CISA exam passed, now the required experience

Update: I published a new post with the most frequently asked questions on this post.

Back in the summer of 2013, I was interested in passing the CISA exam even if I could not obtain the certification without experience. This was a way for me to demonstrate my interest in IT audit to future potential employers. I thought that I could have done the exam in December 2013, but I wasn’t sure enough that I was ready to pass the exam and, considering the cost, I preferred to wait until the next date. Furthermore, it is possible to sit for this exam only three times per year, in June, September and December; this is the same exam everywhere in the world at the same time. On June 14, 2014, this was finally the date and I sat for the CISA exam here in Montreal.

I’m not sure yet how to explain this experience. I read a lot on the Internet about others’ experiences and how I could prepare myself for this day. People have normally read many books to study for this exam. For me, I really tried to read the official manual from ISACA and, to be honest, I was sleeping on it after only the first few pages. However, I practiced many hours with the CISA Review Questions, Answers & Explanations Database which, in my opinion, is the best resource that someone could use to study for this exam. Even though I didn’t have any experience in IT audit and had not read a book related to the CISA, my past technical experience in IT was really useful, as was the knowledge from my different degrees.

This is certainly an exam that requires a really broad set of general IT knowledge. The true challenge with this exam is to learn how to think like ISACA and their kind of questions. Of course, an exam with answer choices seems really simple to pass, but the right answer is always the best answer according to ISACA. It is easily possible to eliminate two of the four choices, but the last two choices are always confusing because some choices could be the right one from a technical point of view but not from an IT audit perspective. This is not the hardest exam, but stupid mistakes could rapidly occur during a four-hour exam with 200 questions.

Now that I have passed the exam, I have to fulfill the experience requirements to officially obtain the CISA certification. Five years are normally required with tasks related to the five CISA domains, but waivers of as much as three years are possible when a candidate has prior education, experience or other certifications. In my case, my bachelor’s and graduate degrees, with general IT work experience, will waive up to three years.

63 responses to “CISA exam passed, now the required experience”

  1. Mohammad Khan says:

    Hi Jean

    I have passed my computer based CISA exam and need to have 5 years experience in order to gain the CISA certification.

    I am a Chartered Accountant and can forensic accounting be a good starting point for the CISA certification?

  2. Rathinavelu says:

    Hi Jean,

    Please suggest.

    I’ve passed the CISA examination. I’ve done my bachelor of science in regular and MCA in correspondence (distance education). I’ve done ISO 27001 LA, Certified Ethical Hacker v8 in 2013, COBIT 5 in 2018, ITIL in 2016, ISO 9001 & 14001. I have been working as CISO since 2016. So could you please tell me how many years of experience I should show? Will ISACA accept my experience to proceed with certification?

  3. […] to obtain one year less depending on studies and other certifications. I also had a similar situation with the CISA where there is a requirement of 2 to 5 years of experience […]

  4. […] possible depending on previous academic experience and other certifications. I also had a similar situation with the CISA where there is a 2 to 5 year […]

  5. Matt says:

    Hi Jean,

    I passed the CISA exam recently. I also obtained the CISM certification earlier in the year. My background for the past 2 years is in information security, but before that I spent 8 years in IT working in support, infrastructure and sys admin roles. I have very limited experience in the audit world, however. Does my experience above qualify me to submit my application for the CISA certification? I also have a 2:1 bachelor’s degree with honors, if that helps.

    Many thanks


  6. Muthiah g says:

    Hi Jean,

    I did my master’s in information security and have 2 yrs of work experience in a BPO firm. Currently I am working in one of the CISA domains.
    So how many yrs of experience do I still need to earn to get CISA certified?

  7. […] August 2014, I published a post about my experience with the CISA exam and the required experience. Even 3 years later, it is still the most popular […]

  8. Mani says:

    Hi Jean, I am planning to appear for the CISA exam at the end of 2018.
    I have 16 months of IT experience (software development). I am an information security aspirant. To gain experience of what IT is and its processes, I worked in software development. If I start preparing now for the CISA exam, what difficulties may I face with no audit / IT audit experience? What are the ways to overcome those difficulties?

  9. Karthick Udayakumar says:

    I have seven years of experience in the IT field as a QA Analyst [Manual Testing]. I have planned to switch my career from Assurance to the Information Security domain. I also don’t have any experience in auditing. Guide me on the following points:

    Is it okay to take the CISA certification? If not, what should I start with in order to change my career towards Information Security?

    If it is okay to take CISA, how do I need to approach getting the relevant experience in the CISA domains?

    How much waiver will I get for the CISA certification [at present 7 years of IT experience as a manual tester]?

    With respect to the CISA certification, what are all the roles I can apply for?

    Do I have scope if I don’t have CISA auditing experience but have cleared the CISA examination?

    • Jean-Philippe Rivard Lauzier says:

      1. It is not always simple to begin a career in information security. The CISA certification is an IT audit certification. For me, I started in IT audit since it was where it was possible to start, which is close enough to information security. In IT audit, you have information security controls and you talk about IT risks. You could also do a certification like SSCP or Security+.

      2. Read about each CISA domain, and you will see that you don’t necessarily need to be an IT auditor to obtain the experience. However, the easy way is to do classic IT audit.

      3. Your IT experience is valid for a 1-year waiver for general IT experience. After that, you could probably have a 1-2 year waiver depending on your academic background.

      4. I would recommend that you search on a website like Indeed for “CISA” and you will see the different roles. However, even if CISA is sometimes requested for an information security role, I would not personally hire someone with a CISA for an information security position. CISA is for IT audit, compliance, risk, governance, etc. But it is just a certification; you don’t learn the job with a certification. A certification is mainly to pass the HR checklist.

      5. You are able to pass the CISA exam without the experience and you would need the required experience in the following 10 years.

  10. devchand says:

    Hi there, I intend to do the CISA exams next year. I have a 4-year BTech degree and have worked as a senior internal auditor with over 10 years of experience. I wanted to find out whether I will qualify for the 3-year waiver: 1 year for my experience and 2 years for my degree.

    Then I am left with 2 years of experience to get. I think that having passed the CISA exams, it will be easy for me to find a job in the IT audit field given my past experience and education.
    Please advise?

    • Jean-Philippe Rivard Lauzier says:

      I think you will be fine and obtain the 3-year waiver. “Non-IS auditing experience” seems to be all other audit experience. With 10 years working in internal audit, you will find something in IT audit without any problem. I would even try right now if I were you…

  11. Maria Rogers says:

    Hi Jean I have passed the exam and have a bachelors in computer engineering so that waives 2 years. I only have 1 year and 10 months of experience in IT auditing however. Can I still submit an application? I am still working at the job and will have the necessary experience soon enough but their wording confused me a bit so I wasn’t sure if I had to wait to apply until I had the 3 Years.
    Thank you!

    • Jean-Philippe Rivard Lauzier says:

      You have to send your application when you have all the required experience. Don’t forget that you can also have a 1-year waiver if you have worked in IT before.

  12. Mohammad Khan says:

    Hi Jean,
    I am a Chartered Certified Accountant from the UK, having no real IT audit experience. I would like to break into this field. Can you advise me how I can gain the relevant work experience? It is extremely important even if one sits and passes the exams. I plan to appear for CISA in December 2017. I am working full time, so it is not possible to go for an internship during the weekdays, leaving weekends as the only viable option for me. Please help!!!

    • Hi Mohammad – Passing the exam will be the first step to show your interest in this field. I would recommend reviewing all CISA domains and validating whether you are maybe already performing some tasks in your current position. Once the exam is passed, you could look for a position in IT audit. Many IT audit positions are not deeply technical and they will look for a certified accountant and/or CISA. You should not have a problem finding a position in this field since you already have auditing experience.

      • Mohammad Khan says:

        Hi Jean,

        Thanks for your reply.

        Getting your first job is always tough as the employers are always looking out for guys with solid work experience relating to the 5 domains. I don’t think I perform any of these tasks in my current workplace, but you are right that I need to get the exam out of the way first.

        Do you think that I should get registered with these recruitment agencies as soon as I pass so I can get headhunted more easily? What should be the first stepping stone?

        Kind Regards

        • It depends on your previous work experience. In my opinion, these recruitment agencies are more looking for people with some experience (3 years and more). Since you are a CPA, maybe you could find a job as an internal auditor, and most organizations also have IT internal auditors; you could switch after a few months. There are many positions related to IT audits that don’t really require deep technical knowledge and they often hire accountants. I would say that it is often more important to know how to audit in general. Obviously, it’s a start, there are also many positions related to a CISA that would be more technical.

  13. Hi Nitigya! Your tasks related to ISO 27001 compliance will be counted in your CISA experience. You don’t actually need to perform IT audit to have valid experience. You need experience related to the CISA domains. Per my understanding, ISACA will review your application and validate that your tasks are aligned with the CISA domains. ISACA will be randomly selecting CISA holders for a more detailed audit, but I am not sure about this process.

  14. Nitigya Sharma says:

    Hi Jean,
    This was a really informative article.
    Could you please tell me how one can prove that he has gained experience in IS auditing?
    I am currently working as a DevOps Engineer but I am also solely responsible for internal auditing of my company for ISO 27K compliance.
    I have gone through the application form.

    But I do not understand how ISACA will verify the experience in auditing.

  15. Rishi Awasthi says:

    Hello Jean, thanks for the article. I have 32 months’ experience in Information Technology (as an engineer), a 4-year engineering degree in Computer Science, an MBA in IT Business Management (2 years) and 14 months’ experience in IT auditing (working in a Big 4). How many years’ waiver can I get from ISACA for CISA certification? Thanks in advance 🙂

  16. Sai Mohan says:

    Hi Jean,

    I am a Chartered Accountant in India. I don’t have a graduation degree. I am planning for the December 2017 CISA exam. I want to know the opportunities available in the USA, UK, Canada, etc., after my CISA certification and the average salary.

    Also, I am finding it difficult to join any organisation in India to get the required work experience. Can you suggest any company which is hiring, for getting the work experience?

    Appreciate your help. Thank you.

    • Hi Sai, I would suggest looking for different positions on Indeed and salaries on PayScale. There are many opportunities related to the CISA domains and any CISA holder is highly in demand, e.g. IT auditor, IT compliance, IT security, etc. For salaries, too many variables would influence this. It is not always simple to get the first job in that field, but it depends also on your background. I started in a Big4 (Deloitte, PwC) and I recently switched to work for a bank.

  17. siji varghese says:

    Hi Jean,
    Nice article. I need some advice on the certification front. I passed CISA in June 2017. I am a graduate with a B.Sc in computer science (3-yr course) and then an MCA, Master in Computer Application (3-yr PG course). In this case, do you think I am eligible for a 3-yr waiver? I have 10+ years of IT experience in various capacities like IT coordinator, engineer, administrator. I have also worked in some of the task areas mentioned as a requirement while preparing the org for SOX auditing. Do you think I can get certified? Please advise.

  18. Pritish says:

    Thanks for the article.
    I am an Indian CA and have done a 3-year graduation course through distance education.
    Can I get the CISA certificate?
    Also, what exemption can I realize?

  19. Tanvi Sharma says:

    Hi Jean,

    I passed the CISA exam in June and am waiting for official results.
    I am wondering if you can help with some certification questions.

    Bachelors of Business Management
    Masters of Science in Accounting


    10 months of IT internship
    1 year of internal Audit experience
    10 months of IT Jsox experience

    I switched my job after that
    And now currently working as IT Auditor with 2 months and counting

    How many years can I get waived and how many more would I need to get certified?

    The ISACA website isn’t very clear in its directions.

    Looking forward to hearing from you.

    • I would say that you have a 2-year waiver with your education since you probably did a minimum of 120 credits with your bachelor/master. You also have 1 year of experience in IT and non-IS auditing. So, you need 2 years of experience related to CISA domains. You already have 1 year (IT SOX/IT auditor). In my opinion, you would still need 1 year of experience before being eligible for the CISA certification. However, I would suggest that you read all CISA domains/activities and compare them with the tasks that you have performed during your internal audit experience. Maybe you could have a few more months… Contact ISACA or your local chapter since they are the only ones that would be able to confirm your experience at 100% 🙂

  20. Prashanthi says:

    Hi Jean.. wonderful article.. I would like to seek your advice. I have passed the June 2016 CISA exam and have a computer science engineering degree, one year of experience in the IT field and around 2 years of experience in the banking sector. What kind of job profile should I be searching for next, as I took a career break due to personal reasons.. please guide me

    • Well, since you have passed the CISA exam, you could try to find a job related to IT audit/compliance in the banking sector. What kind of job did you do before in the IT field? You could find something related to your past experience and still be related to the CISA certification.

  21. Shayan Dey says:

    Hi Jean, such a wonderful article. I have a CA degree (equivalent to CPA)… so if I pass the CISA exam, can I get a job in IT audit based on the CISA exam passed? I mean, I will get the certification after 5 yrs, so will any employer hire me on the basis of just passing the exam? And what will be the proof that I can show my employer that I have passed the exam?

    • Passing the CISA exam will definitely help in your search for a job as an IT auditor, but it always depends on what you did before. Many jobs as an IT auditor will ask for a CPA and/or CISA. IT audit is also a really large field… You will have positions that are more IT/technical and others, more IT/business. But again, passing the exam is the first step in your commitment and shows that you have the basic knowledge in that field, so it is always good when it is time to search for a job. Obtaining the certification after the required experience proves that you have the actual experience performing IT audit. You will receive a letter from ISACA that will indicate your exam result.

  22. Milind Shinde says:

    Hi John,
    I have 12+ years of experience as an Oracle DBA and in programming. I have a bachelor’s degree in commerce. How many years of waiver will I get?

  23. Ammar Khan says:

    Dear John Phillipe, I completed my electronics engineering degree in Feb 2014. Since then I have been working as a web developer… so am I also eligible for the 3-year waiver?

  24. Grey is a Lie says:

    Hi, thanks for the article.

    I sat for the 2016 CISA exam and I’m very hopeful I will pass. I have a question with regard to filing for the waivers.

    I have 4 years IT experience and a Bsc in IT. From the CISA rules on substitutions and waivers, I believe I’m eligible for 3 years off.

    Question – Do I need to first get the 2 years IS Audit experience before I apply for the waiver or will I still be able to apply for the waiver so it’s in my “file” while I’ll still have 2 years of IS Audit experience pending? Thanks.

  25. Stephan N says:

    Thanks for the article. I have passed the CISA June 2016 exam, I have an MBA, and years of business and governance experience. Any recommendations for how to get started into IT Audit?

    • I am sure your governance experience will help you to obtain a job in that field. If you don’t have so much experience in IT, I met many auditors obtaining those technical skills on the field because the market needs IT auditors. Having the CISA already should get you a job interview. For example, when I got my first job in IT audit, I only had a few years in IT, but nothing in business or audit.

  26. Nelson Vivar says:

    Hi Jean,

    Wonderful article.
    I would like to seek your advice. I am planning to take the CISA exam but, to be honest, I don’t have enough experience.
    My bachelor’s degree was in Accountancy and I passed the CPA exam.
    My experience is 2.5 years as a fund accountant and 1 year as a project accountant.

    Would you have any advice?

    Thank you.

  27. mark says:

    Hi Jean, wonderful article. I have passed my CISA December 2015 exam. I don’t have any experience in IT audit but have bachelor’s and graduate degrees.
    I know I would need 2 more years of experience to qualify for the certification. I couldn’t find all the info I wanted on ISACA’s website.
    My question is: do I need to be an ISACA member and collect CPE hours before I get certified?

    • Congratulations, Mark! You don’t have to be an ISACA member before being certified or even after. However, I would recommend it since it is possible to receive many discounts on products and events. You will need to do CPE hours only once you are certified. For now, you just have to work toward your audit experience! In any case, I would recommend contacting ISACA to have an official response about your obligations.

  28. John says:

    Hi Jean, thanks for sharing your experience. Can you share how similar the practice questions were to the actual exam? Thanks.

    • The practice questions are really good to understand the structure of the CISA questions and how to answer them. Those questions cover many subjects that it’s possible to find in the exam, but it’s still necessary to learn about the new IT trends to be able to cover all topics.
