Most candidates I meet want the CISA designation but don’t know the exact steps beyond “study and pass the exam.” The real process has five distinct stages—miss one, and you’ll wait months to fix it.
To get CISA certified, you must apply and be approved for the exam, pass the CISA exam (150 questions in 4 hours, passing score 450 out of 800), meet the 5-year professional experience requirement, and agree to ISACA’s code of ethics and continuing education policy. The exam covers five domains: Auditing (21%), Governance (16%), Acquisition (18%), Operations (20%), and Protection (25%). Only about 50–55% of first-time test-takers pass, so structured preparation is essential.
| Stage | What You Do | Typical Timeline |
|---|---|---|
| 1. Confirm eligibility | Review experience & education requirements; you may substitute up to 1 year | Before you register |
| 2. Register & schedule | Apply online with ISACA, pay the exam fee, pick a test date | 2–4 weeks processing |
| 3. Prepare for the exam | Study all five domains systematically; take timed practice tests | 3–4 months recommended |
| 4. Pass the exam | Sit for 150 multiple-choice questions within 4 hours | Exam day |
| 5. Apply for certification | Submit verified work experience and pay the application fee | Within 5 years of passing the exam |
Passing the CISA exam is only one piece. You need the right experience and a complete application, or your passing score is worthless after five years.
The most critical decision rule is this: if you don’t yet have the full 5 years of IS audit, control, or security experience, map out your substitution options immediately. You can substitute up to 1 year with a related bachelor’s or master’s degree, or with other ISACA certifications like CISM or CRISC. Not all IT roles qualify. A candidate I mentored had three years in IT general controls monitoring, but ISACA rejected half that time because the work lacked audit engagement components like evidence gathering and reporting. He spent months chasing revised verification letters before his application window expired.
What are the CISA certification requirements?
ISACA requires a minimum of 5 years of professional work experience in information systems auditing, control, or security. The experience must be verifiable and gained within the 10-year period prior to your application. You can substitute up to 1 year with:
- A bachelor’s or master’s degree (any discipline) that includes 2 or 3 years of full-time study, respectively.
- A degree in a related field (e.g., computer science, accounting) may count differently.
- Active CISM, CRISC, or other ISACA certifications.
- Work as a full-time university instructor in a related field (2 years may substitute for 1 year of experience).
If you hold an active CISA certification from a prior cycle, the experience requirement is reduced to 3 years when upgrading.
After passing the exam, you have 5 years to submit your verified experience application. The certification application fee is separate from the exam fee and must be paid at that time.
How do I register for the CISA exam?
Register through ISACA’s website. Create an account, complete the exam application, and pay the registration fee. ISACA processes most applications within 2–4 weeks. Once approved, you receive an eligibility window (usually a 12-month testing period) during which you must schedule and sit the exam.
Scheduling is done through PSI, ISACA’s global testing partner. You can choose a testing center near you or, in many regions, an online proctored session. The online option requires a stable internet connection, a webcam, and a quiet room. I recommend testing your setup a week before the exam to avoid technical disqualifications.
How should I prepare for the CISA exam?
Many candidates fail because they treat the CISA exam like a technical test. It’s a management-level audit exam. Think like an auditor, not a practitioner.
The exam has 150 multiple-choice questions covering five domains:
- Domain 1 – Information Systems Auditing Process (21%)
- Domain 2 – Governance and Management of IT (16%)
- Domain 3 – Information Systems Acquisition, Development, and Implementation (18%)
- Domain 4 – Information Systems Operations and Business Resilience (20%)
- Domain 5 – Protection of Information Assets (25%)
Each question tests your ability to apply audit methodology, evaluate controls, and make risk-based decisions. You won’t be asked to configure a firewall; you’ll be asked to assess whether the firewall configuration meets the organization’s risk appetite.
Early in my own certification journey, I made the mistake of under-preparing for Domain 5. My cybersecurity background made me overconfident. The exam didn’t care what I knew about encryption algorithms—it wanted me to evaluate whether the encryption strategy was appropriately designed, implemented, and monitored from an audit perspective. I had to refocus my study on the IS auditor’s mindset, not the technical details.
A practical 12-week study schedule that works for most working professionals:
- Weeks 1–3: Read the official CISA Review Manual, focusing on Domain 1 and Domain 2. Take a diagnostic practice test to identify weak areas.
- Weeks 4–6: Deep dive into Domain 3 and Domain 4. Use a question bank to review 20–30 questions daily, reading every explanation.
- Weeks 7–9: Master Domain 5 and integrate cross-domain questions. At this stage, do full 150-question simulations under timed conditions twice a week.
- Weeks 10–12: Intensive review of missed questions, concept drills, and final full-length exams. Aim to consistently score above 70% on practice tests.
During an IS audit engagement I led for a financial client, we discovered that half the access controls we assumed were in place had been overridden by an IT operations team trying to speed up batch processing. That real-world scenario became a study anchor for me: whenever a CISA practice question involved operational effectiveness vs. control weakness, I remembered that room and the surprised faces at the audit committee meeting. Connecting study material to lived audit experiences crystallizes the exam’s thought process.
What happens on CISA exam day?
You have 4 hours to answer 150 questions. There are no scheduled breaks, but you can take unscheduled restroom breaks (the clock keeps running). Most test-takers finish with 30–45 minutes to spare. Use that time to review flagged questions.
The scaled score ranges from 200 to 800, with 450 required to pass. Because the exam is scored using a psychometric model, your raw percent-correct doesn’t map directly to a scaled score. In practice, though, candidates who answer roughly 65–70% of questions correctly tend to clear the 450 threshold.
After finishing, you receive a preliminary pass/fail result on screen. ISACA releases official results by email within 10 business days.
How do I apply for CISA certification after passing?
Once you pass, collect your experience verification documents. ISACA requires certification holders to attest to the accuracy of their reported experience. A supervisor or a currently certified CISA must sign off on the verification form. If you are self-employed, a client can verify your work.
Submit the application along with the certification fee. ISACA typically processes applications within 4–6 weeks. Once approved, you’ll receive your digital badge and certificate, and you become part of the 150,000+ CISA-certified professionals worldwide.
Remember: your passing score is valid for only 5 years. If you don’t apply for certification within that window, the score expires and you must retake the exam.
FAQ
How hard is the CISA exam?
The CISA exam demands a broad understanding of audit, IT governance, system acquisition, operations, and protection. The global first-time pass rate sits around 50–55%. That tells you half the people who sit for it go home without a passing score. The difficulty stems not from technical depth but from the need to consistently apply an auditor’s judgement to every scenario. Candidates with strong test-taking strategies and at least 3 months of structured preparation tend to beat the odds.
How long does it take to prepare for CISA?
Most candidates I work with need 12–16 weeks of consistent study. That translates to roughly 150–200 total hours, depending on your existing knowledge. Someone with 5 years of audit experience might need less; an IT practitioner transitioning into audit often needs more because the exam mindset differs from day-to-day operations. I recommend blocking out 90 minutes per day, 5 days a week, plus a longer weekend session to do full practice sets and detailed review.
What is the CISA exam pass rate?
ISACA does not publish an official pass rate, but industry consensus and candidate surveys place it at 50–55% for first-time test-takers. That figure has held steady over several years and aligns with the fact that 150,000+ professionals globally hold the certification despite a high failure rate on first attempts.
Can I take the CISA exam without experience?
Yes. ISACA allows anyone to register and sit for the exam, regardless of experience level. If you pass, you remain exam-passed but are not certified until you meet the experience requirement. You then have a 5-year grace period to accumulate or verify the necessary 5 years of work experience. Many candidates take this route early in their careers to lock in the exam score while building their experience profile.
How much does CISA certification cost?
Costs vary depending on ISACA membership status. For members, the exam registration fee is approximately $575 USD; for non-members, around $760 USD. The certification application fee is $50 for members, $100 for non-members. Practice resources and training add variable costs. Budget $1,000–$1,500 total for exam fees, study materials, and application.
What is the CISA retake policy?
If you fail the exam, you must wait 90 days before retaking it. You must repay the full registration fee for each attempt. There is no limit on the number of attempts, but the 90-day cooling-off period applies every time. I advise candidates who fail to use that time for targeted remediation, not just more practice questions. Identify the domains where you scored weakest and rebuild your conceptual foundation before retrying.
How do I maintain CISA certification?
Once certified, you must comply with ISACA’s continuing professional education (CPE) policy and pay an annual maintenance fee. The requirement is 20 CPE hours each year and 120 CPE hours every 3-year reporting cycle. Acceptable activities include attending training, presenting, publishing articles, and participating in IS audit-related professional activities. Failure to meet CPE requirements can lead to suspension or revocation of your certification.
The step-by-step process you read at the top of this post isn’t just a checklist—it’s the framework I’ve used to help candidates cross from “I plan to get CISA” to holding the designation in hand. The gap between planning and doing is measured in weeks of focused study and one solid application. To see where you stand right now, try our free CISA practice test. When you’re ready to commit, our full CISA prep course walks you through every domain with realistic exam questions and auditor-level explanations.
