In order to become CISA certified, applicants must pass the CISA examination with a score of 450 or higher (scored on a scale of 200 to 800) and possess a minimum of five years of professional experience in the fields of information systems auditing, control, assuranceor security. The work experience must have been within the 10 years prior to a candidate's application submission or within five years of a passed CISA exam. Certain substitutions and waivers may be applied. The candidate must also adhere to ISACA's Code of Professional Ethics and Information Systems Auditing Standards. Once these criteria are met, the candidate can apply for certification.
The CISA exam is four hours long and consists of 150 multiple choice questions set around five job practice domains:
- The process of auditing information systems.
- Governance and management of IT.
- Information systems acquisition, development and implementation.
- Protection of information assets.
- Information systems operations, maintenance and service management.
The exam is administered in June, September and December in testing locations worldwide. Besides English, it is also offered in other languages, including Chinese Mandarin Simplified, French, Japanese, Korean and Spanish.
After achieving CISA certification, CISAs must maintain it by undergoing 20 hours of training per year and a minimum of 120 hours in a three-year period. This training is to ensure that CISAs stay up to date and proficient in their fields.
Attaining CISA certification is considered beneficial as it is accepted by employers worldwide and is often requested for IT audit and security management positions. Although ISACA no longer releases statistics on the number of applicants who pass the CISA exam, it is widely reported that approximately 50% of those taking the exam receive a passing grade.