Certified Information Systems Auditor (CISA): Exam, Roles, and Benefits

What Is a Certified Information Systems Auditor (CISA)?

Certified Information Systems Auditor (CISA) is a professional designation issued by the Information Systems Audit and Control Association (ISACA) for experts in auditing, control, and security of information systems.

Candidates must pass a comprehensive exam, satisfy industry work experience and fee requirements, undergo continuing education and professional development, and adhere to ISACA’s Code of Professional Ethics and Information Systems Auditing Standards. CISAs are responsible for risk strategies and IT policy management, and the credential is widely recognized for advancing careers in IT auditing and governance.

Key Takeaways

  • The CISA designation is issued by ISACA and is the global standard for IT audit, control, and security professionals.
  • CISA candidates must have five years of experience and pass a comprehensive exam with a score of 450 or higher.
  • The CISA exam consists of 150 multiple-choice questions covering five key job practice domains.
  • CISAs must complete 20 hours of training yearly to maintain their certification and stay updated with industry standards.
  • The annual salary for CISA holders ranges between $108,000 and $120,000, reflecting the advanced skills and high demand for this certification.

Key Responsibilities of a Certified Information Systems Auditor

A CISA may review management practices, build risk strategies, perform continuity planning, and monitor IT personnel. A CISA may draft and maintain IT policies, standards, or procedures.

Certified information systems auditors appraise a company's technology-related systems and assess a company's set-up for vulnerabilities. A CISA will implement an audit strategy and execute the audit with the following steps:

  • Evaluate a company's objectives, systems, and risks to understand its vulnerabilities and strengths.
  • Deliver the audit results and make recommendations to management.
  • Guide implementation and monitoring of security upgrades.
  • Perform new tests to ensure management has followed through on control changes.

Important

The CISA exam costs $575 for ISACA members and $760 for non-members.

What to Expect in the CISA Exam

The CISA exam lasts four hours and consists of 150 multiple-choice questions. Candidates must meet specific requirements and pay an upfront fee. Exam registration must be completed online. Candidates must score 450 to pass and can sit for the exam in June, September, or December in testing centers worldwide. The exam is available in multiple languages, including Chinese Mandarin, Spanish, French, Japanese, and Korean.

The testing center requires an acceptable form of ID and may limit the use of phones, smart watches, headphones, food/beverages, or visitors. The CISA exam tests candidates’ knowledge of five job practice domains:

  1. The Process of Auditing Information Systems (18%). Tests planning and execution of risk assessments and audits.
  2. Governance and Management of IT (18%). Tests IT frameworks, enterprise architecture, laws and regulations, and quality assurance.
  3. Information Systems Acquisition, Development, and Implementation (12%). Tests business cases and feasibility analysis, design methodologies, configuration management, and system migrations.
  4. Information Systems Operations and Business Resilience (26%). Tests information system operations, end-user computing, system resiliency, data back-up, business continuity planning, and disaster recovery plans.
  5. Protection of Information Assets (26%). This domain focuses on cybersecurity and tests security, controls, security event management, and physical access limits.

Understanding CISA Work Experience Requirements

CISA candidates must have five years of professional experience in information systems auditing, control, or security. One year of general work experience can be substituted with one year of information systems or financial audit work experience. An optional education waiver is available for work experience and includes:

  • 1-year waiver for an associate degree
  • 2-year waiver for a bachelor’s, master’s, or doctorate in any field of study
  • 3-year waiver for a master’s degree in Information Systems or a related field

Continuing Education Requirements for CISA Certification

CISA professionals must update their knowledge with 20 hours of training each year, totaling at least 120 hours over three years. ISACA requires an annual fee to renew the CISA certification. ISACA members pay $45, and nonmembers pay $85.

Professionals can earn continuing education credits by attending conferences, ISACA courses, online training, tech events, or on-demand learning.

CISAs can also earn CPE credit for members-only journal quizzes, volunteering with ISACA, volunteering with One in Tech, or attending certain ISACA activities or meetings. Each CISA manages and reports their CPE hours through their ISACA profile, in the Certifications & CPE Management area.

$108,000 to $120,000: The average annual salary of a CISA certification holder as of 2025.

Advantages of Holding a CISA Certification

  • IT auditors are a niche market. The CISA certification demonstrates specialized technical knowledge and proficiency in this niche area.
  • Demand for credentialed IT auditors remains strong. As IT capabilities advance and companies shift to remote operations, there continues to be demand to ensure a company's technology infrastructure meets security and regulatory needs.
  • CISAs stay relevant in an evolving industry. The CISA certification requires ongoing education; this CPE requirement means professionals must continue training on new technologies and modern types of risk.
  • The certification may bring a higher salary or stronger job security. CISAs have demonstrated their knowledge and proficiency, commanding recognition for being strong leaders in their field. This may lead to raises, promotions, or long-term job stability.
  • The certificate is transferable and widely recognized. Many companies and industries recognize the merit of the CISA.
  • The exam provides insights into specialized fields. Though information system auditing is already specialized, candidates may realize they enjoy particular aspects of risk management and auditing more than others. This may lead to a greater understanding of career opportunities and career interests.

How Many CISA Professionals Exist?

As of the last survey in 2022, there are over 151,000 CISA-certified professionals.

How Long Does It Take to Become a Certified Information Systems Auditor?

The most direct timeline to become a CISA is five years, because ISACA requires applicants to show half a decade of professional experience. There are exceptions to this rule, and candidates can apply for an educational waiver.

What Does a Certified Information Systems Auditor Do?

A CISA oversees and protects a company's information systems and related departments. This includes performing audits of processes and products, performing risk mitigation techniques to prevent security breaches, and collaborating with other departments to ensure their technology needs are met without compromising security or creating system vulnerabilities.

The Bottom Line

The Certified Information Systems Auditor (CISA) is a globally recognized certification that demonstrates expertise in information systems auditing, control, and security. To earn it, candidates must have at least five years of professional experience and pass a comprehensive 150-question exam.

Maintaining the credential requires continuing professional education and adherence to a strict code of ethics to stay current with industry developments. CISA certification is valued across industries, offering career benefits such as higher demand, job security, and potential salary growth as technology and IT auditing needs expand.
