CISA (ISACA) · Certified Information Systems Auditor · Level: advanced

By The Exam Atlas Editorial Team · Verified 2026-06-06

Free CISA practice questions: 30 questions with full answer explanations. No sign-up required.

Overview

CISA (Certified Information Systems Auditor) is ISACA's flagship certification for IS and IT auditors. It validates that you can audit information systems, assess controls, and report on whether an organisation's IT supports its goals and meets compliance obligations.

The key contrast is with ISACA's own CISM: CISA is the auditor's view (examining and assuring controls, governance and compliance from the outside), while CISM is the security manager's view (building and running a security programme from the inside). CISA is the long-standing default for audit, assurance and compliance roles.

It requires five years of relevant audit, control or security experience to certify, though you can pass the 150-question exam first and apply for certification within five years.

✓ Who it is for

  • IS / IT auditors and aspiring auditors
  • Assurance, compliance and controls professionals
  • IT risk practitioners who assess rather than operate controls
  • External or internal audit staff (Big Four or consulting) moving into systems and IT audit
  • GRC, SOX or ISO 27001 control-testing specialists who want a globally recognised audit credential

✕ Who it is not for

  • People who want to build and operate security controls rather than audit them - CISM or a technical cert fits better.
  • Early-career candidates without audit/control exposure (five years' experience is required to certify).
  • Those who want a cheap, quick, entry-level certification.

Exam structure

  • Information Systems Auditing Process: planning and executing audits in line with standards
  • Governance and Management of IT: auditing IT governance, strategy and structures
  • IS Acquisition, Development and Implementation: auditing how systems are acquired, built and deployed
  • IS Operations and Business Resilience: auditing operations, continuity and disaster recovery
  • Protection of Information Assets: auditing security controls protecting data and systems

How the exam is weighted

  • Information Systems Auditing Process 18%
  • Governance and Management of IT 18%
  • Information Systems Acquisition, Development and Implementation 12%
  • Information Systems Operations and Business Resilience 26%
  • Protection of Information Assets 26%
Approximate official domain weighting - confirm the current split in the official exam objectives. Verified 2026-06-06.

What each domain covers

Information Systems Auditing Process
Audit planning aligned to risk · Execution against ISACA audit standards · Evidence, sampling and reporting findings
Governance and Management of IT
IT governance frameworks and strategy · Policies, structures and roles · IT-related risk management and resources
Information Systems Acquisition, Development and Implementation
Project governance and business cases · SDLC and acquisition controls · Testing, migration and post-implementation review
Information Systems Operations and Business Resilience
IT operations, change and problem management · Business continuity and disaster recovery · Backups, RTO/RPO and resilience controls
Protection of Information Assets
Logical and physical access controls · Network, data and endpoint security · Encryption, classification and incident response

Realistic study time

  • Working IS auditor (5+ years): 60-90 hours over 2-3 months
  • IT professional moving into audit: 100-150 hours

These figures show relative effort, not a guarantee. Your time depends on background and study method.

Turn this into a week-by-week schedule with the Study Plan Generator.

What it really costs

  • Exam fee: US$575 member / US$760 non-member (approximate; confirm on ISACA's site)
  • Application fee: ~US$50 (approximate; paid when applying for certification)
  • Retake: full exam fee again
  • Study materials: US$0-500 (ISACA review manual / question database, optional)
  • ISACA maintenance: annual fee plus CPE (member/non-member rates)

Fees change and vary by region. Confirm the current amount on the official site before you register.

Want your full out-of-pocket figure? Try the Cost Calculator.

Salary & career value

Indicative ranges for orientation only - not surveyed data, and not financial or career advice. Sources and date below.

CISA is the standard credential for IS audit and assurance, and pay reflects that. US holders in IT-audit and IT-risk roles commonly report roughly US$95k-150k, with senior audit managers higher, and the credential is frequently required for IS-audit postings.

Pass rate: Not published. ISACA does not release official pass rates for the CISA, so any numbers you find online are estimates from prep providers rather than verified figures. The published standard is the score, not a pass rate: results are reported on a scaled range of 200 to 800, and you need 450 to pass.

  • IT Auditor: ~$80k-115k
  • IT Risk / Controls Analyst: ~$90k-130k
  • IS / IT Audit Senior: ~$100k-135k
  • IT Audit Manager: ~$120k-160k
  • Director of IT Audit (with experience): ~$150k-200k+

Indicative annual pay (USD), each role's typical band on a shared scale.

Other markets (indicative)

  • United Kingdom: ~£50k-80k
  • Canada: ~CA$90k-135k

Jobs that often ask for it:

  • IS / IT Auditor
  • IT Audit Manager
  • Internal Auditor (IT)
  • IT Risk & Controls Analyst
  • Compliance / Assurance Lead

Is it worth it?

Worth it for people on the audit, assurance and compliance track, where CISA is the most recognised credential and frequently required for IS-audit roles. It is less suitable if you want to build and operate security controls rather than examine them - CISM or a technical certification fits that better.

Not sure this is the right exam for you? Compare your options with the Exam Finder.

What to do next

CISA suits the audit and assurance track. If you are weighing auditing controls against managing a security programme, compare CISA vs CISM before you commit.

On exam day

Delivered year-round via Continuous Testing at a centre or with remote proctoring (PSI/Pearson VUE); 150 multiple-choice questions in 4 hours. Government-issued ID required.

Keeping your certification

3-year cycle: earn and report 120 CPE hours (at least 20 per year) and pay ISACA's annual maintenance fee (member/non-member rates).

FAQ

CISA or CISM?
CISA is the auditor's credential - examining and assuring IT controls, governance and compliance. CISM is the manager's credential - building and running a security programme. Choose CISA for audit/assurance/compliance roles and CISM for security-management roles. Some professionals hold both.
Do I need experience for CISA?
Yes - five years of IS audit, control or security experience earned within the ten years before you apply. You can pass the exam first and apply for certification within five years of passing. Some waivers can substitute for part of the requirement.
How do I maintain CISA?
Earn Continuing Professional Education (CPE) credits - at least 20 hours each year and 120 hours over the three-year cycle - and pay ISACA's annual maintenance fee.
How hard is the CISA exam?
It is an advanced, 150-question, four-hour exam offered year-round through Continuous Testing. The challenge is thinking like an auditor: judging the adequacy of controls and evidence, not configuring technology.
How is CISA scored?
On a scaled range of 200 to 800, with 450 the passing mark. The scaled score is not a raw percentage, so you cannot simply convert it to questions answered correctly.
What jobs can CISA help me get?
IS / IT auditor, IT audit manager, internal auditor (IT), IT risk and controls analyst, and compliance roles. It is assurance-focused rather than hands-on security engineering.
How much does CISA cost in total?
The exam is about US$575 for members or US$760 for non-members, plus a roughly US$50 application fee, with optional review materials and ISACA's annual maintenance fee to keep it active. Confirm the current figures on ISACA's site.
