The Certified Information Systems Auditor (CISA) Certification Guide (2023)

What is CISA certification?

The Certified Information Systems Auditor certification, or CISA, shows your skills in analyzing, assessing and recommending improvements to your organization’s IT and information systems.

  • Learn cutting-edge, risk-based information systems auditing processes
  • Delve into information systems acquisition, development and implementation best practices
  • Understand how to audit information systems operations and make recommendations to benefit your organization
The Certified Information Systems Auditor (CISA) Certification Guide (2023)

Key facts

  • CISA holders: 164,000+
  • Average U.S. salary for CISA certification holders: $113,000
  • Recommended experience: 5+ years

Start your journey to becoming a certified CISA professional with Infosec.

CISA exam overview

CISA is a mid-level credential offered by ISACA that is a great choice if you hope to enter the world of security auditing or validate your knowledge and skills around security controls. CISA holders understand how to analyze information systems and technology usage in an organization to improve risk management processes. The latest version of the CISA exam covers five knowledge areas, or domains.

Domain 1: Information systems auditing process (21%)
  • IS audit standards, guidelines and codes of ethics
  • Business processes
  • Types of controls
  • Risk-based audit planning
  • Types of audits and assessments
  • Audit project management
  • Sampling methodology
  • Audit evidence collection techniques
  • Data analytics
  • Reporting and communication techniques
  • Quality assurance and improvement of the audit process
Domain 2: Governance and management of IT (17%)
  • IT governance and strategy
  • IT-related frameworks
  • IT standards, policies and procedures
  • Organizational structure
  • Enterprise architecture and risk management
  • Maturity models
  • Laws, regulations and industry standards
  • IT resource management
  • IT service provider acquisition and management
  • IT performance monitoring and reporting
  • Quality assurance and quality management of IT
Domain 3: Information systems acquisition, development and implementation (12%)
  • Project governance and management
  • Business case and feasibility analysis
  • System development methodologies
  • Control identification and design
  • Testing methodologies
  • Configuration and release management
  • System migration, infrastructure deployment and data conversion
  • Post-implementation review
Domain 4: Information systems operations and business resilience (23%)
  • Common technology components
  • IT asset management
  • Job scheduling and production process automation
  • System interfaces
  • End-user computing
  • Data governance
  • Systems performance management
  • Problem and incident management
  • Change, configuration, release and patch management
  • IT service level management
  • Database management
  • Business impact analysis
  • System resiliency
  • Data backup, storage and restoration
  • Business continuity plan
  • Disaster recovery plans
Domain 5: Protection of information assets (27%)
  • Information asset security frameworks, standards and guidelines
  • Privacy principles
  • Physical access and environmental controls
  • Identity and access management
  • Network and end-point security
  • Data classification
  • Data encryption and encryption-related techniques
  • Public key infrastructure
  • Web-based communication techniques
  • Virtualized environments
  • Mobile, wireless and internet-of-things devices
  • Security awareness training and programs
  • Information system attack methods and techniques
  • Security testing tools and techniques
  • Security monitoring tools and techniques
  • Incident response management
  • Evidence collection and forensics

Learn more about the CISA domains.

CISA exam details

CISA covers auditing, controlling, monitoring and assessing information technology and systems. Learn how to conduct risk-based audits to make data models and security practices as efficient as possible.

Launch date: 1978 Last update: June 2019
Number of questions: 150 Type of questions: Multiple-choice
Length of test: 4 hours Passing score: 450 (out of scaled score of 200-800)
Recommended experience: 5+ years of work experience in at least three domains (up to 3 years in experience waivers available) Languages:

English, Chinese traditional, Chinese simplified, French, German, Hebrew, Italian, Japanese, Korean, Portuguese, Spanish, Turkish

Validity duration:  Three years CPEs needed for renewal:  120 (at least 20 annually)
Exam cost: $575 for members, $760 for non-members    

Free and self-study CISA materials

Many providers offer free study materials to help you prepare for your CISA exam, but a good starting point is the CISA exam outline. This comprehensive guide is the definitive resource on the CISA certification exam’s Body of Knowledge, which is the collection of topics on the test. You can develop a training plan and seek appropriate study materials based on this outline.

ISACA career kit Image

CISA study guides and books

ISACA and other training providers offer numerous training resources available on Amazon and elsewhere. These include:

  • CISA Review Manual, 27th Edition (ISACA)
  • CISA Certified Information Systems Auditor Study Guide, 4th Edition by David L. Cannon
  • CISA Certified Information Systems Auditor All-in-One Exam Guide, 4th Edition by Peter H. Gregory
  • CISA — Certified Information Systems Auditor Study Guide, 2nd Edition by Hemang Doshi
  • 10 tips for CISA exam success

For more free resources, download our ISACA Career Kit.

CISA practice questions and exams

Practice exams for CISA certification are a great way to understand the questions you’ll be asked and gauge how ready you are for the big test. While you won’t find the exact questions from the exam, practice questions reflect the exam domains. A few of the most popular CISA practice question options are listed below:

Most paid CISA training courses also offer practice exams. For example, Infosec's CISA Boot Camp includes access to the ISACA Official Question, Answer & Explanation (QAE) database.


Other free CISA training resources

Many free CISA training materials are produced and shared by the cybersecurity community:

  • Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CISA.
  • YouTube is another great place to connect with cybersecurity practitioners and learn about the CISA exam. Although most CISA courses cost money, there are numerous free CISA videos available to watch.
  • Podcasts may not help you directly study for your CISA exam, but those like the Cyber Work Podcast are a great way to learn about cybersecurity career options and your peers' career journeys.

CISA jobs and careers

CISA certification is considered one of the most prestigious auditing credentials in the world and one of the highest-paying certifications cybersecurity practitioners can earn. It can help professionals with at least five years in auditing, control, IT and security reach several management positions. 


 Common CISA job titles 

  • Internal auditor
  • Information risk analyst
  • IT security officer
  • IT risk and assurance manager
  • Chief information officer
  • Network operation security engineer
  • IT project manager

Learn more about the job outlook for CISA holders.

CISA live boot camps and self-paced training

Obtaining your information systems auditor certification takes time and effort, and professional training courses for the CISA exam can help all that hard work pay off. Paid training is also a great option if you’re looking to get certified quickly or want extra assistance mastering the concepts covered on the exam.

CISA comparisons and alternatives

CISA certification is designed to help you open more job opportunities, but it is not the only option available. Here is how CISA certification stacks up to other related certifications.


Both the CISA and CISSP certifications have recommended experience levels of five years, are for mid-level professionals and have great salary potential. However, CISA is geared more towards auditing and broader fundamentals of network and security, while the (ISC)² Certified Information Systems Security Professional (CISSP) cert gets into the more technical, hands-on engineering aspects. The CISSP exam may be more difficult than the CISA for some candidates since it covers a broader range of topics.


While both the CISA and CISM certifications are offered by the ISACA, the ISACA Certified Information Security Manager (CISM) certification is a managerial credential whereas the CISA is focused on more hands-on information security auditing. CISM holders typically go on to jobs managing entire departments, while CISA is more appropriate for mid-level practitioners and managers who want to better understand information auditing, risk and security controls. CISA can also be a good stepping stone to eventually taking the CISM exam


While both the CISA and CRISC certifications require a fair amount of analyzing skills, the main difference between CISA and ISACA Certified in Risk and Information Systems Control certification is simple: CISA focuses on auditing and CRISC focuses on risk management. CISA is primarily for auditors to prove their skills, but like CISM, CRISC deals with a broader scope of cybersecurity, which makes it a better manager-level certification with a higher annual salary. 


The CompTIA CASP+ certification is an advanced-level certification offered by CompTIA. Although the exam will test you on knowledge related to compliance, governance and risk, the certification as a whole falls more in line with security engineering and architecture than CISA, which focuses on IT auditing.


The Certified Ethical Hacker (CEH) certification by the EC-Council is among the most popular certifications for entry-level cybersecurity professionals. The credential validates that you can “think like a hacker” and use the tools a malicious attacker would use during an attack. Many CEHs pursue careers as penetration testers, malware analysts, and security analysts.

It can be useful for understanding how attackers gain access to systems with improper controls, but the CEH is not focused on auditing like the CISA certification is.

Explore Infosec certifications to find the best fit for your career goals.