Certified Information Systems Auditor (CISA) Fact Sheet 

Since 1978, the CISA program has been a globally accepted standard of achievement among information systems (IS) audit, control and security professionals. More than 100,000 professionals have earned the CISA designation since inception.

Since 1978, the CISA program has been a globally accepted standard of achievement among information systems (IS) audit, control and security professionals. More than 103,000 professionals have earned the CISA designation since inception.

The CISA certification is designed for those who audit, control, monitor and assess an enterprise’s information technology and business systems. CISAs are recognized internationally as professionals with the assurance knowledge, skills, experience and credibility to leverage standards, manage vulnerabilities, ensure compliance, offer solutions, institute controls and deliver value to the enterprise. Often, the CISA credential is a mandatory qualification for an information systems auditor.

Certification Requirements

To earn the CISA designation, candidates are required to:

  • Successfully complete the CISA examination, which is offered three times annually (June, September and December) in 11 languages and at more than 240 locations
  • Adhere to ISACA’s Code of Professional Ethics and agree to comply with a continuing professional education policy
  • Submit evidence of a minimum of five years of professional IS auditing, control or security work experience
  • Adhere to the Information Systems Auditing Standards as adopted by ISACA
  • Agree to comply with the CISA Continuing Education Policy

CISA retention each year consistently remains in the 90 percent range.

CISA in the Workplace

  • More than 28,500 serve as audit directors, managers or consultants and auditors (IT and non-IT).
  • More than 11,000 are IT directors, managers, consultants and related staff.
  • More than 9,500 are employed in managerial, consulting or related positions in IT operations or compliance.
  • Nearly 9,000 are security directors, managers, consultants and related staff.
  • More than 2,600 CISAs are CEOs, CFOs or equivalent executives.
  • More than 2,400 are CIOs, CISOs, or chief compliance, risk or privacy officers.
  • More than 2,300 serve as chief audit executives, audit partners or audit heads.

CISA Recognition

  • SC Magazine selected CISA as a finalist of the 2013 “Best Professional Certification Program” in the Professional Awards category for the third year in a row. CISA was named a finalist by a panel of chief information security officers (CISOs) at major corporations and large public-sector organizations. CISA won the Best Professional Certification Program award in 2009.
  • CISA was noted as having gained 20% in average market value from 1 April to 1 October 2012 and was listed as a Highest Paying certification in Foote Partners IT Skills and Certifications Pay Index™ (ITSCPI). To make this list, a certification has to be averaging a pay premium in excess of the equivalent of 10% of base salary. CISAs are earning premiums that place them in the top 7% of all 268 certifications currently being reported.
  • SC Magazine selected CISA as a finalist of the 2012 “Best Professional Certification Program” in the Professional Awards category for the second year in a row. CISA was named a finalist by a panel of chief information security officers (CISOs) at major corporations and large public-sector organizations. CISA won the Best Professional Certification Program award in 2009.
  • CISA was listed as the fourth-highest-paying certification in the 2012 IT Skills and Salary Survey by Global Knowledge and TechRepublic.
  • CISA is recognized as one of the “Top Five Security Certifications” in a Global Knowledge blog post.
  • The Skills Framework for the Information Age (SFIA) has recognized the CISA and CISM certifications by mapping them to the SFIA and showing the relevance of the related skills and experience. (www.sfia.org.uk)
  • The World Lottery Association (WLA) recommends that its auditors be CISAs or CISMs. WLA represents the interests of global government-controlled lotteries and sets worldwide standards in security and risk management.
  • The National Association of Insurance Companies (NAIC) has included CISA among the approved certifications for qualified IT examiners. According to NAIC, IT examiners must have sufficient knowledge, background and experience to perform the IT portion of a financial exam.
  • CISA was named in the top five of Foote Partners’ 2011 semiannual “HOT LIST Forecast” of IT skills and certifications that will increase in value over the next six months.
  • Mobile Share Trading Guidelines issued by Bombay Stock Exchange recognize the CISA certification by requiring the following: "Once the approval is granted and the member goes live with the Securities Trading Using Wireless Technology, the member is required to submit the system audit certificate on yearly basis duly certified by the CISA certified or equivalent system auditor..."
  • Third-party audits of Smart Order Routing in the Indian securities market must be conducted by a CISA or equivalent.
  • A US Drug Enforcement Administration (DEA) regulation notes that CISA is one of two accepted designations that fulfill a requirement for those performing required third-party audits of electronic prescription applications.
  • In January 2010, the CISA designation was awarded the Best Professional Development Grand Award and the Best Professional Development (Scheme) Gold Award at the Hong Kong ICT Awards 2009 presentation ceremony.
  • Reserve Bank of India requires CISA qualified personnel to perform IT audits on the information technology infrastructure of all banks that hold government securities.
  • In a January 2010 study by Mile High Research, ISACA’s CISA and CISM certifications made the top 10 in-demand IT certifications for new jobs posted over the last 14 days. The job descriptions specified one or more certifications as minimum or preferred credentials for the job posting. ISACA and other organizations whose credentials made the top 10 “obviously make a connection between their certifications and employers – that connection is value," said Denny Schall, CLO of Mile High Research.
  • The DRII Institute for Continuity Management recognizes DRII certification applicants who hold a CISA certification in good standing. DRII offers a 10-percent discount on courses to these applicants. CISAs qualify for the Certified Business Continuity Lead Auditor (CBLA) certification and get a bypass for the references (experience).
  • The Securities Exchange Board of India requires biannual system audits of all mutual funds to be conducted by an independent auditor who is CISA/CISM-certified or equivalent.
  • The Peruvian supervisory body that rules on financial entities, insurance companies and private pension funds managers has recognized CISA as an internationally renowned certification that attests to the expertise and specialization of internal auditors.
  • CISA has earned accreditation from the American National Standards Institute (ANSI) under the International Standard ANSI/ISO/IEC 17024 for the past three years. This accreditation is a benchmark for global organizations that certify individuals worldwide.

For a more comprehensive list of CISA recognitions, please visit www.isaca.org/recognitions.

CISA in the News

  • Smart Business, in “How to prepare for changing salaries in 2012,” includes CISA on its list of top certifications for 2012.
  • Inside India Business, January 2012, cites Robert Half’s list of most valued credentials, which includes the CISA certification, in an article titled, “Hiring in 2012? Expect Increasing Competition, Salaries for Financial Candidates.”
  • Internal Audit Report, January 2011, urged auditors to obtain the CISA in an article titled, “There’s No Better Certification Than the CISA.”
  • SC Magazine noted in an article titled "Security Certifications: What Decides Know-how?" that the “CISA, in fact, is becoming almost as important as a CPA (Certified Public Accountant) for auditing positions.”
  • In January 2010, the CISA certification program was awarded the Best Professional Development Grand Award and the Best Professional Development (Scheme) Award in the Hong Kong ICT Awards 2009 presentation ceremony.
  • Information Security Media Group (ISMG) conducted its first annual Information Security Today Career Trends survey. Based on survey results, the list of top 10 certifications most sought after by security professionals in 2010 includes ISACA’s CISA and CISM certifications.
  • In an article titled “Certification choices for a career in Information Security,” GetSetGrow.org lists the CISA and CISM as recommended certifications in order to pursue a career in computer security.
  • An article in ArtWoo, an article network, states, “Second on the list of ‘in demand’ certifications is the CISA, which certifies auditors. And there is good news for this group. Auditors are much in demand in a dwindling economy.”
  • An article in Enterprise Systems, titled “Careers: The Volatility Trap” states, "While losers continue to outstrip winners in both the certified and uncertified arenas, a number of skill certifications are still in demand, including: ...CISA, CISM."
  • An article in Catalyst titled, “Where are the Baby Boomers Going?” stated, “According to Lodato, ‘Many retirement-age professionals choose to become consultants instead of retiring. Although they are not required for all consulting engagements, licenses such as CPA, CIA and CISA are desired by clients and sometimes required for certain projects. Having these and other certifications creates more opportunities.’”
  • A Manila Times (Philippines) article, titled “Evolve or Perish,” states, “It is now the age of CISAs or Certified Information Systems Auditors. These are accountants/auditors/technology experts.”
  • A Bankinfosecurity.com article, titled “The Most In-demand Skills,” states, "Security professionals should look to increase their skills in several areas: Experienced-based certifications—such as ISACA's CISM and CISA certifications. These certifications are usually valued more highly by hiring organizations because they provide an assurance that the holder has extensive experience in their fields. Other certifications based on simply passing a test to demonstrate specific knowledge will be in less demand. Companies want to know that candidates can do the job, not pass a test."
  • "If you look at the CISA certification when it first came out, it was something that people thought it would just be nice to have. It's really evolved. It's a requirement for some employers in getting hired or promoted. I think it's become an independent benchmark. You'll see companies that will say, 'Our whole security staff has certifications.'" --Everett Johnson, international president of ISACA (Source: Certification Magazine)

Contact:

Kristen Kessinger, +1.847.660.5512
Joanne Duffer, +1.847.660.5564
news@isaca.org