Way2Certify

Get Trained . Get Certified . Get Ahead

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Training

Overview of the CISA Certification:

CISA Certification:

  • Is a globally recognized certification, which confirms your knowledge and experience in the field of IT audit and Security
  • Enables the holders to demonstrate that they have gained and maintained the level of knowledge required to meet the dynamic challenges of a modern enterprise
  • Combines the achievement of passing a comprehensive exam with recognition of work and educational experience, providing you with credibility in the marketplace. (More details are given below).
  • Adds value to your organization
  • Helps holders get a competitive advantage over peers in their career path.

How to Become CISA Certified:

For obtaining the CISA designation the candidates must meet the following requirements:

  1. Successful completion of the CISA examination
  2. Submit an Application for CISA Certification
  3. Adherence to the Code of Professional Ethics
  4. Adherence to the Continuing Professional Education Program
  5. Compliance with the Information Systems Auditing Standards

1. Successful completion of the CISA Examination

There is no pre-requisite for anyone to take the examination The examination is open to all individuals who have an interest in information systems audit, control and security. Successful examination candidates will be sent all information required to apply for certification with their notification of a passing score. For a more detailed description of the exam see CISA Certification Job Practice. Also, CISA Exam Preparation resources are available through the association.

2. Submit an Application for CISA Certification

Once a CISA candidate has passed the CISA certification exam and has met the work experience requirements, the final step is to complete and submit a CISA Application for Certification. A minimum of 5 years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification. Substitutions and waivers of such experience, to a maximum of 3 years, may be obtained as follows:

  • A maximum of 1 year of information systems experience OR 1 year of non-IS auditing experience can be substituted for 1 year of experience.
  • 60 to 120 completed university semester credit hours (the equivalent of an 2-year or 4-year degree) not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years, respectively, of experience.
  • A bachelor’s or master’s degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience. To view a list of these schools, please visit www.isaca.org/modeluniversities. This option cannot be used if 3 years of experience substitution and educational waiver have already been claimed.
  • A master’s degree in information security or information technology from an accredited university can be substituted for 1 year of experience.

Exception: 2 years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for 1 year of experience.

As an example, at a minimum (assuming a 2-year waiver of experience by substituting 120 university credits), an applicant must have 3 years of actual work experience. This experience can be completed by 3 years of IS audit, control, assurance or security experience or 2 years of IS audit, control assurance or security experience and 1 full year non-IS audit or IS experience or 2 years as a full-time university instructor.

Many individuals take the CISA exam prior to meeting the experience requirements. This practice is acceptable and encouraged although the CISA designation will not be awarded until all requirements are met.

The work experience for CISA certification must be gained within the 10-year period preceding the application date for certification or within 5 years from the date of originally passing the exam. The CISA Application for Certification is available at www.isaca.org/cisaapp. Note that candidates have 5 years from the passing date to apply for certification.

3. Adherence to the Code of Professional Ethics

Members of ISACA and/or holders of the CISA designation agree to a Code of Professional Ethics to guide professional and personal conduct.

4. Adherence to the Continuing Professional Education (CPE) Program 

The objectives of the continuing education program are to:

  • Maintain an individual’s competency by requiring the update of existing knowledge and skills in the areas of information systems auditing, control or security.
  • Provide a means to differentiate between qualified CISAs and those who have not met the requirements for continuation of their certification
  • Provide a mechanism for monitoring information systems audit, control and security professionals’ maintenance of their competency
  • Aid top management in developing sound information systems audit, control and security functions by providing criteria for personnel selection and development

Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition, a minimum of 120 contact hours is required during a fixed 3-year period.

View the complete Continuing Professional Education Policy.

5. Compliance with the Information Systems Auditing Standards 

Individuals holding the CISA designation agree to adhere to the Information Systems Auditing Standards as adopted by ISACA.

Please note that decisions on applications are not final as there is an appeal process for certification application denials. Inquiries regarding denials of certification can be sent to certification@isaca.org.

CISA Job Practice 2019 

The job practice domains, knowledge and supporting tasks are as follows:

Domain 1: Information System Auditing Process (21%)
Domain 2: Governance and Management of IT (17 %)
Domain 3: Information Systems, Acquisition, Development and Implementation (12 %)
Domain 4: Information Systems Operations and Business Resilience (23 %)
Domain 5: Protection of Information Assets (27 %)

Domain 1—Information Systems Auditing Process

   A. Planning

  1. IS Audit Standards, Guidelines, and Codes of Ethics
  2. Business Processes
  3. Types of Controls
  4. Risk-Based Audit Planning
  5. Types of Audits and Assessments

   B. Execution

  1. Audit Project Management
  2. Sampling Methodology
  3. Audit Evidence Collection Techniques
  4. Data Analytics
  5. Reporting and Communication Techniques


Domain 2— Governance and Management of IT

   A. IT Governance

  1. IT Governance and IT Strategy
  2. IT-Related Frameworks
  3. IT Standards, Policies, and Procedures
  4. Organizational Structure
  5. Enterprise Architecture
  6. Enterprise Risk Management
  7. Maturity Models
  8. Laws, Regulations, and Industry Standards affecting the Organization

   B. IT Management

  1. IT Resource Management
  2. IT Service Provider Acquisition and Management
  3. IT Performance Monitoring and Reporting
  4. Quality Assurance and Quality Management of IT


Domain 3—Information Systems Acquisition, Development, and Implementation

   A. Information Systems Acquisition and Development

  1. Project Governance and Management
  2. Business Case and Feasibility Analysis
  3. System Development Methodologies
  4. Control Identification and Design

   B. Information Systems Implementation

  1. Testing Methodologies
  2. Configuration and Release Management
  3. System Migration, Infrastructure Deployment, and Data Conversion
  4. Post-implementation Review


Domain 4—Information Systems Operations and Business Resilience

   A. Information Systems Operations

  1. Common Technology Components
  2. IT Asset Management
  3. Job Scheduling and Production Process Automation
  4. System Interfaces
  5. End-User Computing
  6. Data Governance
  7. Systems Performance Management
  8. Problem and Incident Management
  9. Change, Configuration, Release, and Patch Management
  10. IT Service Level Management
  11. Database Management

   B. Business Resilience

  1. Business Impact Analysis (BIA)
  2. System Resiliency
  3. Data Backup, Storage, and Restoration
  4. Business Continuity Plan (BCP)
  5. Disaster Recovery Plans (DRP)     


Domain 5—Protection of Information Assets

   A. Information Asset Security and Control

  1. Information Asset Security Frameworks, Standards, and Guidelines
  2. Privacy Principles
  3. Physical Access and Environmental Controls
  4. Identity and Access Management
  5. Network and End-Point Security
  6. Data Classification
  7. Data Encryption and Encryption-Related Techniques
  8. Public Key Infrastructure (PKI)
  9. Web-Based Communication Techniques
  10. Virtualized Environments
  11. Mobile, Wireless, and Internet-of-Things (IoT) Devices

   B. Security Event Management

  1. Security Awareness Training and Programs
  2. Information System Attack Methods and Techniques
  3. Security Testing Tools and Techniques
  4. Security Monitoring Tools and Techniques
  5. Incident Response Management
  6. Evidence Collection and Forensics