1.2 Eligibility, Application, and Scheduling

Key Takeaways

  • Full CISA certification requires five years of professional IS audit, control, assurance, or security work experience earned within the ten years before application (or up to five years after passing).
  • Up to three of the five years can be satisfied through defined substitutions, and a master's degree in IS or a related field waives three years.
  • You can pass the exam first and certify later; the experience does not have to be complete before you sit the exam.
  • Registration is continuous year-round, the eligibility window is 12 months, and you can book a PSI appointment as soon as 48 hours after paying.

Last updated: June 2026

Exam First, Certification Second

A crucial point many candidates miss: passing the CISA exam and earning the CISA designation are two distinct milestones. Anyone may register for and sit the exam — there is no prerequisite to test. The work-experience requirement applies only when you apply to be certified. You have five years from the date you pass to submit your certification application and document the required experience, so it is entirely normal to pass the exam early in a career and certify a year or two later.

The experience requirement

To certify, you must document a minimum of five years of professional experience in information systems auditing, control, assurance, or security. That experience must be gained within the ten years preceding the application or within five years of passing the exam. The experience must be verified by an employer, supervisor, or another qualifying source on the application.

Substitutions and Waivers

ISACA allows you to reduce the five-year requirement by a maximum of three years through the substitutions below — meaning at least two years must always be direct IS audit/control/assurance/security experience.

| Qualification | Experience credit | Cap |
|---|---|---|
| One year of general information systems experience | 1 year | 1 year |
| One year of non-IS auditing (e.g., financial, operational) experience | 1 year | 1 year |
| 60-120 university semester credit hours | 1 or 2 years | 2 years |
| Two years as a full-time university instructor in a related field | 1 year per 2 years | as applicable |
| Bachelor's or master's degree from an ISACA-aligned program | up to 1 year | 1 year |
| Master's degree in IS or a related field | 3 years | 3 years |

The biggest single lever is a master's degree in information systems or a related field, which waives a full three years on its own. Substitutions cannot stack past the three-year ceiling. So a candidate with a master's in IS plus two years of hands-on IS audit work meets the requirement; a candidate claiming a one-year IS substitution plus a one-year non-IS audit substitution plus a two-year degree credit is capped at the full three years and still needs two years of direct experience.

Code of ethics and CPE

Beyond experience, certification requires agreeing to the ISACA Code of Professional Ethics and the IS Auditing Standards, and committing to the continuing professional education program once certified.

Registering and Scheduling

CISA registration is continuous — there are no fixed testing windows, and you may register any time of year. After paying the registration fee (US$575 for members, US$760 for non-members), you receive a 12-month eligibility window in which to take the exam; if you do not test within that window the fee is forfeited.

The exam is delivered through PSI, ISACA's testing partner, and you choose between a physical PSI test center and a remote-proctored online session at the time of booking. Key scheduling facts:

  • You can book an appointment as early as 48 hours after payment.
  • Appointments open up to 90 days in advance; if your preferred date is further out, check back closer to the date.
  • Remote proctoring requires a quiet, private room, a working webcam and microphone, a stable internet connection, and a government-issued photo ID.
  • Bring a valid, unexpired government-issued photo ID whose name matches your registration exactly; no personal items or notes are allowed in the testing space.

Rescheduling and retakes

You can reschedule within your eligibility window subject to PSI's notice rules (fees may apply for late changes). If you do not pass, ISACA permits multiple retakes per year, each requiring a new registration and fee. Use the domain breakdown on your score report to target the retake rather than re-studying everything.

Continuing-education commitment begins at certification

When you submit the certification application you also agree to the ongoing continuing professional education (CPE) program — a minimum of 20 CPE hours each year and 120 hours over each rolling three-year cycle — plus an annual maintenance fee. It is worth planning for this obligation up front so the credential does not lapse shortly after you earn it; the maintenance requirements are covered in detail in the study-plan section.

Documenting and Verifying Experience

The experience portion of the application is where candidates most often stumble, so prepare it carefully. ISACA requires that your qualifying experience be independently verified — typically by a current or former supervisor, an HR representative, or another professional who can confirm the work. Each verifier signs off on the role, dates, and the nature of the IS audit/control/assurance/security duties.

A few practical rules govern how the years are counted:

  • The five years can be cumulative, not necessarily continuous, as long as they fall inside the ten-year look-back window or within five years after passing.
  • Substitution credits must each be documented with supporting evidence — a transcript for degree-based waivers, for instance.
  • The three-year substitution ceiling is hard: combine waivers however you like, but at least two years must be direct, verified IS audit/control/assurance/security work.

Application timing

Because you have five years after passing to apply, many candidates pass early and accumulate the remaining experience afterward. If you already meet the requirement when you pass, submit promptly — the designation is only conferred once ISACA approves the application and the verifier confirms the experience. Until then you may state that you have passed the CISA exam but you are not yet CISA-certified and must not use the designation.

Test Your Knowledge

A candidate holds a master's degree in information systems and has two years of direct IS audit experience. Do they meet the CISA experience requirement?

Test Your Knowledge

How soon after paying the registration fee can a candidate schedule a CISA testing appointment with PSI?

Test Your Knowledge

What is the maximum number of years of the five-year experience requirement that can be met through substitutions and waivers?
