Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) is a professional certification for Information Technology Audit professionals sponsored by ISACA, formerly the Information Systems Audit and Control Association. This certification was established in the year 1978. The American National Standards Institute (ANSI) has accredited the CISA certification program under ISO/IEC 17024:2003.


  • CISA certification is required for professionals seeking an extra edge over being an auditor in information systems, with audit management and compliance as the core components.
  • A CISA Certification confirms one’s knowledge and experience in the audit management domain.
  • It quantifies and advertises the proficiency of certified professionals.
  • CISA assists in demonstrating the gained knowledge vis-à-vis the level of knowledge required to meet the dynamic challenges of the contemporary enterprise.
  • This certification enhances one’s professional value to the organization.
  • It gives a competitive advantage over peers seeking career progression.
  • It assists in achieving a high professional standard through ISACA’s requirements for continuing education and ethical conduct.
  • Enterprises demand IS audit professionals with knowledge and expertise which can help them identify critical issues and customize practices.
  • The skills and practices that CISA promotes and evaluates are the building blocks of success in the field. Possessing the CISA demonstrates proficiency and is the basis for measurement in the profession.


With an increasing requirement for professionals possessing IS audit, control and security expertise, CISA certified professionals have turned out to be among those most preferred by organizations around the world. Some of the reasons for CISA certification being the employer’s choice are:

  • Highly qualified and experienced professionals
  • Provide the enterprise with a certification for IT assurance that is recognized by multinational clients, lending credibility to the enterprise
  • Excellent indicators of proficiency in technology controls.
  • Demonstrate competence in five domains, including standards and practices; organization and management; processes; integrity, confidentiality and availability; and software development, acquisition and maintenance.
  • Demonstrate a commitment to providing the enterprise with trust in and value from your information systems.
  • Maintain ongoing professional development for successful on-the-job performance


ISACA publishes the CISA Review Manual (CRM) every year, which candidates can use to prepare for the examination. The manual is organized to assist with understanding essential concepts and studying the following updated job practice areas:

  • The Process of Auditing Information Systems
  • Governance and Management of IT
  • Information Systems Acquisition, Development and Implementation
  • Information Systems Operations, Maintenance and Support
  • Protection of Information Assets

The manual also covers:

  • A map of the relationship of each task to the knowledge statements
  • A reference guide for the knowledge statements, including the relevant concepts and explanations
  • References to specific content in the second section for each knowledge statement
  • Sample practice questions and explanations of the answers
  • Suggested resources for further study


The CISA designation is awarded to professionals who have an interest in information systems auditing, control and security and who also meet the following requirements:

  • Successful completion of the CISA examination: The examination is open to individuals who have an interest in information systems audit, control and security. All are encouraged to work toward and take the examination. Successful examination candidates will be sent all information required to apply for certification with their notification of a passing score.
  • Submit an Application for CISA Certification: After having passed the CISA certification exam and having met the work experience requirements, the final step is to complete and submit a CISA Application for Certification. A minimum of 5 years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification. Substitutions and waivers of such experience, to a maximum of 3 years, may be obtained as follows:

    1. A maximum of 1 year of information systems experience OR 1 year of non-IS auditing experience can be substituted for 1 year of experience.

    2. 60 to 120 completed university semester credit hours (the equivalent of a 2-year or 4-year degree), not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years, respectively, of experience.

    3. A bachelor’s or master’s degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience. To view a list of these schools, please visit This option cannot be used if 3 years of experience substitution and educational waiver have already been claimed.

    4. A master’s degree in information security or information technology from an accredited university can be substituted for 1 year of experience.

    5. Exception: 2 years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for 1 year of experience.

  • Adherence to the Code of Professional Ethics: The objectives of the continuing education program are to:

    1. Maintain an individual’s competency by requiring the update of existing knowledge and skills in the areas of information systems auditing, control or security.

    2. Provide a means to differentiate between qualified CISAs and those who have not met the requirements for continuation of their certification.

    3. Provide a mechanism for monitoring information systems audit, control and security professionals’ maintenance of their competency.

    4. Aid top management in developing sound information systems audit, control and security functions by providing criteria for personnel selection and development.

  • Adherence to the Continuing Professional Education Program
  • Compliance with the Information Systems Auditing Standards

