CISA - Frequently Asked Questions


Below are some of the more frequent questions we receive regarding CISA (Certified Information Systems Auditor). A more comprehensive FAQ, covering Exam Registration as well as Certification information, is available on the ISACA CISA web site.

 

 



1. What are the qualifications to earn the CISA credential?

Qualifying for CISA requires a combination of the following requirements:

 

  • Successful completion of the CISA exam
  • Adherence to a code of professional ethics
  • Commitment to a continuing professional education program
  • Compliance with Information Systems Auditing Standards
  • A minimum of five years of professional information systems auditing, control or security work experience is required for certification.

 

Substitutions and waivers of such experience may be obtained as follows:


  • A maximum of one year of information systems experience OR one year of financial or operational auditing experience can be substituted for one year of information systems auditing, control or security experience.
  • 60 to 120 completed college semester credit hours (the equivalent of an associate's or bachelor's degree) can be substituted for one or two years, respectively, of information systems auditing, control or security experience.
  • A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for one year of information systems auditing, control, assurance or security experience. To view a list of these schools, please visit www.isaca.org/modeluniversities. This option cannot be used if three years of experience substitution and educational waiver have already been claimed.
  • Two years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for one year of information systems auditing, control or security experience.




2. Will CISAs qualify for CISM?

The CISM certification program recognizes the achievement of the CISA credential as a baseline representation that an individual has gained general information security skill and knowledge. As such, CISAs receive a two-year general information security waiver. However, CISAs will not be eligible to earn a CISM unless they have the required experience and can demonstrate proficiency and practical knowledge in the role of an information security manager.

