Key facts
- CISA holders: 164,000+
- Average U.S. salary for CISA certification holders: $102,827
- Recommended experience: 5+ years
Start your journey to becoming a certified CISA professional with Infosec.
CISA exam overview
CISA is a mid-level credential offered by ISACA that is a great choice if you hope to enter the world of security auditing or validate your knowledge and skills around security controls. CISA holders understand how to analyze information systems and technology usage in an organization to improve risk management processes. The latest version of the CISA exam covers five knowledge areas, or domains.
Domain 1: Information systems auditing process (21%)
- IS audit standards, guidelines and codes of ethics
- Business processes
- Types of controls
- Risk-based audit planning
- Types of audits and assessments
- Audit project management
- Sampling methodology
- Audit evidence collection techniques
- Data analytics
- Reporting and communication techniques
- Quality assurance and improvement of the audit process
Domain 2: Governance and management of IT (17%)
- IT governance and strategy
- IT-related frameworks
- IT standards, policies and procedures
- Organizational structure
- Enterprise architecture and risk management
- Maturity models
- Laws, regulations and industry standards
- IT resource management
- IT service provider acquisition and management
- IT performance monitoring and reporting
- Quality assurance and quality management of IT
Domain 3: Information systems acquisition, development and implementation (12%)
- Project governance and management
- Business case and feasibility analysis
- System development methodologies
- Control identification and design
- Testing methodologies
- Configuration and release management
- System migration, infrastructure deployment and data conversion
- Post-implementation review
Domain 4: Information systems operations and business resilience (23%)
- Common technology components
- IT asset management
- Job scheduling and production process automation
- System interfaces
- End-user computing
- Data governance
- Systems performance management
- Problem and incident management
- Change, configuration, release and patch management
- IT service level management
- Database management
- Business impact analysis
- System resiliency
- Data backup, storage and restoration
- Business continuity plan
- Disaster recovery plans
Domain 5: Protection of information assets (27%)
- Information asset security frameworks, standards and guidelines
- Privacy principles
- Physical access and environmental controls
- Identity and access management
- Network and end-point security
- Data classification
- Data encryption and encryption-related techniques
- Public key infrastructure
- Web-based communication techniques
- Virtualized environments
- Mobile, wireless and internet-of-things devices
- Security awareness training and programs
- Information system attack methods and techniques
- Security testing tools and techniques
- Security monitoring tools and techniques
- Incident response management
- Evidence collection and forensics
Learn more about the CISA domains.
CISA exam details
CISA covers auditing, controlling, monitoring and assessing information technology and systems. Learn how to conduct risk-based audits to make data models and security practices as efficient as possible.
- Launch date: 1978
- Last update: June 2019
- Number of questions: 150
- Type of questions: Multiple-choice
- Length of test: 4 hours
- Passing score: 450 (on a scaled score of 200-800)
- Recommended experience: 5+ years of work experience in at least three domains (experience waivers of up to 3 years available)
- Languages: English, Chinese traditional, Chinese simplified, French, German, Hebrew, Italian, Japanese, Korean, Portuguese, Spanish, Turkish
- Validity duration: Three years
- CPEs needed for renewal: 120 (at least 20 annually)
- Exam cost: $575 for members, $760 for non-members
Free and self-study CISA materials
Many providers offer free study materials to help you prepare for your CISA exam, but a good starting point is the CISA exam outline. This comprehensive guide is the definitive resource on the CISA certification exam’s Body of Knowledge, which is the collection of topics on the test. You can develop a training plan and seek appropriate study materials based on this outline.
CISA study guides and books
ISACA and other training providers offer numerous training resources available on Amazon and elsewhere. These include:
- CISA Review Manual, 27th Edition (ISACA)
- CISA Certified Information Systems Auditor Study Guide, 4th Edition by David L. Cannon
- CISA Certified Information Systems Auditor All-in-One Exam Guide, 4th Edition by Peter H. Gregory
- CISA — Certified Information Systems Auditor Study Guide, 2nd Edition by Hemang Doshi
- 10 tips for CISA exam success
For more free resources, download our ISACA Career Kit.
CISA practice questions and exams
Practice exams for CISA certification are a great way to understand the questions you’ll be asked and gauge how ready you are for the big test. While you won’t find the exact questions from the exam, practice questions reflect the exam domains. A few of the most popular CISA practice question options are listed below:
- ISACA’s free CISA practice quiz
- CISA Review Questions, Answers & Explanations Manual, 12th Edition (ISACA)
Most paid CISA training courses also offer practice exams. For example, Infosec's CISA Boot Camp includes access to the ISACA Official Question, Answer & Explanation (QAE) database.
Other free CISA training resources
Many free CISA training materials are produced and shared by the cybersecurity community:
- Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken the CISA.
- YouTube is another great place to connect with cybersecurity practitioners and learn about the CISA exam. Although most CISA courses cost money, there are numerous free CISA videos available to watch.
- Podcasts may not help you directly study for your CISA exam, but those like the Cyber Work Podcast are a great way to learn about cybersecurity career options and your peers' career journeys.
CISA jobs and careers
CISA certification is considered one of the most prestigious auditing credentials in the world and one of the highest-paying certifications cybersecurity practitioners can earn. It can help professionals with at least five years in auditing, control, IT and security reach several management positions.
Common CISA job titles
- Internal auditor
- Information risk analyst
- IT security officer
- IT risk and assurance manager
- Chief information officer
- Network operation security engineer
- IT project manager
Learn more about the job outlook for CISA holders.
CISA live boot camps and self-paced training
Obtaining your information systems auditor certification takes time and effort, and professional training courses for the CISA exam can help all that hard work pay off. Paid training is also a great option if you’re looking to get certified quickly or want extra assistance mastering the concepts covered on the exam.
Live CISA Boot Camp
Live online or in-person boot camps offer a premium CISA training experience. For example, the Infosec CISA Boot Camp provides comprehensive training for your CISA certification in less than a week.
The benefits of a live CISA Boot Camp include:
- Live instruction: Boot camps allow interaction with instructors and peers with useful industry or exam experience to share.
- Complete certification package: Infosec boot camps include everything you need, such as training materials, exam vouchers and other resources, at no additional cost.
- High pass rates: Boot camps prepare you to pass the exam on your first attempt, and Infosec boot camps come with an Exam Pass Guarantee.
Learn more about live CISA Boot Camps.
Self-paced CISA training
Some people absorb new knowledge better when they study at their own pace. Others have hectic lifestyles that don’t fit traditional class schedules. Paid CISA training, like the self-paced CISA courses from Infosec, lets you create your own learning schedule.
The benefits of on-demand CISA training include:
- Train at your own pace: Train when it’s convenient for you — whether that’s 30 minutes over your lunch or a few hours on the weekend.
- Test on your schedule: With a self-study approach, you can take the exam when you feel ready.
- Prepare at your speed: With on-demand training, you can take your time preparing for your CISA exam.
Learn more about self-paced CISA training.
CISA comparisons and alternatives
CISA certification is designed to help you open more job opportunities, but it is not the only option available. Here is how CISA certification stacks up to other related certifications.
CISA vs. CISSP
Both the CISA and CISSP certifications have recommended experience levels of five years, are for mid-level professionals and have great salary potential. However, CISA is geared more towards auditing and the broader fundamentals of network and security, while the (ISC)² Certified Information Systems Security Professional (CISSP) certification covers the more technical, hands-on engineering aspects. The CISSP exam may be more difficult than the CISA for some candidates since it covers a broader range of topics.
CISA vs. CISM
While both the CISA and CISM certifications are offered by ISACA, the ISACA Certified Information Security Manager (CISM) certification is a managerial credential, whereas the CISA is focused on more hands-on information security auditing. CISM holders typically go on to jobs managing entire departments, while CISA is more appropriate for mid-level practitioners and managers who want to better understand information auditing, risk and security controls. CISA can also be a good stepping stone to eventually taking the CISM exam.
CISA vs. CRISC
While both the CISA and CRISC certifications require a fair amount of analytical skill, the main difference between CISA and the ISACA Certified in Risk and Information Systems Control (CRISC) certification is simple: CISA focuses on auditing and CRISC focuses on risk management. CISA is primarily for auditors to prove their skills, but like CISM, CRISC deals with a broader scope of cybersecurity, which makes it a better manager-level certification with a higher annual salary.
CISA vs. CASP+
CASP+ is an advanced-level certification offered by CompTIA. Although the exam will test you on knowledge related to compliance, governance and risk, the certification as a whole falls more in line with security engineering and architecture than CISA, which focuses on IT auditing.
CISA vs. CEH
The Certified Ethical Hacker (CEH) certification by the EC-Council is among the most popular certifications for entry-level cybersecurity professionals. The credential validates that you can “think like a hacker” and use the tools a malicious attacker would use during an attack. Many CEHs pursue careers as penetration testers, malware analysts, and security analysts.
It can be useful for understanding how attackers gain access to systems with improper controls, but the CEH is not focused on auditing like the CISA certification is.
Explore Infosec certifications to find the best fit for your career goals.