CISA Certification Guide — Certified Information Systems Auditor
What Is CISA?
CISA (Certified Information Systems Auditor) is the world’s most widely recognised certification for IT audit, assurance, and control professionals. Offered by ISACA (Information Systems Audit and Control Association), CISA validates the expertise needed to assess IT systems, evaluate controls, identify vulnerabilities, and report findings to business leadership.
Launched in 1978, CISA is one of the oldest and most established cybersecurity certifications in existence. Over 170,000 professionals worldwide hold the CISA designation. It appears consistently in the top five most requested cybersecurity certifications in job postings, particularly for roles in IT audit, compliance, governance, and GRC.
CISA is not a technical hacking certification. It does not test your ability to configure firewalls or exploit vulnerabilities. It tests your ability to audit whether an organisation’s information systems, controls, and governance practices are adequate to manage risk and meet compliance obligations. That distinction makes CISA a natural fit for professionals transitioning from non-IT backgrounds in finance, accounting, legal, healthcare, or operations.
I came across CISA while researching career paths for people with an accounting and compliance background. What surprised me was how many of the concepts — internal controls, audit evidence, risk assessment, governance frameworks — I already understood from a financial context. CISA essentially applies those same disciplines to information systems. That realisation made the transition feel much less like starting over and much more like extending existing expertise into a new domain.
Who Should Get CISA?
CISA is designed for professionals who audit, assess, and assure information systems. It is a strong fit for a wide range of backgrounds — both technical and non-technical.
CISA is ideal if you:
- Are transitioning from accounting, internal audit, or compliance roles in any industry
- Work in or are targeting IT audit, assurance, risk, or GRC roles
- Want the most broadly recognised GRC credential with the widest job market applicability
- Are in financial services, government, healthcare, or any highly regulated industry where IT audit is a core function
- Already hold Security+ or CGRC and want to specialise in audit and assurance
- Are targeting consultant or advisory roles where audit expertise is valued by clients
CISA is also relevant if you:
- Work in a SOC or security engineering role and want to understand how your work gets audited
- Are a project manager or business analyst who works with IT governance or compliance programmes
- Have a background as a financial auditor who wants to expand into technology audit
For career changers who do not yet meet the experience requirement: CISA is a realistic medium-term target. The education waiver (up to 2 years) and the related-certification waiver (1 year for Security+, CISSP, or similar) can reduce the experience requirement significantly. Many career changers sit the exam while accumulating experience and apply for full certification once eligible.
CISA Exam Domains
CISA covers five domains. The domains have been updated in recent exam revisions to reflect the evolving IT audit landscape, with Domain 1 receiving increased weight to reflect the growing importance of information security governance.
| Domain | Weight | What It Covers |
|---|---|---|
| Domain 1: Information Systems Auditing Process | 21% | Audit standards, risk-based audit planning, audit evidence collection and evaluation, reporting audit findings |
| Domain 2: Governance and Management of IT | 17% | IT governance frameworks, IT strategy alignment, IT organisational structures, IT policies and procedures |
| Domain 3: Information Systems Acquisition, Development and Implementation | 12% | Project management, systems development lifecycle (SDLC), change management, application controls |
| Domain 4: Information Systems Operations and Business Resilience | 23% | IT service management, system performance management, capacity planning, incident management, business continuity, disaster recovery |
| Domain 5: Protection of Information Assets | 27% | Logical access controls, network security, encryption, endpoint security, data classification, privacy |
Domain 5 (Protection of Information Assets) is the largest single domain at 27%. This reflects the increasing importance of security controls in IT audit practice. Domain 4 (Operations and Business Resilience) is the second largest at 23%.
Domain 1 (IS Auditing Process) is the domain that distinguishes CISA from other certifications. It tests your understanding of how to plan and conduct an IT audit — the methodologies, evidence standards, and reporting practices that auditors follow. This is content you will not find in Security+ or CRISC.
CISA Domains at a Glance
Figure: CISA Five Domains — The IT Audit Lifecycle. CISA covers every phase of IT audit practice from planning through asset protection.
Prerequisites and Experience Requirements
CISA has a 5-year professional experience requirement, but importantly it has multiple waiver paths that can reduce this to 3 years — or even fewer in some cases.
To become CISA certified, you must:
- Pass the CISA exam
- Have at least 5 years of professional experience in IS audit, control, assurance, or security
- Experience must be within the last 10 years at the time of certification application
- Apply for certification within 5 years of passing the exam
- Agree to ISACA’s Code of Professional Ethics and Continuing Education Policy
Experience waivers:
| Waiver type | Years waived | Notes |
|---|---|---|
| University education (2-year degree) | 1 year | Substitutes for 1 year of required experience |
| University education (4-year degree) | 2 years | Substitutes for 2 years of required experience |
| CISSP, CISM, CRISC, or similar | 1 year | Approved list on ISACA website |
| IT instructor (at university level) | 1 year | Teaching IS or IT courses |
With a 4-year degree and Security+: You need only 2 years of qualifying experience (5 - 2 years degree waiver - 1 year certification waiver = 2 years). This is a realistic timeline for career changers entering GRC or IT audit roles.
What counts as qualifying experience:
- IT audit, internal control review, or external assurance work
- Information security management, governance, or compliance
- IT risk management, third-party risk, or vendor assessment
- IT operations, systems administration, or development (when directly related to IS audit domains)
- Information systems analysis, design, or quality assurance
Exam Format, Cost, and Logistics
| Detail | CISA (2024 format) |
|---|---|
| Number of questions | 150 questions |
| Question types | Multiple choice (4 options) |
| Time allowed | 4 hours |
| Passing score | 450 on a scale of 200-800 |
| Cost | $575 USD (ISACA member) / $760 USD (non-member) |
| Testing provider | PSI (online or at test centres) |
| Languages | English, Chinese (simplified and traditional), Spanish, French, German, Hebrew, Italian, Japanese, Korean, Turkish |
| Validity | 3 years (CPE credits required for renewal) |
| CPE requirement | 120 CPE credits over 3-year renewal cycle (20 minimum per year) |
ISACA membership saves $185 on the exam fee — the $135 annual membership more than pays for itself on exam day. Membership also includes access to ISACA’s official study resources and community.
Exam details source: isaca.org/credentialing/cisa (verified March 2026). ISACA updates exam content periodically — always verify current details before scheduling.
Study Plan for Career Changers
Recommended timeline: 3-6 months at 8-12 hours per week.
The CISA mindset: CISA tests you on how an auditor thinks — and the auditor mindset is different from a practitioner mindset. When a CISA question asks what to do after discovering a control weakness, the answer is almost always about following audit protocol: document the finding, assess its materiality, include it in the audit report, and recommend corrective action, not about immediately fixing the problem yourself. Understanding this distinction early saves considerable study time.
Phase 1 — Foundations (Weeks 1-4):
Read the ISACA CISA Review Manual from beginning to end without trying to memorise everything. Build a mental map of how the five domains relate to each other. Pay particular attention to Domain 1 (the audit process) — this domain sets up the framework that all other domains operate within.
Phase 2 — Domain Study (Weeks 5-14):
Study each domain using the Review Manual and official practice questions. Spend proportionally more time on Domains 5 and 4, which have the highest exam weights. For Domain 3, focus on SDLC audit considerations and change management controls rather than development methodologies.
Phase 3 — Practice and Integration (Weeks 15-20):
Work through ISACA’s official question bank and full practice exams. Aim for 70-75% or above consistently before scheduling. Spend time reviewing wrong answers — understanding why the auditor answer is correct, not just why your initial choice was wrong, is the key to CISA preparation.
Recommended resources:
- ISACA CISA Review Manual — official study guide, essential
- ISACA CISA Review Questions, Answers & Explanations — official question bank, essential
- Peter Gregory’s CISA All-in-One Exam Guide — well-reviewed third-party supplement
- Hemang Doshi YouTube channel — free video explanations covering all five domains
- ISACA CISA Study Hall — adaptive learning platform from ISACA (included in some bundles)
How CISA Compares to CRISC and CISSP
CISA vs CISSP — Audit Generalist vs Security Management
CISA:
- IT audit specialist — The world’s most recognised IT audit certification — covers assurance, control evaluation, and audit reporting across five domains
- 5 years experience (with waivers) — Education and certification waivers can reduce this to 2-3 years — more accessible for career changers than CISSP
- Non-technical entry path — Accountants, internal auditors, compliance professionals, and governance specialists transition well — prior IT experience less critical
- Audit and assurance focus — Tests whether controls work and how to evaluate them — not how to implement or attack systems
- Target roles — IT Auditor, IS Audit Manager, Compliance Analyst, GRC Manager, Internal Audit roles across all regulated industries
CISSP:
- Security management breadth — Covers eight domains of information security from risk management to software security — the most comprehensive security management credential
- 5 years experience (minimal waivers) — Requires experience in at least 2 of 8 domains — waivers only reduce to 4 years, not as flexible as CISA
- Technical security knowledge required — Tests cryptography, network security, access control, and security architecture at a depth CISA does not require
- Management and leadership focus — Designed for security leaders making risk-based decisions — programme design, executive communication, governance strategy
- Target roles — Security Architect, Security Director, CISO, Senior Security Engineer, Security Manager — senior individual contributor and leadership roles
Career Impact and Salary Uplift
CISA salary benchmarks (2024):
| Role | Salary range (USD) | Notes |
|---|---|---|
| IT Audit Associate (with CISA) | $75,000 - $100,000 | Entry-to-mid level with 3-5 years experience |
| IT Auditor / IS Auditor | $90,000 - $125,000 | Mid-level with 5-8 years |
| IT Audit Manager | $115,000 - $155,000 | Manager level with 8-12 years |
| Director of IT Audit / GRC | $140,000 - $200,000+ | Director level, large organisations |
Salary ranges are approximate benchmarks sourced from the ISACA IT Skills and Salary Report 2024 and industry survey data as of early 2026. Individual results vary significantly based on location, employer size, industry, and experience. These figures are US market estimates — Australian, UK, and other market salaries will differ.
Industries that specifically seek CISA:
CISA is most highly valued in regulated industries:
- Financial services and banking — where IT audit is a regulatory requirement (SOX, FINRA, FDIC)
- Healthcare — where HIPAA compliance and IT control assurance are ongoing requirements
- Government and public sector — where IS audit is a formal accountability function
- Big Four consulting firms — Deloitte, PwC, EY, and KPMG all hire CISA-certified auditors for client advisory work
- Technology companies — for SOC 2 readiness, vendor risk, and internal audit functions
The consulting premium: Big Four and boutique advisory firms actively recruit CISA holders. Consulting positions typically pay 15-25% above equivalent industry roles, with the trade-off of travel and client variability. For career changers from accounting or advisory backgrounds, this is a natural path.
Related guide: Compliance Frameworks Decoded (NIST, ISO 27001, SOC 2, HIPAA & PCI-DSS explained in plain English). CISA is the gold standard for IT audit and compliance, and that guide covers the frameworks (NIST, ISO 27001, SOC 2) that CISA tests, giving you a practical foundation before you tackle the exam.
Summary and Key Takeaways
- CISA is the world’s most recognised IT audit certification — held by 170,000+ professionals globally and consistently listed among the top five most requested certifications in GRC job postings.
- It requires 5 years of experience, but education and certification waivers can reduce this to as few as 2 years — making it more accessible for career changers than CISSP.
- Domain 5 (Protection of Information Assets) has the highest exam weight (27%), followed by Domain 4 (Operations and Business Resilience) at 23%. These two domains together account for half the exam.
- CISA tests the auditor mindset — following audit protocols, documenting findings, assessing control effectiveness, and reporting to leadership. Understanding this mindset is the key to exam success.
- CISA is non-technical enough for career changers from audit, accounting, compliance, healthcare, and legal backgrounds to achieve with moderate study investment.
- CISA vs CRISC: CISA is broader with more job postings globally. CRISC specialises in risk management and commands slightly higher compensation in risk-specific roles. Many senior GRC professionals hold both.
- CISA vs CISSP: CISA is audit-focused and more accessible. CISSP is security management-focused and requires deeper technical knowledge. Choose based on your target role, not just your current background.
Exam details, experience requirements, and certification policies verified in March 2026 against ISACA’s official CISA page (isaca.org/credentialing/cisa). ISACA updates exam content periodically — always verify current details before scheduling.
Salary data is approximate and varies by location, employer, and experience. Individual results vary. This guide provides general guidance and does not guarantee employment outcomes.
Frequently Asked Questions
What does CISA stand for?
CISA stands for Certified Information Systems Auditor. It is a professional certification from ISACA that validates expertise in IT audit, assurance, control, and governance. It is the most widely recognised IT audit certification globally.
How much experience do I need for CISA?
Five years of professional experience in IS audit, control, assurance, or security. However, a 4-year university degree waives 2 years, and approved certifications like Security+ or CISSP waive 1 year. With both waivers, you need only 2 years of qualifying experience — a realistic timeline for career changers who enter GRC or IT audit roles.
Can I sit the CISA exam before I have the required experience?
Yes. You can sit and pass the CISA exam before having all the required experience. After passing, you have 5 years to accumulate the qualifying experience and apply for full CISA certification. This is a common approach — you get the exam behind you while continuing to build experience.
Is CISA suitable for non-IT professionals?
Yes, it is one of the most non-IT-friendly senior cybersecurity certifications. CISA does not require you to configure systems, write code, or perform technical attacks. It tests your ability to audit and evaluate whether controls exist, are designed correctly, and operate effectively. Accountants, internal auditors, compliance officers, and governance professionals have a strong conceptual foundation for CISA from their existing careers.
What is the difference between CISA and CRISC?
CISA is the IT audit generalist — it covers five domains of IT audit, assurance, governance, operations, and asset protection. It is the most widely recognised and has the largest global job market. CRISC is the risk specialist — four domains focused specifically on IT risk identification, assessment, response, and control. CISA has education and certification waivers that make it more accessible. Many senior GRC professionals hold both.
How hard is the CISA exam?
CISA has a pass rate of approximately 50-65% on first attempt, making it moderately difficult. The challenge is less about memorising facts and more about internalising the auditor mindset — understanding when to document, escalate, report, and recommend rather than acting directly. Candidates who study thoroughly with official materials and understand the audit process typically pass with 3-6 months of preparation.
What industries hire CISA professionals?
CISA is most in demand in financial services (banking, insurance, investment management), healthcare, government and public sector, Big Four and boutique advisory firms, and large technology companies. Any regulated industry with IT audit obligations — which is most industries above a certain size — values CISA. The certification is particularly powerful in organisations subject to SOX, HIPAA, PCI-DSS, or government audit requirements.
Should I get CISA or Security+ first?
Get Security+ first. Security+ is the entry-level foundation that covers the technical and governance basics underlying all GRC certifications. It also qualifies as an ISACA experience waiver (1 year off the CISA experience requirement). Get Security+, gain 2-3 years of GRC experience, then pursue CISA. This is the most efficient path for career changers.
More resources
- ISACA CISA page (isaca.org/credentialing/cisa): Official exam details, experience requirements, waiver information, and certification application process for CISA.
- ISACA CISA Review Manual: The official ISACA study guide covering all five CISA domains; the primary and most important study resource.
- ISACA IT Skills and Salary Report: Annual survey of IT professional salaries by certification, role, and region; includes CISA compensation benchmarks.
- Hemang Doshi CISA Video Series: Free YouTube video series covering all five CISA domains; well-regarded by the CISA study community for clear explanations.