Editor’s note: The ISACA Now blog is featuring a three-part series from Patrick Trierweiler focused on what early-career professionals can do until they have the required experience to obtain the CISA certification. See below for part one of the series, with the second and third installments to come each of the next two weeks.
This blog series is focused on teaching early-career professionals and those who recently transitioned to IT audit, assurance and compliance how to set themselves up for success when it comes to planning, studying for and passing the CISA—a milestone certification for several disciplines within the compliance space. I will include tips and tricks learned personally as well as from other professionals with 0-5 years in the IT compliance space on what worked for us and what we could have done better. During this first part, we will explain what the CISA is, why you most likely want to have one and how early you can obtain your CISA.
What is the CISA?
ISACA’s Certified Information Systems Auditor (CISA) is the information system audit, assurance and security certification. It touches on several topics in related domains that we will discuss later that enable it to be useful to internal, Sarbanes-Oxley (SOX), ISO, PCI, SOC and HITRUST audit, among other disciplines. CISA is a household name as the certification has been around for 45 years, with more than 190,000 people achieving the certification since its inception in 1978. The certification’s requirements and content have grown and changed with information systems themselves as well as expanded to make the certification very versatile and able to be leveraged in a number of fields. The current domains are the following:
- Domain 1 - Information System Auditing Process
- Domain 2 - Governance and Management of IT
- Domain 3 - Information Systems Acquisition, Development and Implementation
- Domain 4 - Information Systems Operations and Business Resilience
- Domain 5 - Protection of Information Assets
Its versatility and many decades as a globally respected credential give CISA an advantage and a level of brand recognition that makes it a requirement for many upper-level positions, and it can be used to reduce the experience requirements for other certifications. Everyone, from your company’s controller to your service delivery managers to even your least experienced recruiters, know the CISA, and that’s why there is a major push to achieve it. The problem is that it takes several years to gain the experience required and pass the CISA. So, how do you figure out when and how to get the CISA, and what should you do in the meantime?
When can you take the CISA?
Before we figure out what to do while you wait, we should discuss how long you have to wait. If you read ISACA’s exam candidate guide, you see that you need five years of related experience in the last decade before you can certify your CISA after passing the exam. You can pass the exam early and just wait until you have the required experience, but there are methods of getting certified without waiting the five years. These are communicated not on the website but in the CISA application itself. The most common methods for people early in their career can be found below:
- General work experience waiver for one year: If you have experience with “general information systems or general audit work,” that counts as a one-year waiver. I, for example, worked as an IT intern for a year. This also works for the many accounting majors that jump to IT audit after a year of doing financial audit.
- Education experience waivers for a maximum of three years: If you have a general associate's degree, a bachelor’s in a related field, or a master’s in a related field, that counts for one to three years, respectively.
You can do this for a combination of three total years, meaning that you can be certified with only two years of the necessary work experience—which is much better for promotions, certification bonuses and, if you are open to new opportunities, certification reimbursement clauses.
