CISA certification: Overview and career path

October 5, 2025 by Daniel Brecht

If you want to be an IT auditor or are one now and don't have a certification, then why not consider the Certified Information Systems Auditor (CISA) credential? This is one of the key certifications employers seek when considering candidates for IT auditor and assurance positions worldwide. The exam was updated in 2024 to align with current technology, auditing requirements and cyber threats.

The CISA certification program guides professionals through the knowledge needed to be in the profession and proves the presence of skills specific to the audit IS/IT function. You can also earn a handsome salary. Check out our Cybersecurity salary guide to learn more.

One reason you can make good money with a CISA certification is that IT audit leaders and professionals are assuming an increasingly integrated role in technology initiatives in their organizations. As a result, companies are actively looking for professionals who can prove their expertise in these key roles.

Earn your CISA, guaranteed!

Get your CISA live online or on-site, backed with an Exam Pass Guarantee!

What is the CISA certification?

Though there is no single path into the IS/IT audit profession, the CISA certification can help credential holders get a competitive edge over others without the designation. As ISACA explains, the CISA certification showcases a professional's audit experience, skills and knowledge. It demonstrates the ability to assess vulnerabilities, report on compliance, understand the internal controls structure and institute controls within a risk-based approach for security activities to mitigate increasing cyber threats. Auditors play a significant role in an organization, and that is why a forward-thinking corporation is likely interested in attracting and retaining top talent who can provide an accurate IT audit trail.

The CISA credential is governed by ISACA, one of the most trusted names in the information systems and security industry. ISACA's oldest credential, dating back to 1978, focuses on demonstrating your capabilities in every stage of the auditing process, from updates to a company's policies to ensuring compliance with procedures and understanding how well an organization can assess vulnerabilities.

CISA exam domains

There are five CISA domains, which are briefly explained below:

Domain 1: Information systems auditing process

18% of the exam | Provide audit services in accordance with IS audit standards to assist the organization in protecting and controlling information systems.

This domain covers topics like executing effective risk-based audit planning, following proper IS audit standards, communicating results and recommendations to stakeholders and performing necessary audit follow-ups. This section tests applicants' knowledge of audit standards, tools and techniques. It also tests knowledge of risk assessment concepts, controls and applicable laws and regulations pertaining to audits affected by business processes. In addition, it covers techniques relating to evidence collection, communication, quality assurance (QA) systems and frameworks, and types of audits.

Domain 2: Governance and management of IT

18% of the exam | Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization's strategy.

This domain looks at general IT strategies in an organization and evaluates the effectiveness of the IT governance structure. It also covers the evaluation of a number of areas to check their alignment with the organization's objectives as well as their efficacy. This includes IT human resources and organization, policies and procedures, portfolio management, business continuity plan and disaster recovery, as well as key performance indicators. This section tests specific knowledge of IT governance and strategies, issues, process optimization techniques, enterprise risk management (ERM), quality management and quality assurance, scorecards, KPIs and topics related to business continuity.

Domain 3: Information systems acquisition, development and implementation

12% of the exam | Provide assurance that the practices for the acquisition, development, testing and implementation of information systems align with the organization's strategies and objectives.

This domain covers topics related to selecting IT suppliers and contracts that can guarantee proper service levels. It also covers the management of projects, from checking their progress according to plans to proper documentation of all phases. It also touches on systems implementation, testing and evaluation. Knowledge tested includes topics like feasibility studies, business cases, total cost of ownership (TCO) and return on investment (ROI), project management and risk management, project requirements analysis, success criteria and post-implementation issues. It also covers secure coding and specific knowledge of system development methodologies and tools, such as agile, rapid application development (RAD) and object-oriented design techniques.

Domain 4: Information systems operations and business resilience

26% of the exam | Provide assurance that the processes for information systems operations, maintenance and service management align with the organization's strategies and objectives.

This domain covers evaluating IT practices to ensure they meet the stated service levels and the needed controls. It looks at operations, maintenance requirements, database and incident management practices and the evaluation of business continuity and resilience of the organization's IT infrastructure. It covers knowledge related to service management practices, enterprise architecture, systems resiliency, control techniques and performance monitoring. It also tests data backup, database management, data lifecycle, incident management practices and disaster recovery testing.

Domain 5: Protection of information assets

26% of the exam | Provide assurance that the organization's policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

This domain covers the protection of IT assets: the evaluation of information security policies and procedures, physical and environmental controls, verification that assets' confidentiality, integrity and availability (CIA) are preserved, the storage, transportation and disposal of assets, and information security programs. The domain tests candidates' knowledge of the following areas:

  • Privacy and information security laws and regulations
  • Physical and environmental controls
  • Identification, authentication and restriction of users
  • BYOD and virtualization risks and voice communications security
  • Encryption, PKI and digital signatures
  • Data handling risks and proper procedures, attack methods, detection and testing techniques
  • Digital forensics

What changed in the 2024 CISA exam update?

While the five domains remain generally the same when compared to those offered by the previous version, the 2024 update has significant changes to the weights of each domain:

  • Domain 1 decreased from 21% of the exam to 18%.
  • Domain 2 increased from 17% to 18%.
  • Domain 3 remains at 12% (no change from the previous exam).
  • Domain 4 increased from 23% to 26%.
  • Domain 5 decreased from 27% to 26%.

Who should earn the CISA?

The CISA credential is often a mandatory qualification for employment as an IS auditor. These professionals have many job responsibilities and duties, including working with teams of IT professionals to create secure environments for staff and the business as a whole. After identifying security threats, auditors must be able to patch and secure each system, including network, desktop and external software systems. An information systems security auditor is just one of many career options in the field. In addition to IS/IT auditors, the CISA target market also includes those in other roles, such as:

  • IS/IT consultants
  • IS/IT audit managers
  • Security professionals
  • Non-IT auditors

The ISACA CISA certification is also a DoD-approved baseline certification under DoD 8140/8570. According to ISACA, more than 200,000 professionals have earned the CISA certification since its inception in 1978, with approximately 151,000 active certification holders worldwide serving in roles ranging from auditor to senior leadership positions.

Gain a competitive advantage with a CISA certification

There are many reasons to become CISA certified. It proves you know how to evaluate the adequacy and effectiveness of an organization's IT systems, internal controls and risks across its technology network against its policies and applicable regulations. A CISA certification can also increase your earnings potential. According to ISACA, the average U.S. CISA holder earns $149,000 per year, although our CISA salary analysis found a lower average. You can also discover how much money you can earn as a CISA with Infosec's Cybersecurity salary guide.

Considering getting another ISACA certification? Then you may be interested in our webinar on the ISACA career path: The highest paying certifications in the industry. This breaks down how certifications improve your chances of earning more money, the salaries you can expect from entry-level positions and which ones can earn you the highest salaries.

Other common CISA questions

What experience do you need to apply for the CISA?

ISACA's globally recognized CISA certification requires all auditors to have some degree of technical expertise. In fact, five years of experience is needed in IS auditing, control or security, while up to a maximum of three years can be substituted by specific experience or college courses/degrees. The path to certification requires understanding and familiarity with the five CISA domains.

Members of ISACA and holders of the CISA designation also need to agree to a Code of Professional Ethics and are required to follow a continuing professional education (CPE) program that requires maintenance fees and at least 20 contact hours of CPE annually, in addition to a minimum of 120 contact hours during a fixed three-year period. They also have to comply with ISACA Information Systems Auditing Standards.

The test is offered throughout the year via computer-based testing. You can schedule your exam at any time.

What does the CISA exam cost?

The CISA exam costs $575 for ISACA members and $760 for non-members. To pass the exam, candidates must score at least 450 out of 800 points. The exam consists of 150 multiple-choice questions, and candidates have four hours to complete it. While exam fees are the primary cost, you should also budget for study materials, which can range from $109 to $895 depending on your chosen resources and membership status.

What is the best way to train for the CISA exam?

ISACA works with authorized training solutions like Infosec to help prepare candidates for the exam. Infosec offers a five-day ISACA CISA Boot Camp with an Exam Pass Guarantee.

How can I earn CPEs to maintain my CISA certification?

Like other ISACA certifications, you must earn CPE credits to maintain your certification. This can be done through ongoing education, conferences, publications and more. Read our article on CISA CPEs for more.

Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.
