7.4 After the Exam and Next Steps
Key Takeaways
- Passing the exam is not the same as certification; you must verify five years of qualifying IS audit, control, assurance, or security experience.
- Substitutions and education waivers can offset a maximum of three of the five years, with documented caps.
- You must apply for certification within five years of passing the exam, or the passing score expires.
- Maintaining CISA requires 20 CPE hours minimum each year and 120 CPE hours over the rolling three-year cycle, plus the annual maintenance fee.
- If you do not pass, you may retake the exam up to four times in a rolling 12-month window and use the domain score report to target study.
Passing the Exam vs. Earning the Credential
A passing exam score is necessary but not sufficient to use the CISA designation. ISACA grants the certification only after you verify relevant work experience: a minimum of five years of professional experience in information systems auditing, control, assurance, or security. The experience must generally be gained within the ten years before your application or within five years of passing the exam.
ISACA allows substitutions for up to two or three of the five years, subject to documented caps. Examples of recognized substitutions:
| Substitution | Years waived (capped) |
|---|---|
| 60-120 university semester credit hours | 1-2 years |
| Bachelor's or master's degree (relevant field) | up to 2 years |
| One year of information systems experience | 1 year (max) |
| One year of non-IS auditing experience | 1 year (max) |
| University instructor (relevant field) | 1 year per 2 years of full-time teaching |
The core takeaway: experience substitutions are capped so that you must still demonstrate genuine, verified hands-on IS audit/control/security work. A current employer or supervisor typically attests to your experience on the application.
Apply Within Five Years
Your passing exam score is valid for five years. You must complete the certification application — including experience verification and the certification fee — within that five-year window. If you let it lapse, the passing score expires and you would have to retake and pass the exam again before you could apply. So even if you are still accumulating experience, track the deadline and submit as soon as you meet the requirement.
Once certified, you agree to ISACA's Code of Professional Ethics and the CISA Continuing Professional Education (CPE) policy. Failing to meet ethics or CPE obligations can lead to revocation, so treat the credential as an ongoing commitment rather than a one-time achievement. Keep copies of your official score report, application confirmation, and certification certificate.
Maintaining CISA and Handling a Retake
To keep CISA active, you must meet Continuing Professional Education requirements: a minimum of 20 CPE hours annually and a total of 120 CPE hours over each rolling three-year reporting period, plus payment of the annual maintenance fee. CPE comes from training, conferences, ISACA chapter events, teaching, and qualifying self-study; you must retain documentation because ISACA conducts annual CPE audits of a random sample of certified professionals. Missing the annual 20-hour floor or the three-year 120-hour total puts the credential at risk.
If the on-screen status and official email show you did not pass, the path forward is structured:
- You may retake the exam up to four times within a rolling 12-month period from your first attempt, observing the required waiting period and re-registering for each attempt.
- Use the domain-level score report ISACA provides to see exactly which domains pulled you below 450 — almost always a weak Domain 4 or 5 given their 26% weights.
- Rebuild your study plan around those domains, redo full-length timed simulations, and re-drill the most-tested anchors (ITAF and risk-based planning, COBIT governance, SDLC controls, RTO/RPO and recovery sites, access control and cryptography).
Whether you pass or retake, connect CISA to the next move — a role in IT audit, GRC, or security assurance, or a complementary credential like CISM or CRISC — so the effort compounds into a career, not a one-off certificate.
Earning and Documenting CPE Hours
The CPE obligation is easy to satisfy if you plan it across the year instead of scrambling before the December deadline. One CPE hour generally equals 50 minutes of qualifying activity. Qualifying sources include ISACA training and webinars, ISACA chapter meetings, vendor and industry conferences, formal college courses, teaching or presenting (which can also count for preparation time), publishing articles, and qualifying self-study. Spreading roughly 40 hours per year comfortably clears the 20-hour annual floor and builds a cushion toward the 120-hour three-year total.
Documentation discipline is what protects you in an audit. For each activity, retain the certificate of attendance or completion, the agenda or course description, the date, and the number of hours claimed, and record them promptly in your ISACA profile. ISACA audits a random sample of certification holders each year, and being unable to substantiate claimed hours is treated as not having earned them — which can jeopardize the credential. Pay the annual maintenance fee on time as well; lapsing on fees is a common, avoidable cause of losing the certification.
Turning a Pass into Momentum
A fresh CISA pairs naturally with adjacent ISACA credentials. CISM targets information security management and governance, CRISC targets IT risk and controls, and CGEIT targets enterprise IT governance — all of which reuse the COBIT, risk, and controls foundation you just mastered. Because ISACA lets a single qualifying activity count toward multiple certifications' CPE in some cases, stacking credentials can make ongoing maintenance more efficient.
Set a concrete next milestone within a few weeks of passing, while the study habit and the material are still warm, so the certification becomes a launch point rather than a finish line. Update your resume and ISACA profile to reflect the credential, and note your CPE start date so the first annual reporting cycle does not catch you unprepared.
A candidate passes the CISA exam but has only three years of qualifying experience. Under ISACA's policy, what is true?
What is the CISA Continuing Professional Education (CPE) requirement to maintain the credential?
A candidate fails the CISA exam on the first attempt. How many total attempts are permitted within the rolling 12-month window, and what tool best guides the retake plan?