The CISA program is designed to assess and certify individuals in the IS audit, control, assurance or security profession who demonstrate exceptional skill and judgment. To earn the CISA designation, candidates are required to:

1. Achieve a passing score on the CISA exam.

2. Submit an application with verified evidence of a minimum of five years of professional IS audit, control, assurance or security work experience. Substitution and waivers of such experience may be obtained as follows:
- A maximum of one year of information systems OR one year of non-IS audit experience can be substituted for one year of information systems audit, control, assurance or security experience;
- 60 to 120 completed university semester credit hours (the equivalent of a two-year or four-year degree), not limited by the 10-year preceding restriction, can be substituted for one or two years, respectively, of information systems audit, control, assurance or security experience; and
- A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for one year of information systems auditing, control, assurance or security experience. This option cannot be used if three years of experience substitution and educational waiver have already been claimed; and
- Two years as a full-time university instructor in a related field (e.g., computer science, accounting or information systems auditing) can be substituted for one year of information systems audit, control, assurance or security experience.
As an example, at a minimum (assuming a two-year waiver of experience by substituting 120 university credits), an applicant must have three years of actual work experience. This experience can be completed by:

- Three years of information systems audit, control, assurance or security experience; OR
- Two years of information systems audit, control, assurance or security experience and one full year of audit or information systems experience, or two years as a full-time university instructor.

All experience must be verified independently with employers and have been gained within the 10-year period preceding the application date or within five years after the date of passing the CISA exam. Applications for certification must also be submitted no more than five years after the date of passing the CISA exam. The application is available at www.isaca.org/cisaapp.

It is important to note that many individuals choose to take the CISA exam prior to meeting the experience requirements. This practice is acceptable and encouraged, although the CISA designation will not be awarded until all requirements are met.
3. Adhere to the ISACA Code of Professional Ethics (www.isaca.org/ethics), which is included in the Candidate's Guide to the CISA Exam provided to each registered exam candidate.
Training for the CISA Exam

The CISA exam is offered each year in June and December and consists of 200 multiple-choice questions that cover the CISA job practice areas. The exam covers six information system audit, control and assurance or security areas created from a CISA job practice analysis. The percentages below indicate the emphasis or percent of questions that will appear on the exam from each area. The job practice analysis was developed and validated using prominent industry leaders, subject matter experts and industry practitioners. The areas and their definitions are as follows:
Content Area

- IS audit process (10%)—Provide IS audit services in accordance with IS audit standards, guidelines and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.
- IT governance (15%)—Provide assurance that the organization has the structure, policies, accountability, mechanisms and monitoring practices in place to achieve the requirements of corporate governance of IT.
- Systems and infrastructure life cycle (16%)—Provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance and disposal of systems and infrastructure will meet the organization's objectives.
- IT service delivery and support (14%)—Provide assurance that the IT service management practices will ensure delivery of the level of services required to meet the organization's objectives.
- Protection of information assets (31%)—Provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.
- Business continuity and disaster recovery (14%)—Provide assurance that, in the event of a disruption, the business continuity and disaster recovery processes will ensure the timely resumption of IT services, while minimizing the business impact.
CISA exam questions are developed and maintained carefully to ensure that they accurately test an individual's proficiency in IS audit, control & assurance or security practices.