CISA Requirements

The Certified Information Systems Auditor (CISA) certification awarded by ISACA® was established in 1978 and is the internationally recognised standard. This blog sets out the essential requirements for pursuing CISA certification.

What are the requirements for obtaining a CISA certification?

Candidates who complete a comprehensive written test and have at least five years of related work experience are awarded the CISA certification.

ISACA has defined five CISA domains that you will be evaluated on:

  • Domain 1 - Information System Auditing Process (21% of exam)
  • Domain 2 - Governance and Management of IT (17% of exam)
  • Domain 3 - Information Systems Acquisition, Development and Implementation (12% of exam)
  • Domain 4 - Information Systems Operations and Business Resilience (23% of exam)
  • Domain 5 - Protection of Information Assets (27% of exam)

Domain 1 - Information System Auditing Process

There are seven areas that you need to understand in Domain 1.

1) IS Audit Function Management

  • You must be aware of the audit charter and what it entails.
  • You'll need to comprehend how to plan an audit. Take a quick look at Exhibit 1.2 on page 34 of the CISA Review Manual to understand the steps.
  • "Gain awareness of the business's mission, goals, intent, and processes." This is relevant because it appears to account for around 3-4 questions on the test. Examine the section titled "The Effect of Laws and Regulations on IS Audit Planning," paying special attention to the Basel II Accord on page 35.

2) ISACA IT Audit and Assurance Guidelines and Standards

  • S1, S2, S4, S9, and S10 are all essential things to note. Standards S12 through S16 are new updates to CISA, and you should be familiar with S12, S13, and S14.
  • G5, G10, G18, and G19 can all be noted. G41 and G42 are new updates to CISA, and ROSI is gaining a lot of attention.  So learn how to measure and understand the idea of Return on Security Investment.  
  • P2, P5, P7, and P10 can all be noted.
  • ITAF (Information Technology Assurance Framework), especially section 3000 on IT Assurance Guidelines, should be familiar to you. 

3) Risk Analysis

  • Understand the meaning of risk.
  • Know the various approaches to remediation. (Accept, Mitigate, Transfer, Avoid)

4) Internal Controls

  • Understand the distinctions between preventative, detective, and corrective controls.
  • Learn how CobiT blends into ISACA's vision of IT governance and management support.
  • Understand the distinction between IT management and internal control goals.

5) Conducting an IS Audit

  • Understand the differences between auditing and IS auditing.
  • Think about the various forms of audits and how to interpret carefully integrated and forensic audits.
  • Memorize Exhibit 1.5 on page 53 to learn about the various stages of an audit.
  • Understand the principle of risk-based auditing, particularly inherent risk, control risk, and detection risk.
  • You should be able to explain both compliance testing and substantive testing.
  • Sampling is a part of the Review Manual that you really need to memorise. Go to page 60 of the CISA manual and memorise it.

6) Control Self-Assessment

  • Your job description is "facilitator."

7) The Evolving IS Audit Process

  • Integrated auditing entails collaborating with the financial analyst for a risk-based audit.
  • Recognize the distinctions between continuous monitoring and continuous auditing.

The first domain serves as a foundation for recognising the whole field of Certified Information Systems Auditor, and without a firm grasp of the basics, you will struggle to succeed in the subsequent domains.


Domain 2 - Governance and Management of IT

The CISA materials have been updated by ISACA, and this domain now includes the Business Continuity portion that was previously included in Domain 6. Domain 2 is divided into 13 sections that you must master.

1) Corporate Governance

  • Understand the meaning of corporate governance.
  • Get familiarity with ISO 26000 (30,000 foot view).
  • Get to know the OECD Principles of Corporate Governance, published in 2004.

2) IT Governance (ITG)

  • ITG is interested in two issues: what they are and what motivates them?

3) Practices for Board and Senior Management of Information Technology Monitoring and Assurance

  • Who is responsible for ITG?
  • Describe ITG's five primary focus areas.
  • Learn about the various mechanisms for IT governance (COBIT, ISO27001, ITIL, IBPC, ISM3, AS8015 and ISO38500)
  • Understand the role of audit in ITG.
  • Know what the IT Planning Committee and the IT Steering Committee's duties are (this is another one of those charts you'll need to memorise).
  • Know the relationships between Security Governance results and Management Roles using another memory chart.
  • Examine the Zachman Framework, as well as the Federal Enterprise Architecture's (FEA) hierarchy of five reference models.

4) Strategy for Information Systems

  • Recognize the significance of IT strategic planning and the Steering Committee's primary role.

5) Models for Process Improvement and Maturity

  • Understand the meanings of CMMI, TSP, and PSP.
  • ISACA is taking a keen interest in SEI's IDEAL concept.

6) IT Allocation and Investment Practices

  • Download and read the ValIT text from the ISACA website.
  • What can companies do for IT Portfolio Management that the Balanced Scorecard can't?

7) Policies and Procedures

  • The company's information management strategy is the most significant.
  • Data classification, appropriate utilisation, end-user computing, and access management are some of the other security measures that should be implemented.
  • When reviewing the information security policy, consider what to look for.
  • Procedures are essential, and they must be followed “step by step” – that's a clue!!!!

8) Risk Management

  • What are management’s options?  Avoid, Mitigate, Transfer, Accept.
  • Know the different levels that IT Risk Management needs to operate at:  Operational, Project, and Strategic.
  • Understand the difference between Qualitative Analysis, Semiquantitative analysis and Quantitative analysis.
  • Know how to calculate Annual Loss Expectancy (ALE).

9) Management Practices in IS (You'll need to know about five sub-areas.)

  • Human Resources Management (before, during and after).
  • Sourcing Practices (Insourced, Outsourced, Hybrid as well as the concepts and definitions for Onsite, Offsite and Offshore).
  • Management of organisational change – nothing is done without management consent.
  • Chargeback is an important term to consider in financial management.
  • Quality Control – You should be familiar with QM and ISO9000, but ISACA does not test specific ISO requirements.

10) IS Responsibilities and Organizational Structure

  • Roles and responsibilities – the CISA manual contains a chart called the Segregation of Duties Control Matrix, which is another aspect to MEMORIZE.
  • There are several definitions that are unique to DBAs and QA staff that you will need to learn about.

11) Examining the Structure and Implementation of IT Governance

  • You must understand that the first thing you must do in this environment is “Gain an Understanding of the Business”, which means familiarising yourself with the Information Security Policy.
  • Then go grab your organisation charts, job descriptions, and your Memorized Segregation of Duties Control Matrix and see if there are any inconsistencies.

12) Planning for Business Continuity (It is a new division that replaced the former Disaster Recovery and Business Continuity Planning Domain 6.)

  • To begin, a Business Impact Analysis (BIA) of all business functions is required, accompanied by assessment criteria to decide which ones are important.
  • Memorize the definitions of each of the four system classifications (Critical, Vital, Sensitive, and Nonsensitive).
  • What motivates you to purchase insurance? Of course, to transfer risk.
  • Testing is another important aspect of BCP, and you should be aware of the various categories, which involve preparation and complete operational testing.

13) Business Continuity Auditing

  • Evaluate the BCP.
  • Evaluate the test results; we assume they measured the BCP, and they should have reported “Lessons Learned” – Another hint: this is a word that ISACA prefers.


Domain 3 - Information Systems Acquisition, Development and Implementation

The aim of this CISA component is to ensure that candidates can ensure the smooth operation of the IS acquisition, production, and implementation processes. 

  • Developing the business case
  • IT supplier selection
  • project management
  • system development
  • implementation readiness
  • post implementation review

Developing the business case
The organisation should ensure that it is cost-effective and follows the IS Strategy. It should also determine what services it would have, such as cost savings or increased system efficiency. This data is compiled in a business case, which is accepted by senior management and reviewed during the process.

The project may be requested by the portfolio, and a feasibility report will be undertaken to test the solution, with the findings being used in the business case. The candidate must be familiar with the method of designing a business case and investment assessment strategies such as return on investment (ROI).

IT supplier selection
Candidates must understand how vendors are selected and handled. A Request for Proposal (RFP) is the first step in engaging a provider. It includes market and IS specifications, as well as details about the supplier and contractual terms. The RFP is a crucial document, and when evaluating it, the auditor should do the following:

  • Interviews and desk research are used to verify the completeness and consistency of the specifications.
  • Confirm that legitimate, senior IS, and business managers have given their full approval to the RFP, and
  • Ensure that a sufficient number of high-quality vendors have been invited to respond.

Project management
Candidates must be able to demonstrate how project management methods and strategies are used to handle the risks involved with the procurement, development, and deployment of information technology, and be able to assess whether programs are on target to meet their objectives and achieve the benefits outlined in the business case.

Many organisations customise project management methodologies to suit their own requirements, so auditors can become acquainted with them before beginning a study. Governance is an integral part of the project management process, and the inspector should look for proof that risks, problems, and dependencies are being actively handled, and that the project is under the supervision of a steering committee or project board.

System development
In response to the need for speed, mobility, versatility, and cost savings, various device architecture methodologies have arisen over time. Auditors must be able to define the various types of measures used by the SDLC, determine their efficiency, and ensure that they have been adequately tested. There are various kinds of controls:

  • Application controls – Input, processing, and output functions are all regulated by this system.
  • Input controls – To ensure that only reliable data or other inputs are used.
  • Processing controls – For ensuring that inputs are handled in compliance with specifications and design logic, producing the intended result, and
  • Output controls – Ensure the device outputs are delivered safely and in a reliable, functional format to consumers.
  • Controls can be tested using plan documentation, user manuals, evaluation results, and user feedback.

Implementation readiness
Testing must be done before adoption, and an implementation plan must be settled upon. Until implementation begins, auditors can report that an implementation plan comprising the following has been approved:

  • Criteria for determining whether the implementation can proceed or be postponed
  • Activities and timeline for implementation; there may be a minute-by-minute, step-by-step activity list.
  • To ensure that the implementation has been performed, success criteria will be used.
  • Backout plans, which can be used if the implementation stalls in the middle.
  • Arrangements for assistance during implementation and then for normal business operations.
  • Communication and staff training.

Post-implementation review
The PIR is a useful method for recording lessons learned and other input from the project team, both of which can be used to develop the next implementation. It should also state whether or not the project's goals were achieved, as well as a plan for closing any open actions, reducing funding, and closing the finances.

It will require a review and final statement on benefits realisation, depending on the timing for implementation of the benefits; otherwise, it would be reported as an open intervention.

Domain 4 - Information Systems Operations and Business Resilience 

This domain is structured to ensure that the applicant has a comprehensive knowledge of information systems operations, service management, and disaster recovery processes.

IS Operations is at the core of the IS wheel, ensuring that processes, software, and technology perform as planned and meeting the specifications on which they were designed. Services may be delivered by internal or external teams.

Based on the scale of the company and the corporate sense, the breadth of IS operations can vary. However, hardware and device maintenance, power management, work scheduling, data management, device performance control, and customer service are usually supported. Any auditor should begin by obtaining a detailed understanding of the scope and services in use.

Hardware and software management
Asset management
Companies may save money by redeploying or withdrawing non-essential information assets if they have an accurate inventory. Auditors can ensure that a robust procedure is in place to recognize all assets, as well as their last identified location, recovery priority, security/risk classification, and owner.

Maintenance and release management
Auditors can ensure that a formal, authorised planned maintenance is in place, which includes pre-deployment testing, backup and restore plans, priority processing arrangements, and user interaction.

Software releases, whether as part of routine maintenance or as part of a market improvement programme, must be deliberately designed to mitigate risk and effects on the business. Each release demands careful deployment preparation. Since they aren't given enough attention, 'simple' releases have brought some companies to a halt.

Capacity management
Both computing and infrastructure services must be designed to ensure optimum usage, with allocation increases or decreases if required. Auditors should ensure that a capacity management strategy is in effect, and that it is updated at least once a year, unless major internal reform necessitates a more regular update.

Data management
The auditor should be familiar with database architecture, database administration, potential transaction processing issues, and database management system security concerns.

The auditor must ensure that data retention measures, such as data integrity confirmation, data backup and restore processes, user access, and administration rights, are in place based on the type and value of data.

Service Management
The compilation of processes, procedures, and tasks used to control IS operations is known as service management. The majority of companies will follow industry-wide service management systems like ISO20000-1:2011 and ITIL. Candidates should have a clear understanding of the material and implementation of both systems due to their widespread adoption. They should also know how to create and track Service Level Agreements (SLAs), particularly where third-party vendors are involved. 

Problem and incident management
Any event that disrupts or degrades the level of service is referred to as an incident. Auditors should be familiar with incident and problem response best practices to ensure that the company has procedures in place to track, report, handle, and address incidents as efficiently as possible. Incident-handling processes should also be checked, and staff trained on them, on a frequent basis.

The opportunity to easily determine the incident's urgency and effect, and therefore the focus for resolution, is an important aspect of the IM process. Auditors should review previous incidents in addition to the IM procedure to ensure that the process was implemented and incidents were properly resolved.

Disaster Recovery
A disaster recovery plan includes roles and responsibilities, management policy, recovery point and recovery time priorities, coping plans, and the communication process. The recovery point objective (RPO) is the maximum amount of data loss, measured as time back from the event, that the organisation can tolerate, and the recovery time objective (RTO) is the maximum time a computer, system, network, or application can be down after an incident.

Auditors must be able to assess the completeness and accuracy of the DR plan's contents, as well as ensuring that the conditions and process for invoking DR are clearly specified.


Domain 5 - Protection of Information Assets

This is the final and most relevant domain in the CISA certification field. According to ISACA, this domain accounts for 30% of the CISA exam, which consists of roughly 60 questions. This segment contains eight topics that you must master in order to clear the CISA exam.

1) Significance of Information Security Management

  • To ensure the continued availability of information services, information security management is critical.
  • Information Security Management is crucial for ensuring the confidentiality of all stored data and data in transit, including sensitive data.
  • There’s the old CIA triad again (Confidentiality, Integrity, Availability).
  • Key elements in Information Security Management are:
      • Senior management commitment and support
      • Policies and procedures
      • Security awareness and training
      • Monitoring and compliance, and
      • Incident handling and response
  • Each of these key elements should be known.
  • Information Security Management roles and responsibilities: you must know the IS Security Steering Committee's duties in this area like the back of your hand.
  • Comprehend the distinction between mandatory access controls (MACs) and discretionary access controls (DACs).
  • Data crime challenges and exposures are discussed in one of the last sections of Information Security Management. The CISA manual's Exhibit 5.8 lists over 30 different Traditional Attack Methods and Techniques. ISACA has preferred a variety of topics for their exam, ranging from botnets to war chalking.

2) Logical Access

  • Logical access controls are the primary means of handling and safeguarding information assets. Take note of the stress on the word PRIMARY!
  • There are only two points of access, local and remote. How do you identify local users and their privileges, and how do you identify and authenticate remote users?
  • The three types of authentication are something you know (password), something you have (token), and something you are (biometrics).
  • Palm, hand geometry, iris, retina, fingerprint, face, and speech recognition are all biometrics. Which one has the highest user rejection rate and costs the most? HINT: It involves the eye.

3) Network Infrastructure Security

  • You should be aware of some of the benefits and pitfalls of virtualization.
  • Wireless networking protection threats and risk control mechanisms, such as WEP, WPA, WPA2, authentication, nonrepudiation, transparency, and network availability, must be understood.
  • You must be aware of the various types of firewalls (router packet filtering, application firewall systems, stateful inspection).
  • You'll need to be familiar with firewall configurations (screened-host, dual-homed, DMZ or screened-subnet).
  • Is there a distinction between NIDS and HIDS, and will they replace firewalls? NO is the answer.
  • You'll need to understand encryption and how a digital signature works.
  • You'll need a good understanding of viruses as well as a working knowledge of some of the management protocols that should be in operation.

4) Framework for Information Security Management Auditing

  • Examine the written policies, practices, and standards.
  • Pay close attention to the security policies for logical access.
  • Ascertain that everybody has undergone current security training.
  • Why are you so concerned with data ownership? Because the data owner is the person who decides who has access to and uses their data.
  • Then you'll need to check the logical access to ensure that the guidelines are being enforced. Pay special attention to "JOB TRANSFERS," since there is a tendency to grant access but not remove it.
  • Examine the access records to make sure that someone else is looking at them and taking action if there are any unsuccessful authentication attempts.

5) Network Infrastructure Security Auditing

  • Is there someone with remote access, and has it been approved? Why do vendors have full access to the network in order to fix a network device? Has management provided their approval to the unrestricted access?
  • Now comes the exciting part: as auditors, you should be allowed to do Pen Testing; just make sure you have permission before beginning this part of the audit. HINT: PRIOR APPROVAL
  • Ensure that all network modifications, including emergency changes, go into change control.
  • This is where forensics comes into action, so make sure you understand the four main factors in the sequence of events when it comes to facts (Identify, Preserve, Analyze, Present).

6) Environmental Exposures and Controls

  • Understand the distinctions between a blackout (total failure), a brownout (severely reduced voltage), and a whiteout (snowstorm)... You've gotten it if you've read this far.
  • The use of halon is now prohibited. What would be a fine replacement?
  • Is security awareness training needed for staff who will have to use hand-held fire extinguishers, and where should they be located, how frequently should they be inspected? All good test questions.
  • Surge protectors are used for power spikes.
  • Is a UPS used for power cleansing? Yes… As if you were wiping your hands with soap. Uninterruptible power supplies (UPSs) are used to transform dirty power to clean power. Notice this: power sags, spikes, and fluctuations are all called dirty power. A UPS guarantees that the wattage and voltage are constant, flatlined, and steady, among other things.
  • Environmental detection equipment, such as smoke detectors and moisture detectors, must be understood.

7) Physical Access Exposures and Controls

  • To prevent unauthorized access, apply the principle of least privilege: access is permitted only if the work demands it, and no guest is allowed to enter alone. PERIOD.
  • Mantraps, deadman doors, and visitor escorts are all important features in this area.

8) Mobile Computing

  • Encryption of hard drives.
  • Backups are made on a regular basis.
  • Team that responds to thefts.
  • Defending against malicious code necessitates extra caution. HINT:  Is there a way to get behind the company's firewall? Carry a laptop into the office by hand from a distant location. You can see how important it is to have strong malicious code protections now.

CISAs that stick to the continuing professional education would be best prepared to analyse information systems and technologies, as well as offer leadership and value to their organisations. The CISA Certification Board is responsible for establishing continuing technical education standards and overseeing the processes and requirements to ensure their applicability.

Saritha Reddy
Research Analyst
A technical lead content writer in HKR Trainings with an expertise in delivering content on the market demanding technologies like Networking, Storage & Virtualization,Cyber Security & SIEM Tools, Server Administration, Operating System & Administration, IAM Tools, Cloud Computing, etc. She does a great job in creating wonderful content for the users and always keeps updated with the latest trends in the market. To know more information connect her on Linkedin, Twitter, and Facebook.