
CISA Certification Requirements: Eligibility & Prerequisites

Learn the three essential CISA certification requirements: the exam, work experience, and ethics. Understand waivers and plan your path to becoming a certified IS auditor.

Most candidates I talk to assume the CISA exam is the hard part. They’re wrong.

The real challenge isn’t passing 150 multiple‑choice questions. It’s proving you actually understand information systems auditing before ISACA awards the certification. The eligibility rules separate people who simply study well from those who’ve done the work.

To earn the CISA certification, you must satisfy three interconnected requirements: pass the CISA exam, demonstrate five years of professional experience in IS auditing, control, or security, and agree to ISACA’s Code of Professional Ethics. You can sit for the exam with zero prerequisites, but certification won’t be granted until the experience requirement is met. Waivers exist—up to three years can be substituted with education, other certifications, or related experience—so even early‑career professionals have a clear runway.

I’m Avinash Bajaj, a chartered accountant, CISA, and practicing IS auditor. I’ve mentored dozens of candidates through eligibility gaps and waiver strategy. Here’s exactly how the requirements work and where most candidates stumble.

CISA certification requirements at a glance

Requirement                Key Detail
Exam                       150 questions, 4 hours, passing score 450/800
Work experience            5 years in IS audit, control, or security
Experience substitutions   Maximum 3 years (education, other certifications, related experience)
Ethics                     Adhere to ISACA Code of Professional Ethics
Continuing education       20 CPE hours per year, 120 hours per 3‑year cycle

The exam is weighted 21% Audit Process, 16% Governance, 18% Acquisition, 20% Operations, and 25% Protection of Information Assets; nobody passes by memorizing one domain. But even a perfect score won’t certify you without the experience.

"You can ace the exam in four hours and still wait years for the certification if you haven't planned your experience accordingly."

The work experience requirement is the real gatekeeper

ISACA defines qualifying experience as hands‑on work in IS auditing, control, or security. That means performing, supervising, or managing risk‑based audits, IT governance assessments, system implementation reviews, or information protection activities. General IT administration or helpdesk roles rarely count.

Here’s the tactical decision rule I give every candidate: if your direct IS audit experience is under two years, you’ll need the full three‑year substitution to qualify. That forces you to stack a degree waiver (max 2 years), another ISACA certification or equivalent (1 year), and possibly non‑IS audit experience (1 year). Without at least two years of direct, verifiable audit work, certification isn’t possible.

If you have five solid years without gaps, skip the waiver math entirely. Most candidates I see are in the middle—three or four years of mixed experience plus a degree—and they just need to verify one or two substitution years.

A real IS audit scenario with waiver arithmetic

A compliance manager at a healthcare organization once asked me to assess her CISA eligibility. She had three years working in IT control oversight, a master’s in accounting, and no direct audit title. Her master’s degree could substitute two years of experience (education waiver maximum). One year from her controls oversight could apply as a related experience substitution. That left her needing two more years of direct IS audit work.

She rotated into the internal audit department part‑time, built those years, and certified without re‑taking the exam. That’s the practical math every candidate should run before booking a test date.

The self‑defeating study mistake I see too often

I made a classic mistake as a candidate—not a technical one, but a planning one. I passed the exam first, then realized I hadn’t documented enough qualifying experience. The pass was valid for five years, but I still had to wait before I could use the credential. I’ve since watched candidate after candidate follow the same path: celebrating a passing score, then spending months scrambling to piece together audit‑related work the employer never formally labeled as auditing.

Use ISACA’s experience calculator early. Map every project, every audit engagement, every controls review to the job practice domains. If a former supervisor needs to attest to your experience, get that confirmation while memories are fresh, not three years later.

How the CISA exam fits into the certification requirements

Anyone can register for the exam. There are no educational prerequisites. Worldwide, 150,000+ professionals hold the CISA today, but the exam pass rate hovers between 50 and 55 percent. That’s a stark filter.

The exam covers five domains, each weighted:

  • Domain 1: Information Systems Auditing Process (21%) — audit planning, risk assessment, sampling, evidence, reporting.
  • Domain 2: Governance and Management of IT (16%) — IT strategy, policies, organizational structures, risk management.
  • Domain 3: Information Systems Acquisition, Development, and Implementation (18%) — project management, SDLC, business cases, testing.
  • Domain 4: Information Systems Operations and Business Resilience (20%) — IT service management, disaster recovery, operations controls.
  • Domain 5: Protection of Information Assets (25%) — access controls, network security, cryptography, physical and environmental security.

No domain stands alone. A single question will ask you to evaluate a security control (Domain 5) through the lens of the audit process (Domain 1) while considering governance implications (Domain 2). Study in silos, and the exam will expose you.

What a reasonable study schedule looks like

For candidates working full‑time, I recommend a 14‑to‑16‑week preparation timeline for the exam:

  • Weeks 1–2: Baseline with a full‑length practice test. Identify weak domains.
  • Weeks 3–8: One domain per week of deep study plus 50‑question domain quizzes.
  • Weeks 9–12: Mixed‑domain practice, two 75‑question blocks per week.
  • Weeks 13–16: Full‑length mock exams, review incorrect answers, drill weak areas.

Focus your final two weeks on Domain 1 and Domain 5—together they represent 46 percent of scored questions.

A common self‑sabotage: candidates retake the same practice questions until they’ve memorized the answers, then wonder why they fail the real exam. Rotate through multiple question banks and always analyze why each distractor is wrong.


Frequently asked questions

What are the CISA certification requirements?

The CISA credential requires passing the 150‑question exam with a score of at least 450 out of 800, documenting five years of professional IS auditing, control, or security experience, and agreeing to ISACA’s Code of Professional Ethics. Experience waivers can substitute up to three years. No education prerequisites prevent you from taking the exam, but certification only follows when all requirements are verified.

Do I need work experience before taking the CISA exam?

No. Anyone can register for and sit the CISA exam regardless of experience. However, certification will not be awarded until the five‑year experience requirement is satisfied or waivers are applied. Your passing score remains valid for five years from the exam date, giving you a window to gain the necessary experience.

How many years of experience do I need for CISA?

ISACA requires five years of full‑time professional experience in IS auditing, control, or security. Substitutions can reduce this requirement by a maximum of three years, leaving at least two years of direct experience that cannot be waived. Acceptable substitutions include a two‑year degree waiver, one year for other certifications like CIA or CISSP, or one year of non‑IS audit experience.

What is the CISA exam passing score?

The exam is scored on a scale of 200 to 800, with a minimum passing mark of 450. This is not a raw percentage but a scaled score reflecting the difficulty of the specific exam form you received. Each of the 150 questions carries equal weight in the preliminary scoring, and ISACA uses a standard‑setting methodology to ensure consistency across exam versions.

Can I substitute education for work experience?

Yes. A master’s degree in information systems, accounting, or a closely related field can substitute for one year of experience, while a bachelor’s degree can substitute for two years if combined with additional requirements—ISACA’s policy limits total education waivers to two years maximum. Foreign degrees are evaluated for equivalency. The education waiver must be supported by transcripts and is just one piece of the overall substitution limit.

How long does it take to prepare for CISA?

Most full‑time professionals need 14 to 16 weeks of consistent study. The exam covers five domains, with Domain 1 (21%) and Domain 5 (25%) carrying the most weight. A candidate with strong hands‑on audit experience may shorten this to 10 weeks, while someone new to the field may require 20 weeks. Starting with a diagnostic practice test is the best way to gauge your timeline.

Does the CISA certificate expire?

No, the CISA certification does not expire as long as you comply with continuing professional education (CPE) requirements. ISACA mandates a minimum of 20 CPE hours each calendar year and 120 hours over a rolling three‑year period. Reporting is done annually, and failure to meet CPE requirements can lead to suspension or revocation of the certification.

What happens if I fail the CISA exam?

If your score falls below 450, you must wait 90 days before re‑registering and paying the full exam fee again. ISACA does not offer free retakes. Many candidates I’ve worked with regroup by focusing on the two or three domains where they scored lowest, using a fresh question bank to avoid pattern recognition. The wait period is mandatory, so use it for deliberate improvement.

Is the CISA worth it without a degree?

You do not need a degree to register for or pass the exam. If you lack a degree entirely, you’ll need five full years of direct IS audit, control, or security experience—no education waivers apply. For professionals with verified, hands‑on experience, CISA remains valuable and attainable. Many IT auditors without formal degrees have successfully certified by documenting their work in the required domains.


Most candidates I meet are fixated on the exam, but the experience requirement is where plans go sideways. Map your work history against ISACA’s domains, secure your verifications early, and only then lock in your test date. If you want to see where your knowledge stands against the actual 150‑question exam, try our free CISA practice test. For structured, domain‑by‑domain preparation, our full CISA course mirrors the exam blueprint and audit mindset you’ll need on test day.


Avinash Bajaj

Founder — Paper Labs Classroom

Chartered Accountant (India) · CISA · SOX Certified · Cyber Security Certified

avinashbajaj145@gmail.com