CISA (Certified Information Systems Auditor)

CISA (Certified Information Systems Auditor) is the flagship IT audit and control certification issued by ISACA, globally recognized as the standard credential for IT auditors, security auditors, and information systems control professionals. Earning CISA requires passing a 4-hour, 150-question exam (minimum 450/800), demonstrating 5 years of relevant work experience (with substitution options), agreeing to the ISACA Code of Professional Ethics, and committing to continuing professional education (CPE). CISA holders audit, control, monitor, and assess information systems and business processes in organizations worldwide.

What is CISA

CISA (Certified Information Systems Auditor) is the world’s most recognized IT audit certification, established by ISACA in 1978. With over 160,000 certified professionals globally (ISACA 2026), CISA is the de facto standard credential for IT auditors, information systems control professionals, and GRC (Governance, Risk, Compliance) specialists.

The certification validates expertise in:

  • Information systems auditing — planning, executing, and reporting on IS audits
  • IT governance and management — aligning IT with business strategy
  • Systems acquisition, development, and implementation — project risk management
  • Operations and business resilience — BCM, DR, change management
  • Protection of information assets — security controls, data privacy, compliance

Why CISA Matters in 2026

The regulatory landscape of 2026 makes CISA more relevant than ever:

  • DORA (Digital Operational Resilience Act) — EU financial sector, effective January 2025
  • NIS2 Directive — critical infrastructure cybersecurity
  • AI Act (EU) — AI system auditing requirements
  • GDPR / CCPA — ongoing data protection obligations
  • SOX — US public companies, ongoing
  • PCI DSS 4.0 — payment card industry

All these mandate formal IT audit and control functions — driving demand for CISA-certified professionals.

CISA Exam Structure

  • Format: 150 multiple-choice questions
  • Duration: 4 hours
  • Passing score: 450 out of 800 (scaled)
  • Delivery: Computer-Based Testing (CBT) at Pearson VUE centers + online proctored
  • Cost (2026): $760 ISACA member / $990 non-member
  • Languages: English, Spanish, French, German, Italian, Portuguese, Japanese, Korean, Chinese, Turkish, Hebrew
  • Retake policy: Up to 4 attempts per year

2024+ Exam Blueprint

Domain | Weight | Focus
1. Information System Auditing Process | 18% | Audit planning, execution, reporting
2. Governance and Management of IT | 18% | IT strategy, frameworks (COBIT), risk
3. IS Acquisition, Development, Implementation | 12% | SDLC, project risk, testing
4. IS Operations and Business Resilience | 26% | Operations, BCM, DR, change management
5. Protection of Information Assets | 26% | Security controls, privacy, compliance

CISA Certification Path

Step 1: Eligibility & Registration

  • 5 years relevant experience (with substitutions)
  • Register with ISACA, pay exam fee

Step 2: Preparation (3-6 months)

  • CISA Review Manual (official, ~1400 pages)
  • CISA QA&E Database (1000+ practice questions)
  • Accredited training partner courses (e.g., 5-10 day bootcamps)
  • Study groups and forums (Reddit r/CISA, LinkedIn groups)

Step 3: Pass the Exam

  • Schedule at Pearson VUE or online proctored
  • Score ≥ 450 required

Step 4: Apply for Certification

  • Submit experience verification (letters from supervisors)
  • Pay certification fee ($50 ISACA member, $75 non-member)
  • Commit to ISACA Code of Ethics and IS Auditing Standards

Step 5: Maintain Certification

  • CPE: 20 hours minimum per year, 120 hours over 3 years
  • Annual maintenance fee: $45 ISACA member, $85 non-member

Career Paths for CISA Holders

IT Audit Roles

  • Internal IT Auditor
  • External IT Auditor (Big 4, specialized firms)
  • IT Audit Manager / Director
  • Chief Audit Executive (CAE)

GRC Roles

  • IT Risk Officer
  • GRC Consultant
  • Compliance Manager
  • IT Risk Manager

Security Roles

  • Information Security Auditor
  • Security Control Assessor
  • SOC 2 Assessor

Leadership Roles

  • CISO (Chief Information Security Officer)
  • CIO (Chief Information Officer)
  • CPO (Chief Privacy Officer) — with privacy specializations

Salary Expectations (2026)

Region | Role | Salary Range
USA | Senior IT Auditor | $110-150K
USA | IT Audit Manager | $140-200K
UK | Senior IT Auditor | £75-110K
Germany | IT Audit Manager | €90-130K
Poland | Senior IT Auditor | 22-35K PLN/month net (B2B)
Poland | IT Audit Manager | 30-50K PLN/month

CISA salary premium: 15-25% over non-certified peers in the same role.

Complementary Certifications

Most common CISA pairings

  • CISM (Certified Information Security Manager) — ISACA, security management
  • CRISC (Certified in Risk and Information Systems Control) — ISACA, risk management
  • CGEIT (Certified in Governance of Enterprise IT) — ISACA, governance
  • CISSP (Certified Information Systems Security Professional) — (ISC)², broader security
  • ISO 27001 Lead Auditor — IRCA/PECB, ISMS-specific audits

Emerging complementary certs 2026

  • AI Audit certifications (ISACA AI Audit, emerging)
  • Cloud Audit specializations (AWS, Azure, GCP)
  • Privacy certifications (IAPP CIPP/E, CIPM)

CISA vs CISSP — Which Certification for IT Auditors?

A common dilemma for security professionals: CISA or CISSP? They overlap but target different career paths.

Aspect | CISA (ISACA) | CISSP ((ISC)²)
Focus | IT audit, assurance, control | Information security architecture & management
Target role | IT auditors, IS auditors, compliance | Security architects, CISOs, security managers
Exam | 150 questions, 4 hours | 100-150 questions, up to 6 hours, CAT format
Domains | 5 (Audit, Governance, Acquisition, Operations, Asset Protection) | 8 (Risk, Asset Sec, Architecture, Comms, IAM, Sec Ops, AppSec, Testing)
Experience req | 5 years IS audit/control/security | 5 years in 2+ of 8 domains
Exam cost | $575 member / $760 non-member | $749
CPE requirement | 120 hours / 3 years | 120 hours / 3 years
Job postings 2026 | ~35,000 (Indeed worldwide) | ~70,000
Salary impact | +15-25% | +20-30%
Pass rate | ~50-60% | ~40-50%

Choose CISA if: you audit IT systems, work in Big 4 / advisory, target IT audit / SOX / compliance roles.

Choose CISSP if: you architect security programs, manage security teams, target CISO / security architect roles.

Hold both if you’re transitioning from audit to broader security management — a common path for ISACA professionals after 5-7 years.

CISA 2026 Update — What’s New

ISACA released the CISA 2024 Job Practice Update (effective from the June 2024 exams and still current in 2026):

  • Domain 1 (Audit Process): emphasis on continuous auditing & data analytics
  • Domain 2 (IT Governance): AI governance frameworks added, ESG considerations
  • Domain 3 (Information Systems Acquisition): cloud SaaS/PaaS audit, supply chain (SBOM)
  • Domain 4 (Operations): zero trust architectures, container/Kubernetes audit
  • Domain 5 (Protection of Information Assets): privacy by design, AI risk

Practical implication: if your study materials are pre-2024, refresh them — exam questions explicitly test the new content.

Exam Day — Practical Tips From Recent Passers

Based on 12 successful CISA candidates we trained in 2024-2025:

  1. Learn ISACA’s perspective — the option that is often “right in the real world” is frequently the wrong answer; the correct answer is ISACA’s textbook position
  2. Practice 800+ questions — official QAE database plus 1-2 third-party banks (Mike Chapple, Kaplan)
  3. Domain 3 (Acquisition/Implementation) is the hardest — least intuitive, with the most distinct ISACA framing
  4. Time management — 4 hours / 150 questions = 96 seconds per question. Move on if stuck for more than 2 minutes
  5. Pearson VUE testing centers: book 2-3 weeks ahead and prefer mid-week morning slots
  6. Online proctored option: available, but with stricter rules — no breaks, single monitor, fully cleared desk

Frequently Asked Questions

What are the requirements for CISA certification?

Requirements: 1) Pass the CISA exam (150 questions, 4 hours, minimum 450/800 score). 2) 5 years of professional experience in information systems auditing, control, assurance, or security (max 3 years substitutable with university degree, teaching, or other ISACA certifications). 3) Adhere to ISACA Code of Professional Ethics. 4) Agree to Information Systems Auditing Standards. 5) Earn and report Continuing Professional Education (CPE) — 20 hours annually, 120 over 3 years.

How much does a CISA holder earn in 2026?

Global averages 2026 (ISACA, Global Knowledge salary reports): USA $120-170K, UK £75-110K, Germany €80-110K, Poland 18-32K PLN/month net (B2B). CISA adds a 15-25% salary premium over non-certified peers in the same role. Top-earning CISA roles: IT Audit Manager/Director, Information Security Manager, GRC Consultant, CISO, IT Risk Officer. Senior CISA holders in Big 4 consulting firms (Deloitte, KPMG, PwC, EY) command top-tier compensation.

What topics does the CISA exam cover?

The CISA exam covers 5 domains (weighted by the 2024+ exam blueprint): Domain 1 — Information System Auditing Process (18%). Domain 2 — Governance and Management of IT (18%). Domain 3 — Information Systems Acquisition, Development, and Implementation (12%). Domain 4 — Information Systems Operations and Business Resilience (26%). Domain 5 — Protection of Information Assets (26%). There is a strong focus on real-world audit scenarios, risk assessment, IT general controls, application controls, business continuity, and security assessment.

How long does it take to prepare for CISA?

Typical preparation time: 3-6 months self-study (10-15 hours/week) for experienced IT audit professionals, 6-9 months for newcomers. Intensive bootcamp programs (5-10 days full-time) require 1-2 months of follow-up practice. Official resources: CISA Review Manual (~1400 pages), CISA QA&E Database (1000+ practice questions), online review courses from ISACA-accredited training partners. Pass rate is approximately 50-60%.

Is CISA worth it compared to other cybersecurity certifications?

CISA is ideal for IT audit and governance career paths. Comparisons: CISA vs CISM (both ISACA) — CISA audits, CISM manages/leads security. CISA vs CISSP — CISSP is broader technical security, CISA is audit-focused. CISA vs ISO 27001 Lead Auditor — ISO certifies ISMS audits specifically, CISA is broader IT audit. For pure audit/GRC: CISA. For security management: CISM. For technical security architecture: CISSP. Many professionals hold multiple (CISA+CISM+CRISC is a common combination).