- To become a CISA, candidates must have at least five years of relevant experience. According to ISACA, CISA candidates should have experience in the audit process: assigning best practices to protect a company's IT and business systems; helping companies develop structures and accountability for corporate governance of IT; and providing assurance that businesses have recovery measures in place for IT in the event of a disaster.
- Candidates must pass a four-hour exam consisting of 200 multiple-choice questions. Exams are offered twice a year, in June and December. ISACA provides a list of reference materials to help candidates prepare for the exam. The examining body also provides a range of courses that lead to the exam, including online courses, webcasts and meetings with industry experts (see Resources).
- CISAs, along with other members of ISACA, are required to comply with ISACA's Code of Professional Ethics. The code requires members to perform their duties with objectivity, and to maintain the privacy of information they receive.
- Certification holders are required to take part in ongoing education. ISACA's Continuing Professional Education Policy requires CISAs to complete no fewer than 20 hours of relevant education each year.
- CISA professionals must also follow ISACA's Information Systems Auditing Standards, which provide a framework for IT assurance.













