The Certified Information Systems Auditor credential is ISACA’s long-standing answer to a critical governance challenge: how organisations can trust the technology, controls, and evidence behind their business processes since its introduction in 1978.
CISA is a professional certification for people who audit, assess, monitor, or advise on information systems controls. It is most relevant to IT auditors, assurance professionals, security analysts moving into audit, risk and compliance staff, and managers who need a common language for evaluating technology control environments.
Last reviewed: 2026. Candidates should always check ISACA’s current exam, fee, eligibility, waiver, scheduling, and continuing professional education policies before registering, because operational details can change even when the core purpose of the certification remains stable.
CISA is often described as an audit certification, but that wording can be too narrow. The exam expects candidates to think like assurance professionals: understand business risk, identify relevant controls, gather appropriate evidence, evaluate whether controls are designed and operating effectively, and communicate findings in a way management can act on.
That perspective matters because many candidates approach CISA as though it were a deep technical security exam. Technical knowledge helps, especially in areas such as access control, backup, logging, change management, cloud operations, and incident response. However, the test is usually more interested in the audit objective and the strength of the control than in low-level implementation detail.
In real work, that difference shows up during SOX IT general controls testing, SOC 2 readiness work, ISO/IEC 27001 internal audits, cloud shared-responsibility reviews, and vendor risk assessments. A CISA candidate is expected to recognise what evidence is useful, why a control exists, whether the evidence supports the control assertion, and how a weakness affects the organisation’s risk position.
The CISA exam is a single multiple-choice exam with 150 questions and a four-hour testing window. It is built around ISACA’s current CISA job practice, which is organised into five domains. Candidates should use the current ISACA exam content outline and recent ISACA review materials rather than relying on old question banks or outdated domain summaries.
| Domain | What it covers in plain English | How it tends to appear in preparation |
|---|---|---|
| Information Systems Auditing Process | How audits are planned, scoped, performed, evidenced, reported, and followed up. | Candidates need to understand independence, risk-based planning, audit evidence, sampling concepts, reporting, and remediation tracking. |
| Governance and Management of IT | How IT supports business objectives, risk management, policies, roles, oversight, and performance. | Questions often test whether a governance arrangement gives management enough visibility and accountability over technology risk. |
| Information Systems Acquisition, Development and Implementation | How systems are selected, built, changed, tested, migrated, and accepted into production. | Preparation should cover project controls, change control, development approaches, testing, data conversion, and implementation risk. |
| Information Systems Operations and Business Resilience | How systems are run, monitored, supported, backed up, recovered, and protected from disruption. | Candidates should connect operational controls to availability, integrity, incident response, disaster recovery, and service continuity. |
| Protection of Information Assets | How organisations protect data, identities, networks, endpoints, applications, and facilities. | This domain is sometimes underweighted by candidates, but it is central to evaluating whether security controls reduce business risk. |
A common preparation mistake is to memorise control names without understanding the audit purpose behind them. For example, a question about privileged access is unlikely to reward someone merely for knowing that access reviews exist. It may ask who should approve access, what evidence would support the review, or what the auditor should do when access is excessive but management claims it is operationally necessary.
Passing the CISA exam and becoming certified are related steps, but they are not the same event. Candidates can sit the exam before they have completed all required professional experience, then apply for certification once the experience requirement and other ISACA conditions are satisfied.
ISACA’s standard requirement is professional experience in information systems auditing, control, assurance, or security. The original eligibility model includes a five-year professional experience requirement, with possible substitutions and waivers under ISACA’s official policy. Because waiver rules depend on education and work history, candidates should check the current ISACA certification application guidance rather than relying on informal summaries.
The practical task is to document experience in a way that shows relevance, not just job titles. A useful experience log records the engagement type, the systems or processes reviewed, the controls tested, the evidence gathered, the frameworks or criteria used, the findings raised, and the applicant’s role in the work. Someone who supported SOX user access testing, reviewed change tickets, assessed backup evidence, or evaluated vendor security questionnaires should capture those details while they are still easy to verify.
Timing also matters. Candidates who are already working in IT audit or assurance may prefer to pass the exam and submit the certification application soon afterwards. Those moving from security operations, compliance, or infrastructure roles may choose to take the exam earlier, then build audit-relevant experience through internal control testing, risk assessments, audit support, or governance work before applying.
CISA, CISM, and CRISC are all ISACA credentials, but they point toward different day-to-day responsibilities. CISA is the better first step when the work is centred on audit, assurance, control evaluation, and evidence. CISM is more aligned with information security programme management and governance. CRISC is more focused on identifying, assessing, responding to, and monitoring risk.
This distinction is useful for professionals deciding where to invest study time. An IT auditor who wants to lead audits, assess controls, or move into assurance consulting will usually find CISA the most directly applicable starting point. A security manager responsible for strategy, operating model, and programme oversight may be closer to CISM. A risk professional working on risk registers, treatment plans, and enterprise risk reporting may find CRISC more aligned.
Hiring managers tend to treat CISA as a strong signal, especially for audit, assurance, compliance, and governance roles. Even so, the credential is rarely enough on its own. Candidates who can describe audit outcomes, control improvements, evidence challenges, and stakeholder conversations usually make a stronger impression than candidates who can only state that they passed the exam.
A workable CISA plan usually combines three habits: reading the current ISACA material, practising questions for reasoning rather than memorisation, and reviewing weak areas until the audit logic becomes natural. The aim is not to become a specialist in every technology mentioned. The aim is to understand how an auditor evaluates technology risk and controls.
| Period | Primary focus | Practical output |
|---|---|---|
| Weeks 1–2 | Read the current exam outline and cover the auditing process and IT governance domains. | Create notes on audit planning, evidence, reporting, governance structures, risk ownership, and accountability. |
| Weeks 3–4 | Study acquisition, development, implementation, operations, and resilience. | Connect change control, project governance, testing, operations, backup, and recovery topics to audit objectives. |
| Weeks 5–6 | Work through practice questions and revisit weak areas, especially Protection of Information Assets. | Track why answers are wrong: misunderstood concept, missed keyword, outdated source, or poor exam technique. |
| Weeks 7–8 | Simulate exam timing, consolidate notes, and rehearse the first-pass strategy. | Build confidence in pacing, question triage, and reading questions from an auditor’s point of view. |
Several pitfalls appear repeatedly in CISA preparation. One is using stale question banks that reflect older domain structures or outdated terminology. Another is giving too little attention to Protection of Information Assets because it feels familiar to candidates with security backgrounds. A third is over-studying technical minutiae while missing the audit judgement that the question is testing.
Exam-day technique should reflect the four-hour, 150-question format. A sensible approach is to answer clear questions on the first pass, mark questions that require deeper thought, and return to them after securing the easier marks. Candidates should avoid spending too long on a single scenario early in the exam, because time pressure can cause avoidable mistakes later.
Readers who decide that structured preparation would help can consider Readynez’s CISA course and certification preparation after they have reviewed the official ISACA job practice and confirmed that CISA fits their role goals.
CISA has several possible cost components: exam registration, study materials, optional training, retake costs if needed, certification application, annual maintenance, and continuing education. Exact fees vary by membership status, region, tax treatment, and ISACA policy, so candidates should check current official pricing before budgeting.
Scheduling is handled through ISACA’s published registration and testing process, including the rules for online or test-centre delivery where available. Candidates should read the identification requirements, rescheduling terms, permitted items, and exam conduct rules before exam day. Most exam-day problems are avoidable when candidates verify the administrative requirements early rather than the night before.
The exam itself is not divided into timed domain sections. Candidates should manage the full four-hour window across the full question set, using marked questions and review time carefully. In practice, a calm pacing strategy is more useful than trying to predict which domain will appear next.
CISA certification is maintained through continuing professional education and annual maintenance requirements. The original ISACA model includes annual and three-year CPE expectations, and the source guidance refers to 20 hours annually and 120 hours across a three-year period. Candidates and certified professionals should still verify the current CPE policy directly with ISACA because reporting rules and accepted activity types can change.
Good CPE planning is easier when it is connected to real work rather than treated as an administrative scramble. Audit planning workshops, security governance training, privacy and compliance learning, cloud risk education, and control framework study can all support professional development when they align with ISACA’s policy. Keeping records throughout the year also reduces the risk of missing evidence if selected for review.
CISA knowledge becomes more concrete when mapped to recurring engagements. In SOX environments, it helps professionals evaluate IT general controls such as user access, change management, job scheduling, backups, and incident handling. In SOC 2 readiness work, it supports the review of control design, evidence quality, monitoring, and remediation ownership.
In ISO/IEC 27001 contexts, CISA knowledge can help internal auditors connect risk assessment, control selection, management review, corrective action, and evidence. In cloud reviews, it supports questions about shared responsibility, identity governance, logging, encryption, resilience, and vendor assurance. In third-party risk work, it helps reviewers look beyond questionnaire completion and assess whether evidence supports the vendor’s control claims.
Framework knowledge can also help, but frameworks should not be studied as isolated vocabulary. COBIT, COSO, ITIL, ISO/IEC 27001, and NIST guidance are most useful when candidates understand how they shape control objectives, responsibilities, evidence, and governance decisions.
CISA can help candidates pass initial screening for IT audit, technology risk, assurance, compliance, and governance roles. It gives employers a recognisable signal that the candidate understands audit concepts and control evaluation. This can be especially useful for security analysts, infrastructure professionals, or compliance staff trying to move into audit-oriented work.
The credential does not replace evidence of impact. Strong candidates can explain how they tested controls, handled incomplete evidence, documented exceptions, challenged weak remediation plans, or translated technical issues into business risk. The certification may open the conversation, but audit judgement and communication skills often determine how far the conversation goes.
CISA is a sound choice when a professional wants to build credibility in information systems audit, assurance, control testing, and governance review. It is less direct for someone whose primary goal is hands-on penetration testing, cloud engineering, or security operations, although those backgrounds can support a strong transition into audit if the person learns how to evaluate controls objectively.
The most effective next step is to compare the official ISACA requirements with current responsibilities, then decide whether self-study, structured training, or a blended approach is appropriate. Readynez also provides ISACA training options and Unlimited Security Training for professionals planning broader security and governance development; questions about fit can be discussed through the contact team.
CISA is ISACA’s Certified Information Systems Auditor credential. It validates knowledge of information systems auditing, governance, systems development and implementation, operations and resilience, and protection of information assets.
The CISA exam has 150 multiple-choice questions and a four-hour testing window. It is not split into separately timed domain sections, so candidates need to manage their own pace across the whole exam.
ISACA’s standard model requires relevant professional experience in information systems auditing, control, assurance, or security, with the original requirement stated as five years. Substitutions and waivers may apply under ISACA’s official policy, so candidates should confirm current rules before applying.
Yes. Candidates can pass the exam before completing the full certification application requirements, then apply for certification once the experience and other ISACA conditions are met. Keeping a detailed experience log makes the later application easier.
Candidates should use the current ISACA exam outline and recent review materials, study each of the five domains, practise questions for reasoning rather than memorisation, and rehearse a time-management strategy for the four-hour exam. A six-to-eight-week plan is realistic for many working professionals who can study consistently.
It depends on the role goal. CISA is usually the better first choice for audit and assurance work, CISM is more aligned with security management and governance, and CRISC is more focused on risk identification, assessment, and response.
Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course.
You're viewing our global site from United States
Would you like to view the site in
English
with prices in
Dollar?