How to Become a Certified Information Systems Auditor
Becoming a Certified Information Systems Auditor (CISA) is a major milestone for IT audit and cybersecurity professionals. The process is managed by ISACA and involves a combination of passing a rigorous exam and proving real-world experience.
Here is the step-by-step roadmap to achieving and maintaining your CISA in 2026.
1. Pass the CISA Exam
The first step is passing the 150-question, four-hour multiple-choice exam. From the date you pass, you have a five-year window to complete the remaining requirements and submit your application.
The exam is structured around five "Job Practice Areas" (ISACA calls them domains) that reflect the actual tasks of an IT auditor. ISACA revises the job practice periodically and the domain weightings shift when it does, so confirm the percentages below against the current exam content outline before you plan your study time:
Information System Auditing Process (21%): Standards and guidelines for performing audits.
Governance and Management of IT (17%): IT strategy, risk management, and organizational structure.
IS Acquisition, Development, and Implementation (12%): Auditing project management and system lifecycles (SDLC).
IS Operations and Business Resilience (23%): IT service management, disaster recovery, and business continuity.
Protection of Information Assets (27%): Physical and logical security, encryption, and incident response.
2. Meet the Work Experience Requirements
You must demonstrate a minimum of five years of professional work experience in information systems auditing, control, assurance, or security. The experience must have been gained within the ten years preceding your application date or within five years of passing the exam.
Experience Waivers (Up to 3 Years)
If you don't have five full years of qualifying experience, you can substitute up to three years of it with the following. The cap is cumulative: however you combine waivers, they never reduce the requirement below two years of actual experience.
1-Year Waiver: For 1 year of general IS experience OR 1 year of non-IS auditing experience.
1-Year Waiver: For an Associate's degree or specific certifications (like CCAK).
2-Year Waiver: For a Bachelor's, Master's, or Doctorate in any field.
3-Year Waiver: For a Master’s degree in Information Systems or Information Security from a university that follows the ISACA model curriculum.
3. Submit Your Application
Once you have passed the exam and met the experience requirements:
Pay the Application Fee: There is a one-time processing fee (usually $50 USD).
Verify Experience: Your work experience must be independently verified by a supervisor or manager (current or former) who can attest to it; you cannot verify your own experience.
Submit Online: Send your application via the ISACA portal within 5 years of passing your exam.
4. Adhere to Professional Ethics
As part of the application, you must agree to the ISACA Code of Professional Ethics. This requires you to maintain high standards of conduct, including:
Maintaining the confidentiality of information obtained during audits.
Performing duties with objectivity, due professional care, and integrity.
Disclosing the results of performed work to the appropriate parties.
5. Maintain Your Certification (CPE)
To keep your CISA active, you must participate in the Continuing Professional Education (CPE) program:
Annual Requirement: Earn at least 20 CPE hours per year.
Three-Year Cycle: Earn a total of 120 CPE hours every three years.
Maintenance Fee: Pay an annual maintenance fee ($45 for members, $85 for non-members).