The CISA certification (Certified Information Systems Auditor) is ISACA's globally recognized credential for professionals who audit, control, and secure information systems. It validates practical skill in IT audit, governance, systems acquisition, operations, and protecting information assets, and is widely required for IT audit and assurance roles.
What is the CISA certification?
CISA is a vendor-neutral certification aimed at IT auditors, audit managers, compliance analysts, and security professionals who assess whether an organization's technology controls actually work. Rather than testing product knowledge, CISA measures audit logic, prioritization, and scenario-based judgment, which is why hiring managers treat it as proof that a candidate can evaluate risk and controls in the real world. It sits alongside ISACA's other credentials such as CISM and CRISC but focuses specifically on the audit and assurance discipline.
Since its inception in 1978, more than 200,000 professionals have earned the CISA certification worldwide (ISACA, 2026), making it one of the most established IT audit credentials in the industry.
CISA exam format and the five domains
The CISA exam consists of 150 multiple-choice questions delivered over a four-hour window. It is scored on a scale from 200 to 800, and you need a scaled score of 450 or higher to pass. Questions are organized across five job-practice domains, each carrying a fixed weighting toward your final score.
- Domain 1 - Information Systems Auditing Process (18%): planning and executing audits based on standards and risk.
- Domain 2 - Governance and Management of IT (18%): IT strategy, policies, structures, and resource management.
- Domain 3 - Information Systems Acquisition, Development and Implementation (12%): project management, controls, and system deployment.
- Domain 4 - Information Systems Operations and Business Resilience (26%): operations, incident response, backups, and continuity.
- Domain 5 - Protection of Information Assets (26%): security controls, identity, encryption, and physical safeguards.
Note that Domains 4 and 5 together account for 50% of the exam, so operations, resilience, and information protection deserve the largest share of your study time.
How much does the CISA certification cost?
The CISA exam registration fee is US$575 for ISACA members and US$760 for non-members. After you pass, a one-time US$50 application processing fee applies when you submit your certification application. Because ISACA membership unlocks the lower exam price plus discounted study materials, many candidates find that joining before registering roughly pays for itself.
Ongoing costs matter too. Once certified, you pay an annual maintenance fee of US$45 for members or US$85 for non-members, and you must budget for training or resources to earn your required continuing professional education (CPE) hours.
CISA experience requirement and maintenance
CISA has a substantial experience requirement: you must demonstrate five years of professional experience in information systems auditing, control, or security, earned within the 10 years before your application or within five years of passing the exam. Waivers can reduce this by up to a maximum of three years. For example, a relevant bachelor's or master's degree can substitute for up to two years, and other combinations of education and experience may also apply.
You can sit the exam before you meet the experience requirement, then apply for the certification once you qualify. To keep the credential active afterward, you must earn a minimum of 20 CPE hours each year and at least 120 CPE hours over every three-year cycle, in addition to paying the annual maintenance fee and adhering to ISACA's Code of Professional Ethics.
CISA salary and career value in 2026
CISA is consistently ranked among the highest-paying IT certifications. Reported averages vary by source and region, from roughly US$110,000 per year on ZipRecruiter data to around US$149,000 in surveys of top-paying certifications, reflecting differences in seniority, location, and job title. Common roles for CISA holders include IT auditor, IT audit manager, information security auditor, compliance manager, and risk analyst.
ISACA does not publish an official pass rate, but industry analysis suggests roughly 50% of first-time candidates pass, which is why structured preparation and realistic practice exams are essential.
How to prepare for the CISA exam in 2026
Most successful candidates study for three to six months, and the majority report needing more than six weeks of focused preparation. Because CISA rewards judgment over memorization, your plan should combine conceptual study with heavy practice on scenario-based questions.
- Download the official CISA Exam Content Outline and map your study time to the domain weightings.
- Work through a structured review course that explains audit reasoning, not just definitions.
- Prioritize Domains 4 and 5, since together they make up half of the exam.
- Take full-length, timed practice exams to build stamina and identify weak domains.
- Review every wrong answer to understand the audit logic behind the correct choice.
Treat practice exams as your primary feedback loop. Aiming to consistently score comfortably above the 450 passing threshold on realistic mock tests is the clearest signal that you are ready to book the real exam.