To be eligible for the Certified Information Systems Auditor (CISA) certification, candidates must meet the experience requirements set by ISACA. You need a minimum of five years of professional work experience in information systems auditing, control, assurance, or security. This experience must be gained within a specific time window—typically within the last 10 years before applying or up to 5 years after passing the CISA exam.
However, ISACA allows experience waivers that can reduce the required work experience by up to three years. For example, a university degree, certain IT-related certifications, or relevant academic qualifications can substitute for part of the experience requirement. Even if you don’t yet meet the experience criteria, you can still appear for and pass the CISA exam first, and then complete the required experience later to earn the certification.