ISACA Certification Guide: Overview And Career Paths

By Mary Kyle

ISACA offers certifications in systems auditing, security management, and IT governance and risk. This certification guide covers ISACA's CISA, CISM, CGEIT and CRISC certifications and the career paths related to them.

Anyone who is interested in a career in IT governance, risk assessment, systems auditing, and security management should check out the certifications offered by ISACA. ISACA is a global nonprofit association focused on IT governance. The organization was formerly known as the Information Systems Audit and Control Association, but now goes simply by ISACA to "reflect the broad range of IT governance professionals it serves."

In 1967, ISACA was formed by a group of like-minded individuals seeking centralized information and guidance regarding computer system auditing. Today, ISACA has over 200 membership chapters in over 85 countries, with over 125,000 members. In addition to its membership, ISACA also boasts more than 15,000 non-members who hold ISACA credentials. ISACA also offers professional certifications (the focus of this article), publishes the ISACA Journal and hosts conferences worldwide.

ISACA Certification Program Overview

ISACA offers four professional certifications geared toward information systems auditors and managers:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified in Risk and Information Systems Control (CRISC)

ISACA requires candidates to pass a written exam for each certification, and exams are offered only three times a year. You must also adhere to the ISACA Code of Professional Ethics and agree to meet continuing professional education requirements.

To maintain certification, credential holders must earn 120 continuing professional education (CPE) credits over a three-year period following certification or after renewal (earning a minimum of 20 CPEs annually), and pay an annual maintenance fee ($45 for members and $85 for non-members). Otherwise, certification holders must retake the exam to retain their currently certified status.

The American National Standards Institute (ANSI) has accredited the CISA, CISM, CGEIT and CRISC credentials as meeting ISO/IEC 17024, General Requirements for Bodies Operating Certification Systems of Persons. ISO/IEC 17024 specifies requirements that organizations must follow when certifying individuals against specific requirements.


What Is IT Governance?

The focus of IT governance in enterprise organizations is to ensure that IT resources and systems are used effectively to meet business goals. IT governance professionals must have a good understanding of how (and why) to align IT goals with those of the organization. This involves strategic management, risk management and resource optimization, all of which are part of preparation for the CGEIT credential. IT governance typically falls to the chief information officer (CIO) or chief technology officer (CTO) and those who oversee the prioritization and implementation of IT initiatives.

CISA Certification

If you have experience as an information systems auditor and want to move up (or over), consider acquiring the Certified Information Systems Auditor (CISA) certification. The CISA credential recognizes individuals who are skilled in auditing, controlling and assurance of enterprise IT systems. The CISA is by far the most popular ISACA certification, with over 115,000 credentials granted since the program began.

Beginning with the June 2016 CISA exam, ISACA will implement new job practice areas consisting of five domains:

  • Process of auditing information systems (21 percent)
  • Governance and management of IT (16 percent)
  • Information systems acquisition, development and implementation (18 percent)
  • Information systems operations, maintenance and service management (20 percent)
  • Protection of information assets (25 percent)

To achieve the CISA certification, candidates must pass a 150-question exam, provide proof of work experience (a minimum of five years of professional-level information systems auditing, control or security) and complete the application.

ISACA lets you substitute education for some work experience. For example, a two-year or four-year degree counts toward one or two years, respectively, of work experience.

CISM Certification

The Certified Information Security Manager (CISM) certification has become one of the leading credentials for the management side of information security, with over 27,000 credentials awarded. The CISM credential recognizes individuals who design, develop and oversee an enterprise's information security. With the CISM credential under your belt and the right experience, you can be considered for jobs like senior information security manager, chief security officer (CSO), or security consultant or trainer.

The exam focuses on topics such as information security governance, information risk management and compliance, information security incident management, and information security program development and management.

To achieve the CISM certification, candidates must pass a 200-question exam, provide proof of work experience (a minimum of five years of professional-level information security; three years must be as a security manager in at least three of the job practice areas) and complete the application. Reported experience must be current (within 5 years of passing the exam or within 10 years preceding the application).

The exam covers four job practice areas:

  • Information security governance (24 percent)
  • Information risk management and compliance (33 percent)
  • Information security program development and management (25 percent)
  • Information security incident management (18 percent)

If you're a bit shy on the information security work experience requirement, a current CISA, Certified Information Systems Security Professional (CISSP) or postgraduate degree substitutes for two years of experience. The SANS Global Information Assurance Certification (GIAC), CompTIA Security+, Microsoft Certified Systems Engineer (MCSE), Disaster Recovery Institute Certified Business Continuity Professional (CBCP) or ESL IT Security Manager credentials count as one year of experience. Other substitutions apply as well.

CGEIT Certification

Although not large in numbers (6,000 and counting), folks who have achieved the Certified in the Governance of Enterprise IT (CGEIT) certification hold senior-level positions like chief information security officer and chief risk assurance officer. The CGEIT is designed for professionals who are deeply entrenched in enterprise governance and assurance. They know how to align business with IT, follow best practices and standards for IT operations and governance, manage IT investments, and foster environments that continuously improve on processes and policies.

The CGEIT exam has five domains that cover:

  • IT governance framework (25 percent)
  • Strategic management (20 percent)
  • Benefits realization (16 percent)
  • Risk optimization (24 percent)
  • Resource optimization (15 percent)

To achieve the CGEIT certification, candidates must pass a 150-question exam, provide proof of work experience (a minimum of five years of professional-level enterprise management, or serving in an advisory or governance support role) and complete the application.

The work experience requirement for the CGEIT is more specific than for other ISACA certifications. One year of experience must be related to enterprise IT governance frameworks, and the other years must be related to strategic management, benefits realization, risk optimization or resource optimization (pick two). College instructors who teach IT governance-related subjects can count two full-time years toward every one year of the CGEIT work requirement.

CRISC Certification

More than 18,000 people have earned the Certified in Risk and Information Systems Control (CRISC) credential, which identifies IT professionals who are responsible for implementing enterprise-wide information risk management programs. Many organizations prefer or require candidates for certain positions to have CRISC certification, such as security operations center analyst, security engineer architect, senior information technology auditor and many more.

The CRISC exam has four domains, which play an important role in determining eligibility for the cert:

  • Risk identification (27 percent)
  • Risk assessment (28 percent)
  • Risk response and mitigation (23 percent)
  • Risk and control monitoring and reporting (22 percent)

To achieve the CRISC certification, candidates must pass a 150-question exam, provide proof of work experience (a minimum of three years of cumulative, professional-level risk management and control, and perform the tasks of at least two CRISC domains), and complete the application.

Unlike other ISACA certifications, you can't substitute education or other certifications for the work experience requirement. ISACA gives you up to 10 years to gain experience after applying for certification or five years from the date you passed the exam.

ISACA Certification Ladder

While ISACA has no formal certification ladder, where one certification is a prerequisite for a higher level cert, we suggest a progression of certifications for the candidate on the CIO, CSO, CTO or CEO path.

Acquiring the CISM first, then the CGEIT, and finally the CRISC would prove to be both potent and valuable in the workforce. The CISM is great for general security management in the enterprise, and the CGEIT and CRISC certifications cover the governance and risk side. Remember, these certifications have stringent experience requirements rather than simply verifying that you passed an exam, so the hard work and "seasoning" are done by the time you achieve certification.
