
More than 207,000 professionals worldwide have earned the ISACA CISA, and it’s still the credential hiring managers list first for IT audit and compliance roles. That’s not nostalgia; it’s market reality. With the 2024 exam update folding in AI governance, cloud security, and expanded incident management, the CISA now maps directly to what organizations are actually wrestling with. If you’re building a career at the intersection of IT risk and enterprise governance, this is the credential that opens doors.

What Is CISA Certification?

The Certified Information Systems Auditor (CISA) is issued by ISACA, a global professional association founded in the early days of electronic data processing auditing. The credential launched in 1978 and has grown to more than 207,000 holders worldwide, making it one of the most widely recognized credentials in IT audit and information security.

What separates CISA from general security certifications is its audit-first orientation. Where credentials like CISSP emphasize security architecture and management, CISA trains professionals to evaluate, test, and report on IT systems from an independent assurance perspective. That’s a distinct skill set, one that regulators, boards, and external auditors specifically seek out. The current exam content outline took effect August 1, 2024, incorporating cloud computing, data privacy frameworks, and AI-driven systems into a modernized five-domain structure.

Who Should Get CISA Certified?

Four profiles consistently get the most value from this credential.

IT Auditors and Internal Audit professionals are the core audience. If you’re already executing audits and want the credential that makes you competitive for senior roles or leadership tracks, CISA is the direct path.

Compliance and Risk Managers who need to evaluate IT controls against SOX, HIPAA, or GDPR requirements will find CISA’s governance and risk domains map directly to their daily work.

Information Security professionals moving toward advisory or GRC roles benefit from the audit perspective CISA builds; it’s a different lens than pure technical security work, and one that’s increasingly valued.

Big 4 and consulting professionals at early-to-mid career stages often pursue CISA to anchor their advisory credibility in regulated industries like financial services and healthcare.

Who shouldn’t pursue it: entry-level candidates without a realistic path to five years of relevant experience, and technical practitioners who want hands-on penetration testing or architecture work rather than governance and assurance. CISA is a practitioner credential for experienced professionals; it’s not a career-starter.

CISA Exam Domains and Weights

The CISA exam covers five domains weighted to reflect what IT auditors actually spend their time on. Domains 4 and 5 carry the most weight at 26% each, meaning that roughly half the exam focuses on operational resilience and information asset protection. Domain 1 accounts for 18%, Domain 2 for 18%, and Domain 3 for 12%.

CISA Exam Cost, Format, and Pass Score

The CISA is a 150-question, linear, multiple-choice exam delivered over four hours through PSI testing centers or remote proctoring. The passing score is 450 on a 200–800 scale. Total investment runs from roughly $670 (member exam fee plus application) to over $4,000 for a non-member boot camp path.

CISA Salary and Job Outlook 2026

CISA holders earn a national median around $115,600 according to Infosec’s October 2025 aggregation of Payscale, Salary.com, and Glassdoor data, with senior professionals in high-demand markets reaching $130,000–$150,000. The U.S. BLS projects 29% growth for Information Security Analysts through 2034. Financial services, government, and healthcare lead hiring demand.

CISA Requirements: Experience and Eligibility

The core requirement is five years of professional experience in information systems auditing, control, or security, with at least two of those years in a recognized CISA job practice domain. You can sit for the exam before meeting the experience requirement, but you have five years post-exam to complete it. As of July 2025, ISACA introduced a CISA Associate designation for exam passers who are still building their experience hours.

ISACA allows up to three years of substitutions, which makes the credential more accessible than the five-year headline suggests:

  • 2-year waiver: Master’s degree in IS, computer science, or a related field
  • 2-year waiver: Bachelor’s degree in information systems or IT
  • 1-year waiver: Associate’s degree equivalent (60 semester hours)
  • 1-year waiver: IT Audit Fundamentals certificate or CCAK
  • 1-year waiver: Non-IS auditing experience or general IS work experience

Honest timeline: if you’re starting from scratch with a relevant bachelor’s degree, you’re realistically three to four years away from eligibility: two years of experience after a two-year waiver. If you already have three to five years in the field, you’re likely within reach now.

How to Study for CISA: Resources and Plan

Most candidates invest around 100 study hours before sitting, with a first-attempt pass rate of approximately 50%. The key decision isn’t which book to read; it’s whether you need structure. Self-study works for disciplined candidates with relevant experience; boot camps (two weeks, ~40 hours/week) suit experienced professionals on a deadline.

What Changed in the CISA 2024 Update

The August 1, 2024 exam content outline is the current version. No further updates have been announced as of early 2026.

The most significant structural change was Domain 4 (Information Systems Operations and Business Resilience) increasing from 23% to 26%, and Domain 1 (Information System Auditing Process) decreasing from 21% to 18%. Domain 5 stayed at 26%. The practical effect: operational resilience questions now receive more emphasis than the audit methodology fundamentals that anchored earlier versions of the exam.

Content additions focused on cloud computing, data privacy (GDPR, CCPA), AI-driven systems, automation, and expanded incident management. No domains were eliminated; the update redistributed emphasis within the existing five-domain structure. Study materials published before August 2024 cover the fundamentals but will be misaligned on domain weights and miss the AI/cloud content additions. The Sybex study guide covering 2024–2029 objectives and ISACA’s own 28th Edition Review Manual are the current-aligned options.

How AI Is Changing IT Audit Careers

AI is hitting the IT audit profession from two directions at once. On the upside, AI-powered tools are enabling continuous monitoring and more sophisticated anomaly detection, raising the ceiling for what a lean audit team can cover. On the downside, AI introduces a new category of audit risk: opaque model decision-making, inaccurate outputs, and “Shadow AI” deployments that bypass IT controls entirely.

That second category is why ISACA flagged AI governance as a top priority for internal audit functions in 2025. Organizations need professionals who can evaluate AI systems against governance frameworks, assess explainability and accountability controls, and identify risks that traditional audit approaches weren’t built to catch. The 2024 CISA update added AI-driven systems and automation explicitly to the exam content, a signal that ISACA is treating this as a core competency, not a specialty topic.

The honest outlook: AI won’t replace IT auditors. It will replace auditors who don’t develop AI literacy. CISA holders who build working knowledge of AI governance frameworks are positioned to take on higher-value advisory work as organizations struggle to govern systems they don’t fully understand.

Is CISA Worth It in 2026?

Yes, if you’re targeting IT audit, GRC, or compliance leadership roles. The median salary premium is real, the credential is required (not just preferred) for a significant share of senior IT audit postings, and the 2024 update keeps it current. CISM is the closest competitor for professionals weighing lateral moves.

How to Get CISA Certified: Step by Step

  1. Confirm you meet (or have a path to) the five-year experience requirement at isaca.org.
  2. Join ISACA to access member pricing ($575 vs. $760 for the exam).
  3. Build your study plan: 100 hours average; 12 weeks at 8 hours/week is a common working-professional track.
  4. Register and schedule your exam through PSI.
  5. Pass with a score of 450 or higher, then submit your certification application with the $50 non-refundable processing fee.
  6. Maintain the credential with 20 CPE hours annually and annual maintenance fees ($45 for members, $85 for non-members).

The CISA is a serious credential that rewards serious preparation. If you’ve got the experience and the discipline to study, the return is there.


This article was written under GAIO Integrity Lock. All statistics and cost figures are sourced from the citations listed below. Salary figures represent multi-source aggregations and vary by employer, location, and experience level. Verify current exam fees, eligibility requirements, and CPE policies directly at isaca.org before making decisions, as ISACA policies are subject to change without notice.


Reference Resource List

  1. ISACA CISA Certification Overview
  2. ISACA CISA 2024 Exam Update Press Release
  3. ISACA CISA Costs FAQ
  4. Infosec Institute: Average CISA Salary
  5. ZipRecruiter: CISA Salary
  6. Cybrary: CISA Certification Salary Insights
  7. Payscale: CISA Salary Research
  8. KnowledgeHut: CISA Salary Guide
  9. Coursera: CISA Salary Overview
  10. U.S. Bureau of Labor Statistics: Employment Projections 2024–2034
  11. ISACA Now Blog: IT Certifications and Salaries
  12. Cyberkraft: ISACA Official CISA Boot Camp
  13. Career Camps: ISACA Official CISA Certification Camp
  14. Udemy: CISA Cert Masterclass
  15. MeasureUp: CISA Practice Test
  16. Wiley/Sybex: CISA Study Guide 2024–2029

Author

Tech Jacks Solutions
