Is the CISA Worth It?

The prevalence of corporate data breaches is increasing at an alarming rate. Facebook, Tik Tok, and Microsoft have all been hacked recently. All three of these breaches (and many more) resulted from misconfigured security or poor security standards. In other words: they were preventable. In fact, up to 93% of hacks are caused by negligence.

With the preponderance of preventable data breaches, it is no wonder that enterprises are searching for experienced system auditors to neutralize possible threats to their systems. But how can any enterprise confidently hire an IT auditor to prevent tragedies before they occur?

This is where the Certified Information Systems Auditor (CISA) certification comes into play. Along with the CISSP, the CISA is a gold-standard certificate for IT auditors. While it may be considered a gold-standard for IT Auditors, the CISA certificate may not alig

n with your short-term or long-term goals. Let's discuss what it means to be CISA certified, what the test covers, and who should take the exam.

What is CISA Certification?

The Information Systems Audit and Control Association (ISACA) is the governing body that administers the CISA certification exam. The purpose of the CISA certification is to ensure the test taker understands all subjects covered on the CISA syllabus. Specifically, there are five subjects outlined in the syllabus:

• IS (Information Systems) Auditing Process

• IT Governance

• IS Acquisition Development and Implementation

• IS Operations and Business Resilience

• Protection of Information Assets

By mastering these five areas of expertise, a CISA-certified individual should have the confidence and ability to conduct sophisticated IT audits on any corporate system.

As you can see, there are several categories, which is why the test is 150 questions long and takes four hours to complete. The CISA covers a diverse amount of topics, has a lengthy test time, and costs of $760 ($525 if you're an ISACA member). That may seem daunting, but if IT auditing is your bread and butter, then you should give it serious consideration. While the test is a major part of becoming CISA certified, it is not the only part of becoming CISA certified. Let's dig into the prerequisites and requirements to become certified.

CISA Certification Prerequisites and Requirements

One thing that you may notice is that the more prestigious the certification, the more gatekeeping is involved. The CISA certificate is no different. The first requirement mandated by ISACA is that an applicant must have five years of on-the-job experience. When ISACA states, "on-the-job training" they are referring to any day-to-day activity that falls into at least one of the five categories covered in the exam. With that being said, if you are right out of college, or just getting started in the IT industry, this certification may not be for you, yet!

However, if five years seems too long to wait, you don't necessarily have to wait that long. ISACA grants various waivers that can remove up to two years from that requirement. For instance, if the participant has an associates degree, then that's one year off the work experience. A Bachelor's degree slashes two years off the five year mandate, and a Master's degree in an IT related field takes three years off. Going to college can save you a lot of time. The caveat here is that the applicant needs to have graduated within the past 10 years.

Passing the CISA Exam

The next CISA certification prerequisite is an obvious one — actually taking and passing the exam. However, it should be noted that you can actually take the exam before meeting the required work experience. You will not actually be able to claim the certificate until the work experience time is met.

Complying with Information Systems Auditing Standards

As the saying goes, great power comes with great responsibility. Once an applicant has mastered all five of the areas of expertise, it is important that they wield their knowledge with integrity. That is why ISACA requires all applicants to comply with their standards. These standards include maintaining independence, objectivity, and thoroughness during an audit.

It is important to remember that these are more than just words. If any CISA-holder is caught breaking the standards, they are subject to disciplinary action by the ISACA board.

CISA Maintenance Fee and Professional Development

It should be noted that ISACA requires an $85 annual maintenance fee.  That price can be cut down to $40 by becoming a member of ISACA though. In addition to a maintenance fee, applicants are required to pursue twenty hours of Continuing Professional Education (CPE) a year. While this may seem daunting, it is sort of a blessing in disguise. CPE facilitates engagement with the IT auditing community, and encourages members to expand their professional horizon.

One of the best ways to earn CPEs is to attend conferences. The ISACA site always has interesting conferences that can be attended in-person or virtually. In addition to attending conferences, a CISA-certified individual can take online training, volunteer for ISACA, take journal quizzes, and more.

Now that we've touched on the numerous CISA cert prerequisites and requirements, let's take a look at some of the pros and cons with actually taking the exam.

Why You Should Take the CISA Exam

One of the biggest pros for getting a CISA cert is the expected salary increase. A typical CISA will range from $90,000 to $100,000 a year. That is a fantastic salary for an individual who may only be three or four years out of college. If you look at the CISA exam cost and experience sticker shock, understand that it is well worth it and will pay dividends in the long run.

A CISA certification meets the requirement of DOD Direction 8140. CISA certified folks who meet this requirement are given a huge leg up in a federal government job search. There is nothing quite like the job security of working for a federal organization such as the DHS.

CISA certification enjoys a stellar reputation within the IT community and will make you stand out from the rest of the pack.The level of commitment required to obtain and maintain CISA certification is highly respected. It shows you have the ambition and intelligence required of most leadership roles.

Why You Shouldn’t Take the CISA Exam

Becoming CISA certified takes a lot of commitment. Not only do you have to pay a huge price to take the exam, cover maintenance fees, and study for a difficult exam, but also complete mandated CPEs. Many people pass over the CISA exam because they do not have the time to prepare for such a commitment. Ultimately, it is up to you whether the opportunity cost lost by studying for the CISA exam is worth it or not.

Another well known — arguably better known — certification is the CISSP. The CISSP and the CISA certification have many crossovers, however, CISSP focuses more on the implementation, operation, and maintenance of secure information systems. The CISSP also tends to command a higher salary, so if your role is not strictly IT auditing, it may be an avenue worth pursuing instead.

Final Thoughts

So, is the CISA certification worth pursuing? If you are a junior or mid-level IT auditor, then it most certainly is. Similarly, if you are an internal auditor, IT consultant, project manager, or any cybersecurity professional then this certification is definitely worth pursuing.

The CISA certification is a highly marketable certification that will make you a top contender for companies looking for some peace of mind.