
CISA Exam Eligibility and Experience Requirements 2026

TL;DR
  • CISA requires five years of verifiable professional experience in information systems auditing, control, or security before certification is granted.
  • ISACA allows specific educational substitutions that can waive up to three of the required five years of experience.
  • The exam covers five distinct domains: know their exact names and relative weight before scheduling your test date.
  • CISA questions are scenario-based, testing judgment and best-practice reasoning rather than rote memorization of definitions.

Who Actually Qualifies for the CISA

The Certified Information Systems Auditor credential is issued by ISACA, and it sits at the intersection of IT audit, risk, and control. It is not an entry-level certification you pursue straight out of a computer science degree. ISACA designed it for practitioners who already work in, or closely alongside, information systems audit functions, and the eligibility rules reflect that intent clearly.

To sit the exam, there is no formal prerequisite beyond paying the exam fee and registering with ISACA. However, you cannot receive the CISA certification until you demonstrate five years of professional work experience in IS audit, control, assurance, or security. This is a critical distinction: passing the exam and earning the certification are two separate milestones. Many candidates schedule the exam while still accumulating experience, banking the passing score (which is valid for five years) while they complete the work history requirement.

Eligibility Timeline: You can pass the CISA exam before meeting the experience requirement. ISACA holds your passing score for five years, giving you time to complete the work history needed for full certification. Plan your registration with this window in mind.

If you are still weighing which certification path is right for your career, the comparison article on CISA vs CISSP: Which Certification Is Right for You breaks down how the two credentials differ in scope, audience, and employer demand. The CISA skews heavily toward audit and assurance; the CISSP leans into security architecture and management breadth.

Breaking Down the Five Years of Experience Requirement

ISACA is specific about what counts toward the five-year experience requirement. The work must be in one or more of these areas: information systems auditing, information systems control, information systems assurance, or information systems security. The experience must be verifiable: ISACA will ask you to submit documentation, and your employer may be contacted to confirm your role and responsibilities.

What Counts as Qualifying Experience

Qualifying experience is broader than many candidates initially assume. You do not need to hold a job title with the word "auditor" in it. Work in IT governance, IT risk management, IS security, and IT compliance functions can all qualify, provided the responsibilities align with the CISA domains. Specifically, experience that maps to the following areas is eligible:

  • Performing or reviewing IS audits and assessments
  • Designing or evaluating IT controls and control frameworks
  • Assessing risks related to information systems acquisition or development
  • Evaluating IT operations, change management, or business continuity programs
  • Implementing or auditing information asset protection programs

The experience does not need to be continuous. You can accumulate qualifying experience across multiple roles and employers over many years. ISACA accepts part-time work as well, though it is pro-rated: part-time experience is counted proportionally toward the full-time equivalent requirement.

Non-Qualifying Experience

Not all IT work qualifies. Pure software development, network engineering, helpdesk support, or systems administration roles, where audit, control, or assurance is not a primary responsibility, do not count unless you can clearly demonstrate that your specific duties within those roles directly involved IS audit or control activities. ISACA reviews applications and reserves the right to reject experience that does not meet the criteria.

Experience Substitutions and Waivers

ISACA recognizes that not everyone follows a linear path into IS audit, and it provides formal substitution options that can reduce, but not eliminate, the experience requirement. A maximum of three years can be substituted; the remaining two years must be actual qualifying work experience. No combination of educational credentials or substitutions waives the full five-year requirement.

Substitution type                                          Years waived             Notes
Two-year or four-year degree from an accredited university Up to 2 years            One year waived per two-year degree; two years per four-year degree
Master's degree in IS or a related field                   Up to 1 additional year  On top of the undergraduate degree waiver
One year of IS or non-IS auditing experience               1 year                   Non-IS auditing counts for one year only
Instructor experience in CISA-related content              Up to 1 year             Must be at a university or post-secondary level

For a complete and current rundown of the eligibility requirements, including how ISACA verifies experience, refer to the dedicated article on CISA Exam Eligibility and Experience Requirements 2026, which covers the 2026 application cycle specifics in detail.

Key Takeaway

The maximum experience you can substitute with education is three years. Plan to have at least two years of direct, verifiable IS audit or control work on your record before applying for certification; no combination of degrees changes this floor.

The Five CISA Domains You Must Master

The CISA exam is built around five domains. ISACA publishes the relative weight of each domain in its official exam content outline, and those weights shift occasionally. Understanding not just the domain names but the specific content areas within each domain is essential for targeted preparation. Here is what each domain actually demands from a candidate:

Domain 1: Information Systems Auditing Process

This domain tests your understanding of how to plan, execute, and report on IS audits in accordance with ISACA standards and guidelines. It is the foundation of the credential.

  • Audit planning, scoping, and risk-based audit approaches
  • Evidence collection and sampling techniques in an IS context
  • Communicating findings and following up on remediation
  • ISACA's own auditing standards, guidelines, and code of professional ethics

Domain 2: Governance and Management of IT

This domain covers how organizations govern IT to support business objectives and manage risk. Expect questions on frameworks, policies, and IT strategy alignment.

  • IT governance frameworks including COBIT
  • IT organizational structures, roles, and responsibilities
  • IT strategy, policies, and enterprise architecture
  • IT performance monitoring and management

Domain 3: Information Systems Acquisition, Development, and Implementation

This domain focuses on controls throughout the system development lifecycle and third-party acquisition processes. It is highly practical and scenario-heavy.

  • Project management and control practices for IS projects
  • SDLC phases, methodologies (waterfall, agile), and associated controls
  • Application controls versus general IT controls
  • Post-implementation review and system changeover strategies

Domain 4: Information Systems Operations and Business Resilience

This domain assesses your knowledge of IT operations management and the organization's ability to continue operating after disruption. Business continuity is a major sub-topic.

  • IT operations, problem management, and change management processes
  • Business continuity planning (BCP) and disaster recovery planning (DRP)
  • Database management, network infrastructure, and middleware from an audit perspective
  • Incident management and response processes

Domain 5: Protection of Information Assets

This domain addresses logical and physical controls that protect information assets. It overlaps with general security knowledge but filters it through an audit and assurance lens.

  • Access control concepts, authentication, and identity management
  • Network security controls including firewalls, IDS/IPS, and encryption
  • Data classification and information security policies
  • Physical and environmental security controls

Registration, Fees, and Scheduling Mechanics

ISACA administers the CISA exam through Pearson VUE testing centers globally, and the exam is also available in an online proctored format. Registration is completed through your ISACA account. ISACA members pay a lower exam fee than non-members, so it is worth calculating whether membership cost plus the member exam fee is less than the non-member exam fee. For most candidates pursuing this credential seriously, membership is cost-effective.

After passing, you must submit your certification application within five years of your exam date. The application includes a detailed work history, and ISACA charges a separate application fee at that stage. Maintaining the CISA after certification requires earning Continuing Professional Education (CPE) hours each year and paying an annual maintenance fee. These ongoing costs are part of the total investment in the credential and should factor into your career planning.

Registration Strategy: Register for the CISA exam before your study preparation is complete; having a fixed exam date creates accountability. ISACA allows you to reschedule through Pearson VUE, though rescheduling fees apply within certain windows. Book early to secure your preferred testing location or online slot.

How CISA Questions Actually Work

The CISA consists of 150 multiple-choice questions delivered over four hours. Each question has four answer options. The challenge is not the format; it is the reasoning style that ISACA uses. Questions are almost never straightforward knowledge recall. Instead, they present realistic audit scenarios and ask you to identify the best course of action, the most important consideration, or the primary control weakness.

This means two or three of the four answer options will often be defensible in isolation. ISACA is testing whether you understand the hierarchy of auditor responsibilities and ISACA's own professional standards. The answer that reflects what a competent IS auditor would do first, or consider most critical, is the correct one, even if another option sounds reasonable in a vacuum.

For example, a Domain 1 question might describe a situation where an auditor discovers a material control weakness late in an engagement. The question asks what the auditor should do first. Four options might include: continuing the audit, notifying management immediately, documenting the finding in the working papers, and escalating to the audit committee. Understanding ISACA's auditing standards, which this domain explicitly tests, is the only way to select the right answer confidently.

Practicing with realistic CISA-style questions is the fastest way to calibrate your judgment to ISACA's reasoning framework. The CISA practice test platform at cisatest.web.app provides scenario-based questions mapped to all five domains, giving you targeted exposure to the question style before exam day.

Who Hires CISA Holders and Why It Matters

Understanding the employer landscape shapes how you position your study priorities and which domains you emphasize in your work experience documentation. The CISA is not a generalist IT credential; it carries specific hiring signal in clearly defined sectors.

Core Hiring Sectors

  • Public accounting and advisory firms: The Big Four and mid-tier accounting firms actively recruit CISA holders for IT audit practices. These roles require deep competency in Domain 1 (IS Auditing Process) and Domain 2 (Governance and Management of IT), as engagements follow formal audit standards and governance frameworks.
  • Financial services: Banks, insurance companies, and asset managers operate under heavy regulatory scrutiny. They hire CISA holders to assess controls over financial reporting systems, cybersecurity frameworks, and third-party vendor risk, all areas tied to Domains 2, 4, and 5.
  • Healthcare organizations: HIPAA compliance and electronic health record system controls create strong demand for IS auditors with CISA credentials. Domain 5 (Protection of Information Assets) is particularly relevant in this sector.
  • Government and public sector: Federal agencies and state governments require rigorous IT controls assessments. CISA holders fill roles in inspector general offices, government accountability functions, and internal audit departments.
  • Internal audit departments: Large enterprises across all industries have built-out internal audit functions. The CISA credential is often listed as required or strongly preferred in internal audit manager and senior auditor job postings involving IT systems.

Domain Relevance by Employer Type: Financial services hiring tends to weight Domain 2 and Domain 4 knowledge heavily. Healthcare and government roles emphasize Domain 5 competency. Public accounting roles test all five domains equally, reflecting the breadth of external audit engagements.

Mapping Your Study Schedule to the CISA Domains

Generic study advice is easy to find. What is actually useful for CISA preparation is knowing how to sequence the domains, where to allocate the most study time, and how to build the scenario-reasoning skill the exam demands. Here is a practical eight-week framework that respects the domain complexity and the way CISA questions layer knowledge:

Week 1-2

Domain 1: IS Auditing Process + ISACA Standards

  • Read ISACA's IT Audit Framework (ITAF) standards sections
  • Practice audit planning and evidence evaluation scenarios
  • Anchor your understanding of auditor independence; this concept appears throughout all other domains

Week 3

Domain 2: Governance and Management of IT

  • Work through COBIT framework concepts at a practical level
  • Understand IT strategy alignment and how auditors evaluate it
  • Connect governance failures to audit findings from Week 1 concepts

Week 4

Domain 3: IS Acquisition, Development, and Implementation

  • Map controls to each phase of the SDLC
  • Distinguish application controls from general IT controls
  • Review project management risk and control concepts

Week 5

Domain 4: IS Operations and Business Resilience

  • Master BCP and DRP terminology and audit evaluation criteria
  • Review change management and incident management control frameworks
  • Practice operations scenario questions; this domain is heavily scenario-tested

Week 6

Domain 5: Protection of Information Assets

  • Focus on logical access controls and identity management from an audit standpoint
  • Review network security control testing techniques
  • Connect physical security controls to information asset risk

Week 7-8

Full-Domain Practice and Weak-Area Reinforcement

  • Take full-length timed practice exams covering all five domains
  • Analyze wrong answers for reasoning pattern, not just topic gap
  • Use the CISA practice test tool to drill domain-specific question sets in your identified weak areas

The spaced repetition principle applies here specifically at the domain level: revisit Domain 1 concepts during Week 5 and Week 7, because ISACA often embeds auditing process reasoning inside questions nominally about other domains. An operations scenario in Domain 4 will frequently ask what the auditor should do next, and that answer lives in Domain 1 knowledge.

For candidates still confirming their eligibility path while preparing, bookmarking the full CISA Exam Eligibility and Experience Requirements 2026 article will help you cross-reference your work history against ISACA's current criteria as you study. And when you are ready to benchmark your readiness, cisatest.web.app offers domain-mapped practice questions that mirror the scenario style of the actual exam.

Frequently Asked Questions

Can I sit for the CISA exam without any prior IS audit experience?

Yes. ISACA does not require you to have experience before sitting the exam, only before receiving the certification. You can register, pay the exam fee, and take the CISA at any time. If you pass, your score is held for five years while you complete the experience requirement.

Does a cybersecurity role count toward the CISA experience requirement?

It can, provided your specific responsibilities within that role involved information systems security in an audit, control, or assurance capacity. A pure penetration testing or security engineering role with no audit component is unlikely to qualify. Roles that involve evaluating security controls, assessing compliance, or advising on IS security policy generally do qualify.

How long is the CISA exam and how many questions does it contain?

The CISA exam consists of 150 multiple-choice questions, and candidates are given four hours to complete it. All questions are single-best-answer format. There is no penalty for guessing, so you should answer every question even if uncertain.

Which CISA domain is the most difficult for most candidates?

Difficulty is highly individual, but Domain 1 (Information Systems Auditing Process) and Domain 3 (IS Acquisition, Development, and Implementation) are frequently cited as the most challenging because they require integrating ISACA's auditing standards with practical judgment. Domain 3's SDLC control mapping is technical and detailed. Candidates with a non-audit IT background often find Domain 1 the steepest learning curve.

How do I document my work experience for the CISA certification application?

After passing the exam, you submit a certification application through your ISACA account. The application requires you to list each qualifying role with employer name, employment dates, job title, and a description of your IS audit or control responsibilities. ISACA may contact your employers to verify this information. Be specific and use language that maps clearly to the CISA domains; vague descriptions of general IT work are more likely to be questioned during review.
