Certified Information Systems Auditor

Certified Information Systems Auditor (CISA) is a professional certification for Information Technology Audit professionals sponsored by ISACA, formerly the Information Systems Audit and Control Association.[1] Candidates for the certification must meet requirements set by ISACA.

History

The CISA certification was established in 1978[2] for several reasons:

  1. Develop and maintain a tool that could be used to evaluate an individual's competency in conducting information system audits.
  2. Provide a motivational tool for information systems auditors to maintain their skills, and monitor the success of the maintenance programs.
  3. Provide criteria to aid management in personnel selection and development.

The first CISA examination was administered in 1981, and registration numbers have grown each year. As of 2010, over 79,000 candidates worldwide have earned the CISA designation since its inception.[2] It is one of the few certifications formally approved by the US Department of Defense in their Information Assurance Technical category (DoD 8570.01-M).[3] In 2009, SC Magazine named the CISA designation winner of the Best Professional Certification Program.[4]

In 2011, the CISA examination underwent its most significant update in a decade. The exam was revised from 6 domains to 5, and all domains were revised and updated in the process.[5]

Examination

The exam consists of 200 multiple-choice questions that must be answered within 4 hours. Candidate scores are reported as a scaled score, which is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. A scaled score of 800 represents a perfect score with all questions answered correctly; a scaled score of 200 is the lowest score possible and signifies that only a small number of questions were answered correctly. A candidate must receive a score of 450 or higher to pass the exam. As of 2011, the exam covers 5 content areas.[6]

Certification Subject Matter

The CISA certification covers subject matter in a variety of Information Security topics. The CISA examination is based on a series of job practices. Effective June 2011, ISACA identified a new CISA job practice that reflects the vital and evolving responsibilities of IT auditors:[7]

Domain 4—Information Systems Operations, Maintenance and Support (23%)

Domain 5—Protection of Information Assets (30%)

Requirements

As of 2011, candidates for the CISA must meet several requirements.[8] A minimum of 5 years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification. Substitutions and waivers of such experience, to a maximum of 3 years, may be obtained as follows:

  1. A maximum of 1 year of information systems experience OR 1 year of non-IS auditing experience can be substituted for 1 year of experience.
  2. 60 to 120 completed university semester credit hours (the equivalent of a 2-year or 4-year degree), not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years, respectively, of experience.
  3. A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience. To view a list of these schools, visit www.isaca.org/modeluniversities. This option cannot be used if three years of experience substitution and educational waiver have already been claimed.
  4. A master's degree in information security or information technology from an accredited university can be substituted for 1 year of experience.
  5. Exception: 2 years as a full-time university instructor in a related field (e.g., computer science, accounting, information systems auditing) can be substituted for 1 year of experience.

References

  1. "2011 CISA Job Practice Areas". ISACA. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Prepare-for-the-Exam/Job-Practice-Areas/Pages/2011-CISA-Job-Practice-Areas.aspx. Retrieved October 1, 2011.
  2. "CISA Certification". Information Systems Audit and Control Association. http://www.isaca.org/Template.cfm?Section=CISA_Certification&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=16&ContentID=43558. Retrieved July 28, 2008.
  3. "CISA and CISM among approved certifications for the new US DoD policy". Net-Security.org. June 1, 2006. http://www.net-security.org/secworld.php?id=4012. Retrieved September 29, 2009.
  4. "Best Professional Certification". SC Magazine. April 22, 2009. http://www.scmagazineus.com/best-professional-certification/article/130888/. Retrieved November 4, 2010.
  5. "Overview of 2011 CISA Domains". InfoSec Institute. March 16, 2011. http://resources.infosecinstitute.org/the-cisa-domains-an-overview/. Retrieved March 29, 2011.
  6. ISACA. CISA Review Manual 2011. Rolling Meadows, IL, 2010, p. v.
  7. "2011 CISA Job Practice Areas". Information Systems Audit and Control Association. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Prepare-for-the-Exam/Job-Practice-Areas/Pages/2011-CISA-Job-Practice-Areas.aspx. Retrieved October 1, 2011.
  8. "How to Become CISA Certified". ISACA. http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx. Retrieved October 1, 2011.