What Is A Certified Information Systems Auditor (CISA) Designation?



A CISA, or Certified Information Systems Auditor, is someone who is certified to audit information systems (computers and networks) and the internal controls that a company has put around them to protect them from attack and subsequent compromise.

What is a CISA Designation?

The CISA designation is assigned to those individuals who have passed a rigorous exam developed and administered by ISACA, also known as the Information Systems Audit and Control Association. These individuals are primarily employed to ensure that the controls an organization has put in place are effective and working as intended to protect the IT assets and sensitive information that the company is seeking to protect.

According to the ISACA, the CISA exam consists of 150 questions from 5 “domains”:

Domain 1—The Process of Auditing Information Systems (21%)
Domain 2—Governance and Management of IT (16%)
Domain 3—Information Systems Acquisition, Development and Implementation (18%)
Domain 4—Information Systems Operations, Maintenance and Service Management (20%)
Domain 5—Protection of Information Assets (25%)

Who Employs a CISA?

Actually, just about any firm can employ a CISA; however, it is typically larger firms that have more complex controls that need to be validated on a recurring basis. This is especially true if the company employing the CISA operates in a regulated industry such as banking (GLBA), healthcare (HIPAA), or retail (PCI DSS).

What is the Difference Between a CISA and CISSP?

According to the ISC2,

“The CISA certification, as its name implies, is about the audit of information systems. The CISSP is focused on the implementation, operation and maintenance of secure information systems. There is a slight overlap in content, but the primary focus is different. Both certifications are highly regarded by the industry, but each validates a different skillset, so it comes down to the kind of job being sought in the cybersecurity field – IT audit, or information security.”

As you can see, the CISSP focuses more on the security of an IT system itself, whereas the controls surrounding that system are the focus of the CISA.

Many would argue that the two certifications are complementary and give the individual holding the certifications a more holistic view of information system security as well as the controls that should be put in place to protect the system and the data that resides on it or passes through it.

Should I Get a CISA or CISSP Certification?

Really, this depends upon your career goals. Are you looking at becoming an auditor, or are you looking at becoming a systems administrator or security analyst? Deciding on your career path will go a long way in helping you determine which certification is the most appropriate for you to obtain.

Will the CISA Certification Help My Compensation?

In a word, yes!

According to a salary comparison:

“According to this recent IIA salary report, the 236 survey respondents with a CISA certification have an average salary of $105K, versus $65K for those without certification. This staggering statistic shows that the certification can make a huge difference in how much you get paid annually. What it doesn’t show, is that it also opens you up to positions you may not have been qualified for without the certification. But, more on that later.

This is only a rough comparison as there are many factors involved, including the number of years in the field, education level and type of companies they work for. But overall, the 61% premium is a big enough incentive for you to take the CISA certification seriously.”

Do I Have to Have a Degree to Get a CISA Certification?

No, but there are minimum work experience requirements. You need to have at least 5 years of work experience in a related field. College credit will count towards these years, but as an example, a Master’s degree will only substitute for 1 year of work experience.

With that being said, a degree in a related field such as accounting or information security will go a long way to helping you prepare for and pass the CISA exam.

Once I Have My Certification, Am I Done?

Unfortunately, no. Even after receiving your certification, you will have to earn and report a certain number of continuing professional education (CPE) hours to keep it. Per the ISACA:

“The CISA CPE policy requires the attainment of CPE hours over an annual and three-year certification period. CISAs must comply with the following requirements to retain certification:

  • Attain and report an annual minimum of twenty (20) CPE hours. These hours must be appropriate to the currency or advancement of the CISA’s knowledge or ability to perform CISA-related tasks. The use of these hours towards meeting the CPE requirements for multiple ISACA certifications is permissible when the professional activity is applicable to satisfying the job-related knowledge of each certification.
  • Submit annual CPE maintenance fees to ISACA international headquarters in full.
  • Attain and report a minimum of one hundred and twenty (120) CPE hours for a three-year reporting period.
  • Respond and submit required documentation of CPE activities if selected for the annual audit.”

Is a CISA Certification Worth the Work?

Yes!

A CISA certification helps with not only your career advancement, but also your general knowledge of IT controls and how to properly protect systems from compromise. While not as security focused as the CISSP certification, it will go a long way to improve your knowledge of the security industry as a whole and why organizations must put certain controls in place to protect their computing platforms.

Tom DeSot, EVP & Chief Information Officer of Digital Defense, Inc.

Tom DeSot is the Chief Information Officer of Digital Defense, Inc. He is charged with developing and maintaining relationships with influential industry and market regulators, identifying key integration and service partnerships and serving as the prime regulatory compliance resource for external and internal contacts. He also serves as the company’s internal auditor on security-related matters. Prior to joining Digital Defense, DeSot served as vice president of information systems for a mid-tier financial institution in San Antonio, TX. While there, he was responsible for managing numerous institution-wide projects ranging from information security initiatives, to the Y2K program and the installation and implementation of both home banking and bill pay products. DeSot also managed the institution’s ATM and debit card program, as well as all ATM network activities. DeSot holds a bachelor’s degree in applied arts and sciences from Texas State University and is a master’s candidate in information assurance at Southern New Hampshire University. He is heavily involved in San Antonio’s information security community and has served on the board of directors for the Alamo Chapter of the Information Systems Audit and Control Association and was a founding board member of the Alamo Chapter of the Information Systems Security Association. He is also a former Supervisory/Audit Committee Chairman for a mid-tier financial institution and now serves on their Board of Directors as the chairman of their Governance Committee. DeSot also serves on an information security curriculum advisory panel for Texas A&M University, San Antonio, is a member of the North San Antonio Chamber of Commerce IT Committee and has delivered classroom and symposium presentations on cybersecurity and cyber ethics at the University of Texas at San Antonio. He holds the National Security Agency’s INFOSEC Assessment Methodology Certification and is formally trained in the OCTAVE Risk Assessment Methodology.
