CISA (Certified Information Systems Auditor) has specific eligibility requirements that are more complex than those of some certifications because ISACA allows you to earn the credential through either an exam-first or an experience-first approach. Let me break this down clearly.
The fundamental requirement is 5 years of professional information systems auditing, control, or security work experience. This experience must be gained within the 10-year period before you apply for certification, and it must involve activities that fall under ISACA's job practice areas: information systems audit process, IT governance and management, information systems acquisition/development/implementation, information systems operations and resilience, and protection of information assets.
One thing that makes CISA flexible is that there's NO requirement to pass the exam first. You can work and accumulate experience first, then take the exam, then apply for certification. Or you can take the exam and become an "Associate of ISACA" while gaining experience, then upgrade to full CISA after meeting the 5-year requirement. This flexibility is helpful for people building careers gradually.
ISACA also allows experience waivers and substitutions. You can substitute up to 3 years of the 5-year requirement with:
- One year of information systems experience can substitute for one year of the auditing requirement
- One year of non-IS auditing can substitute for one year
- One year of full-time university teaching in an auditing-related discipline can substitute for up to two years
The exam itself has NO prerequisites. You don't need prior certifications or even a degree. However, the exam is challenging and covers deep knowledge of auditing, so most candidates prepare for 2-4 months.
You can apply for CISA within five years of passing the exam. So you could take the exam today, work for five years, and then apply; you do not necessarily have to accumulate the work experience first.