
The CISA designation is awarded to individuals with an interest in Information Systems auditing, control and security who meet the following requirements:


Successful completion of the CISA examination

Submit an Application for CISA Certification

Adherence to the Code of Professional Ethics

Adherence to the Continuing Professional Education Program

Compliance with the Information Systems Auditing Standards

1. Successful completion of the CISA Examination

The examination is open to all individuals who have an interest in information systems audit,
control and security. All are encouraged to work toward and take the examination. Successful
examination candidates will be sent all information required to apply for certification with their
notification of a passing score. For a more detailed description of the exam see CISA Certification
Job Practice. Also, CISA Exam Preparation resources are available through the association and
many chapters host CISA Exam Review Courses (contact your local chapter).

2. Submit an Application for CISA Certification

Once a CISA candidate has passed the CISA certification exam and has met the work experience
requirements, the final step is to complete and submit a CISA Application for Certification. A
minimum of 5 years of professional information systems auditing, control or security work
experience (as described in the CISA job practice areas) is required for certification. Substitutions
and waivers of such experience, to a maximum of 3 years, may be obtained as follows:

A maximum of 1 year of information systems experience OR 1 year of non-IS auditing experience can be substituted for 1 year of experience.

60 to 120 completed university semester credit hours (the equivalent of a 2-year or 4-year
degree), not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years,
respectively, of experience.

A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model
Curricula can be substituted for 1 year of experience. To view a list of these schools, please visit
www.isaca.org/modeluniversities. This option cannot be used if 3 years of experience
substitution and educational waiver have already been claimed.

A master's degree in information security or information technology from an accredited university can be substituted for 1 year of experience.

Exception: 2 years as a full-time university instructor in a related field (e.g., computer science,
accounting, information systems auditing) can be substituted for 1 year of experience.

As an example, at a minimum (assuming a 2-year waiver of experience by substituting 120
university credits), an applicant must have 3 years of actual work experience. This experience
can be completed by:

3 years of IS audit, control, assurance or security experience

OR

2 years of IS audit, control, assurance or security experience and 1 full year of non-IS audit or IS
experience or 2 years as a full-time university instructor.

It is important to note that many individuals choose to take the CISA exam prior to meeting the
experience requirements.

This practice is acceptable and encouraged although the CISA designation will not be awarded
until all requirements are met.

The work experience for CISA certification must be gained within the 10-year period preceding
the application date for certification or within 5 years from the date of originally passing the
exam. The CISA Application for Certification is available at www.isaca.org/cisaapp. Note that
candidates have 5 years from the passing date to apply for certification.

3. Adherence to the Code of Professional Ethics

Members of ISACA and/or holders of the CISA designation agree to a Code of Professional Ethics
to guide professional and personal conduct.

4. Adherence to the Continuing Professional Education (CPE) Program

The objectives of the continuing education program are to:

Maintain an individual's competency by requiring the update of existing knowledge and skills in
the areas of information systems auditing, control or security

Provide a means to differentiate between qualified CISAs and those who have not met the
requirements for continuation of their certification

Provide a mechanism for monitoring information systems audit, control and security
professionals' maintenance of their competency

Aid top management in developing sound information systems audit, control and security
functions by providing criteria for personnel selection and development

Maintenance fees and a minimum of 20 contact hours of CPE are required annually. In addition,
a minimum of 120 contact hours is required during a fixed 3-year period.

View the complete Continuing Professional Education Policy.

5. Compliance with the Information Systems Auditing Standards

Individuals holding the CISA designation agree to adhere to the Information Systems Auditing
Standards as adopted by ISACA.

Please note that decisions on applications are not final as there is an appeal process for
certification application denials. Inquiries regarding denials of certification can be sent to
certification@isaca.org.
