The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]

August 16, 2022 by Susan Morrow

Whatever career you choose, you need to prove your expertise and capability. In the IT industry, several organizations can help you prove your ability to do your job with authority and knowledge. Information technology is an exciting career with many specializations to choose from as you increase your experience. It is also a career that encourages both men and women across all disciplines to enter. But one thing that IT is not is stagnant.

Technology is fast-paced: The internet entered our lives less than 25 years ago, and already we have the hyper-connectivity of the internet of things (IoT) and cloud computing. Change touches the heart of an enterprise, from automation of business processes to network virtualization. IT professionals must keep up with these changes; to do so, they turn to industry-respected IT certifications from ISACA that are accredited by the American National Standards Institute (ANSI) under the International Standard ANSI/ISO/IEC 17024:2012.

What is ISACA?

ISACA is a not-for-profit, independent authority representing IT professionals and offers certifications, training and resources to help you progress in your career and stand out from the crowd.

Its more than 165,000 members worldwide include people in various positions, from information systems or IT auditors to governance, security and risk professionals and C-suite executives.

How to choose the best ISACA certification path for your career

ISACA offers a variety of certification options aligned with various roles, skill sets and job responsibilities. The main ISACA certs are:

  1. CISA (certified information systems auditor)
  2. CISM (certified information security manager)
  3. CGEIT (certified in the governance of enterprise IT)
  4. CRISC (certified in risk and information systems control)
  5. CDPSE (certified data privacy solutions engineer)

Let’s look at each credential to help you decide which would best suit your career path and professional goals.

Certified information systems auditor (CISA)

IT systems are often very complex. The enterprise is transforming and embracing a culture of digital diversity and cloud computing. The result is hyper-connectivity across the workforce and IT network.

The job of an information systems auditor (ISA) is an important role in an organization. An ISA is responsible for internal controls and reviews of computer information systems. The auditor is not only responsible for using audit software to run reviews, but also for documenting and communicating the findings with other key staff. Other responsibilities may involve understanding the governance of IT systems and training other auditors. Completing training and certification as a CISA demonstrates your ability to do the job well.

Who is this certification for?

This is an industry-renowned and recognized certificate that will validate your knowledge in the areas of audit and reporting. It will also demonstrate your capability in vulnerability assessment within IT systems.

The CISA credential is sought by those who audit, control, monitor and assess an enterprise’s information technology and business systems.

If you’re pursuing a career as an IT auditor, you should seriously consider the CISA certification path, which specifically builds your knowledge of auditing information systems, developing and implementing those systems, protecting info assets, information system acquisition and governance.

Where would you use it? 

As IT systems come increasingly under attack from both insider and external forces, having someone who can navigate IT systems is important. The CISA certificate shows you have the skills needed to spot critical issues and communicate them to team members, and the ability to apply a risk-based approach to planning. Having an ISACA CISA certification shows you are a qualified professional who understands the importance of IT governance and standards. It also gives you a good grounding in the impact of choice and maintenance involved in software acquisition.

CISA exam prerequisites and domains

Prerequisites: To take this exam, you need at least five years of experience in IS/IT audit, control, assurance or security. You can reduce the five years to two if you have a combination of the following: one year of information systems experience or non-IS auditing experience; 60 to 120 university semester credit hours (to substitute one or two years, respectively) or a master’s degree in IT or information security (to substitute one year).

Exam info: The four-hour exam contains 150 multiple-choice questions across five domains:

  • Domain 1: information system auditing process (21%). Guidance in how to protect and control IS systems
  • Domain 2: governance and management of IT (17%). Audit and ensure that the correct roles are in place to support the goals of the organization’s strategy
  • Domain 3: information systems acquisition, development and implementation (12%). Includes project governance and management and lifecycle management of testing and releases
  • Domain 4: information systems operations and business resilience (23%). Ensure the processes around operations and maintenance are aligned with business objectives
  • Domain 5: protection of information assets (27%). Ensure alignment of the organization’s standards and procedures and that they fit with the confidentiality, integrity and availability of information assets. This includes measures such as encryption and PKI and identity and access management

Certified information security manager (CISM)

The CISM certificate is an internationally recognized ISACA qualification that demonstrates the ability to manage an organization’s information security. According to ISACA, this is one of the most sought-after security certifications, and holding it can help you secure a higher salary.

Who is this certification for?

Holding a CISM credential demonstrates your capability as a security practitioner in applying security principles that align with business goals. The certification is seen in the industry as an indicator of someone who can build and implement a company security program. Risk management, data governance and compliance are increasingly a vital part of an organization’s security strategy. A significant advantage is having someone who understands how to deliver these pieces alongside a coherent strategy. A CISM is also a good option for those who want to move into managerial roles after building technical expertise in IS/IT security and control.

Where would you use it?

The ISACA CISM certification is recognized by governments and industries worldwide as a valuable professional exam. More than 48,000 people have already been certified. This credential proves you have the skills to manage a security program across an organization’s IT systems.

CISM exam prerequisites and domains

Prerequisites: You must have at least five years of information security management experience. However, up to two years can be waived if specific education or certification requirements are met.

Exam info: The 150-question, multiple-choice exam covers four main CISM domains and lasts up to four hours.

  • Domain 1: information security governance (17%). Covers the setup and maintenance of an information security governance framework
  • Domain 2: information security risk management (20%). Demonstrates how to apply risk management based on business goals and expectations
  • Domain 3: information security program (33%). Develop a security program to protect an organization’s assets while keeping the program in line with business goals
  • Domain 4: incident management (30%). Understand how to detect, mitigate and recover from security incidents

For more information, view Infosec’s CISM hub.

Certified in the governance of enterprise IT (CGEIT)

The CGEIT certificate suits you if you want to progress in your governance career. You’ll have the skills to align investments in IT with business strategies and goals and to ensure that risk management is in place. The need for such alignment has several drivers, including creating a competitive edge and helping to comply with industry-specific laws such as the Gramm-Leach-Bliley Act (GLBA).

Who is this certification for? 

The CGEIT credential is a way to demonstrate that you take a holistic approach to the area of IT governance. The exam indicates your ability to work in a senior position and understand how the correct application of IT can benefit the business.

Where would you use it? 

Anyone wishing to progress to a level of management in IT governance can benefit from the ISACA CGEIT certification. This shows an ability to work in a C-level environment and to communicate problems and ideas at that level.

CGEIT exam prerequisites and domains

Prerequisites: This is a management-level exam. You need at least five years of experience in an advisory or oversight role supporting governance of the IT-related contribution to an enterprise. Of those five years, there must be at least one year of experience in defining, establishing and managing a framework for IT governance (Domain 1). In addition, experience directly related to two or more of the remaining CGEIT domains is required.

No experience waiver is allowed except for the possibility of substituting the one-year requirement related to Domain 1 with a COBIT 2019 design and implementation certificate.

Exam info: The test contains 150 multiple-choice, experience-based questions based on four main domains. Candidates have four hours to complete it.

  • Domain 1: governance of enterprise IT (40%). Establishing a governance framework to achieve the vision and goals of the organization
  • Domain 2: IT resources (15%). Developing and monitoring strategic IT planning
  • Domain 3: benefits realization (26%). Managing IT investments to ensure optimized benefits
  • Domain 4: risk optimization (19%). Developing a holistic IT risk management framework

Certified in risk and information systems control (CRISC)

Risk management is now a vital part of an enterprise. The IT resources used by a modern company are diverse and often involve third-party services in a cloud environment. The role of the modern IT professional must encompass an understanding of the risk to information and systems that the introduction of technology can add to an organization.

Who is this certification for? 

The CRISC credential exam readies IT professionals to analyze and assess the pros and cons of using a given technology in their organization. The certification shows the individual can assess business risk and apply appropriate technical controls.

Where would you use it? 

Any professional wishing to work in a role that involves understanding business risk related to IT would benefit from taking this exam. The ISACA CRISC certification encourages continuous professional development and cutting-edge thinking on risk management. This makes it a valuable career tool for an IT professional.

CRISC exam prerequisites and domains

Prerequisites: At least three years of experience in IT risk management and IS control. No experience waivers or substitutions are possible.

Exam info: The test contains 150 multiple-choice questions and requires four hours to complete.

  • Domain 1: Governance (26%). Understanding enterprise risk management and risk management framework; determining risk profile and tolerance; organizational strategy, goals, objectives and culture, policies and standards
  • Domain 2: IT risk assessment (20%). Analyzing and evaluating IT risk
  • Domain 3: risk response and reporting (32%). Understanding how to evaluate and capture risk response from stakeholders and align with business objectives; understanding how to define, monitor and report key risk indicators (KRIs)
  • Domain 4: IT and security (22%). Evaluating alignment of business practices according to risk management and information security frameworks and standards; business continuity; emerging technology; data lifecycle management

Certified data privacy solutions engineer (CDPSE)

Privacy has taken center stage alongside security in an enterprise setting. The privacy of personal and corporate data is heavily regulated and requires specialist knowledge to understand the highly nuanced details of how to maintain data privacy. The CDPSE certificate suits data privacy specialists involved in areas such as privacy impact assessments (PIAs), identifying strategies for protecting privacy, including security measures such as encryption and data minimization. Understanding the governance and lifecycle of data and how to classify it also plays a prominent role in ensuring that privacy is correctly applied.

Who is this certification for? 

The CDPSE credential is a technical, hands-on qualification for people who want to specialize in privacy matters. This exam aims at privacy engineers, privacy analysts, privacy managers, privacy architects, privacy consultants and others in the privacy field.

Where would you use it? 

Privacy is a cross-disciplinary field, and the exam is designed to measure the ability to work with people from legal, policy, engineering, etc. Holding an ISACA CDPSE certification will demonstrate that you can:

  • Build and implement privacy measures
  • Understand and advise on data lifecycle regulatory requirements
  • Understand the principles of and be able to implement privacy by design (PbD)
  • Map privacy requirements to the goals and needs of the business
  • Communicate across teams on privacy matters

CDPSE exam prerequisites and domains

Prerequisites: At least three years of experience in data privacy governance, privacy architecture, and/or data lifecycle work. No experience waivers or substitutions are allowed.

Exam info: The test contains 120 multiple-choice questions and lasts a maximum of 3.5 hours. It covers three domains:

  • Domain 1: privacy governance (34%). Includes data governance across jurisdictions and privacy laws across the world; management and roles and responsibilities; how to conduct a PIA
  • Domain 2: privacy architecture (36%). The technology side of privacy: infrastructure, architecture, applications, etc.
  • Domain 3: data cycle (30%). All about the data lifecycle and inventory and classification

How to earn your next ISACA certification

Infosec is one of a handful of ISACA accredited Elite+ Partners and can help you prepare for your exam with hands-on, live and online ISACA boot camps or on-demand ISACA courses where you go at your own pace.

Once you’re ready, you can schedule your desired credential exam year-round, thanks to continuous testing. The registration fees depend on membership status at the time of exam registration; the ISACA member cost is US$575, while the nonmember cost is US$760. A US$50 application processing fee is also required for all cert submissions.

Exams are computer-based and administered and proctored by PSI’s testing centers, located in all 50 states and 120 countries. Exams can also be taken online with a remote proctor; just choose the option via your ISACA profile (create a new profile at

You’ll need a score of 450 (on a scale from 200 to 800) to pass any of the exams. Once certified, you’re responsible for an annual maintenance fee of US$45 for ISACA members and US$85 for non-members.

ISACA career success

IT professionals must be at the forefront of technological changes. They are also expected to understand how those changes impact the enterprise and how best to align new technologies to business goals to maintain a competitive edge. Keeping up with these changes and demonstrating your skill in making the most of technology is greatly helped by the certification offered by ISACA.

The ISACA exams are not easy. They will test your capability across many areas of IT governance, risk management and information security and can help set you up for career success.


Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.