
  4. Information Systems Operations and Business Resilience (23%). This domain focuses on how an information system operates during a normal course of business. This domain is intended to test on information system operations, end-user computing, system resiliency, data backup, business continuity planning, and disaster recovery plans.
  5. Protection of Information Assets (27%). This domain focuses on cybersecurity and the protection needed to ensure intellectual property or sensitive customer information is protected. This domain is intended to test on security controls, security event management, and physical access limits.

Certified Information Systems Work Experience Requirements

CISA candidates must have a minimum of five years of professional experience in information systems auditing, control, or security. Several work experience substitutions and waivers are available, which together can cover a maximum of three years of the requirement:

  • A maximum of one year of information systems experience OR one year of non-information systems auditing experience. (Substitutes for one year of work experience.)
  • Sixty to 120 completed university semester credit hours. (Sixty credit hours substitute for one year of work experience, while 120 credit hours substitute for two years of work experience.)
  • A master's degree in information security or information technology from an ISACA-accredited university. (Substitutes for one year of work experience.)
  • A master's or bachelor's degree from a university that sponsors ISACA programs. (Substitutes for one year of work experience.)

University instructors who have two years of experience in a related field, such as computer science, information systems auditing, or accounting, can substitute that experience for one year of work experience.

Certified Information Systems Auditor Continuing Professional Education

To ensure professionals who hold the CISA designation keep their knowledge of information systems, auditing, and control updated, they are required to undertake 20 hours of training per year and a minimum of 120 hours in a three-year period. ISACA charges an annual maintenance fee to renew the CISA certification. ISACA members pay $45, and nonmembers pay $85.

The ISACA has communicated a broad range of ways CISAs can earn these continuing education credits. This includes attending specific conferences, completing an ISACA Training Week course, performing online training certified by the ISACA, attending specific tech education events, or completing on-demand learning. CISAs can also earn CPE for journal quizzes accessible to members only, volunteering with ISACA, volunteering with One in Tech, or attending certain ISACA activities or meetings.

Each CISA is expected to manage and report their own CPE hours. This is done by logging into their ISACA profile and navigating to the Certifications & CPE Management area. There, users can add new CPE records, enter training or educational details, and enter the number of CPE hours earned.

Benefits of the Certified Information Systems Auditor Certification

By demonstrating professional competency, CISA holders reap several different benefits:

  • IT auditors are a niche market. The CISA certification demonstrates specialized, technical knowledge in a specific industry. IT auditing is different than other types of auditing, and the CISA license demonstrates proficiency in this niche area.
  • Demand for credentialed IT auditors remains strong. As IT capabilities advance and companies shift to remote operations, there continues to be demand for ensuring a company's technology infrastructure meets security and regulatory needs.
  • CISAs stay relevant in an evolving industry. The CISA certification requires ongoing education; this CPE requirement means professionals must continue to take training on new technologies, modern types of risk, and evolving complexities regarding information systems.
  • The certification may bring a higher salary or stronger job security. As is the case with any additional education or certification, CISAs have demonstrated their knowledge and proficiency, commanding recognition for being strong leaders in their field. This may lead to raises, promotions, or long-term job stability.
  • The certificate is transferable and widely recognized. The CISA is broadly recognized, meaning many companies and industries around the world recognize its merit.
  • The exam provides insights into specialized fields. Though information system auditing is already specialized, candidates may realize they enjoy particular aspects of risk management and auditing more than others. This may lead to a greater understanding of career opportunities and career interests.

How Do I Become a Certified Information Systems Auditor?

To become a CISA, you must pass an exam hosted by the ISACA, meet application requirements, and earn continuing education credits upon achieving certification. In addition, you must act in accordance with the ISACA's ethical and professional standards.

How Long Does It Take to Become a Certified Information Systems Auditor?

The most direct timeline to become a CISA is five years, as the ISACA requires half of a decade of professional experience on your application. There are exceptions to this rule, and candidates can apply for a waiver. In addition, there are educational requirements to satisfy as part of the certification process.

What Does a Certified Information Systems Auditor Do?

A CISA oversees, manages, and protects a company's information systems, IT, or related departments. This includes performing audits of processes and products, applying risk mitigation techniques to prevent security breaches, and collaborating with other departments to ensure their technology needs are being met without compromising security or creating system vulnerabilities.

The Bottom Line

The Certified Information Systems Auditor (CISA) certificate demonstrates professional proficiency in the field of IT security and risk mitigation. CISAs must have years of professional experience and pass a 150-question exam to demonstrate this knowledge. Once armed with a CISA license, auditors may enjoy greater job security, better knowledge of their industry, and continual growth through CPE requirements.
