The Certified Information Systems Auditor (CISA) is one of the most respected credentials in IT audit and cybersecurity. It's issued by ISACA—formerly the Information Systems Audit and Control Association—and has been the benchmark for IS audit professionals since 1978. But before you can put those four letters after your name, you need to meet ISACA's eligibility requirements.
Here's the upfront answer: almost anyone can take the CISA exam. You don't need to meet experience requirements before registering or sitting for the test. ISACA separates exam eligibility from certification eligibility. You can register, study, and pass the exam first—then fulfill the work experience requirement afterward to earn the actual credential.
This guide breaks down everything you need to know about CISA exam eligibility, the experience requirement for full certification, education substitutions, and how to navigate the application process.
ISACA allows candidates to register for the CISA exam without first demonstrating eligibility. This is an important distinction. You can sign up, pay the exam fee, and sit for the test regardless of your current experience level.
Where eligibility comes in is when you apply for the CISA designation after passing. That's when ISACA verifies your professional background. If you pass the exam but haven't yet accumulated enough work experience, you can hold your passing score for up to five years and apply for the certification once you've met the requirements.
This structure makes the CISA accessible to students, early-career professionals, and career changers who want to demonstrate commitment to the field while they're still building experience.
To earn the CISA certification (not just pass the exam), you need five years of professional work experience in IS audit, control, assurance, or security. That five-year requirement covers the full scope of what CISA tests—it's not limited to audit roles alone.
ISACA defines qualifying experience across the five CISA job practice domains:
Your work experience doesn't have to span all five domains. Most candidates accumulate experience concentrated in two or three areas, particularly audit and security operations. ISACA accepts any combination of experience across these domains as long as the total reaches five years.
ISACA allows certain educational credentials to substitute for up to three years of the five-year experience requirement. This significantly lowers the barrier for candidates who are newer to the field or transitioning from academia.
The substitutions are:
The maximum substitution is three years. You always need at least two years of actual IS audit or security work experience, regardless of your educational background. A graduate degree alone doesn't make you eligible—real-world experience in the relevant domains is a non-negotiable minimum.
ISACA requires that qualifying experience be "information systems auditing, control, or security work." In practice, many roles qualify—some more directly than others.
Directly qualifying roles include:
Roles that may partially qualify:
ISACA reviews experience claims when you apply for certification. If your role doesn't have "IT audit" in the title but involves substantial IS control or security work, document your responsibilities carefully. ISACA evaluates the substance of what you did, not just the job title.
Experience must have been gained within the 10 years immediately preceding your certification application, or within five years after passing the exam.
This distinction trips up a lot of candidates. Let me be specific:
Passing the CISA exam demonstrates you have the knowledge and skills tested in the five domains. It's a substantial achievement—the exam is rigorous and has a pass rate that ISACA doesn't publish, though independent surveys suggest it's around 50–65% for candidates who prepare adequately.
Earning the CISA certification additionally requires meeting the five-year work experience requirement (with allowed substitutions), adhering to ISACA's Code of Professional Ethics, and completing the application process.
If you pass the exam today but only have three years of qualifying experience, you're not yet a CISA. You hold a passing score. You can apply for the certification once you've completed two more years in a qualifying role. ISACA gives you five years from your exam pass date to complete the certification requirements.
Applying is straightforward. Here's the process:
Step 1: Create an ISACA account. Go to isaca.org and create a member or non-member account. ISACA members pay a lower exam fee, so if you're serious about the CISA (and potentially other ISACA credentials like the CISM or CRISC), membership often pays for itself.
Step 2: Register for the exam. ISACA administers the CISA as a computer-based test through PSI exam centers and online proctoring. Exam windows are offered throughout the year. After registering, you'll receive authorization to schedule your testing appointment.
Step 3: Pay the exam fee. ISACA members pay approximately $575; non-members pay approximately $760. Fees are updated periodically—check isaca.org for current pricing.
Step 4: Schedule your appointment. Through PSI's scheduling system, find an available testing date and location. Online proctoring is also available if you prefer to test from home.
Step 5: Study and sit for the exam. The CISA exam contains 150 multiple-choice questions. You have four hours. Read our CISA exam prep guide for study strategies and resources.
Once you've passed the exam and have sufficient work experience, submit your CISA certification application through ISACA's website. You'll need to:
ISACA reviews applications and may follow up with questions. Most applications are processed within a few weeks. Once approved, you'll receive your CISA designation and can use the certification mark.
The CISA isn't a one-time achievement. To keep it active, you must earn continuing professional education (CPE) hours and pay an annual maintenance fee.
ISACA requires 120 CPE hours over each three-year renewal period, with a minimum of 20 CPE hours per year. CPE can come from a wide range of activities: attending conferences, completing training courses, writing articles, volunteering in professional organizations, or participating in ISACA chapter activities.
If you let your CISA lapse for non-payment or failure to complete CPE, you can reinstate it—but the process involves back fees and demonstrating CPE compliance.
Explore our CISA training programs guide for CPE-eligible education resources.
Recent graduate with a computer science degree and one year of IT work: You can take the exam. With a bachelor's degree (2-year substitution) + 1 year of qualifying experience, you have 3 of the 5 required years. You'd need 2 more years of qualifying work experience before applying for the certification. Take the exam now, hold your passing score, and apply when you're eligible.
Experienced IT auditor with 7 years but no degree: You're eligible. Seven years of qualifying experience exceeds the five-year requirement with no substitutions needed. You can apply for the certification immediately after passing the exam.
Cybersecurity analyst with 4 years in security roles: Likely eligible or close to it, depending on the IS control components of your work. Security analyst roles typically qualify under Domain 5 (Protection of Information Assets). Document your responsibilities carefully when applying.
Career changer from financial audit with IS audit exposure: Financial auditors who perform IS components (SOX IT controls, system change testing) often have qualifying experience. ISACA will evaluate the IS audit content of your work—not just the job title. Detail your IS-specific responsibilities in your application.
Understanding how CISA compares to similar credentials helps you decide whether it's the right investment for your career path. Read our detailed CISA career overview for salary data, job roles, and industry demand.
The CISM (Certified Information Security Manager), also from ISACA, targets security management rather than audit. If your role is more about security program management and less about audit and assurance, CISM may be more directly relevant.
The CRISC (Certified in Risk and Information Systems Control) focuses on IT risk. Some professionals hold both CISA and CRISC—the credentials are complementary for risk and audit roles.
The CIA (Certified Internal Auditor) is broader, covering all internal audit functions. For professionals who audit IS as part of a broader internal audit role, holding both CIA and CISA is common in large enterprises.
For a deeper look at exam structure, domain weights, and how to study, check out our full CISA certification guide.