Certified Information Systems Auditor (CISA)

CISA (Certified Information Systems Auditor) is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in IS auditing, control and security. The CISA certification has been earned by more than 50,000 professionals since inception and has grown to be a globally recognized symbol of achievement.

The CISA Exam is offered in June and December each year. Costs are $410 USD for ISACA Members and $530 USD for non-members, with early registrations costing $360 USD for ISACA Members and $480 USD for non-members. A passing score is 450 or higher on a scale of 200 to 800. The exam consists of 200 multiple-choice questions drawn from the following content areas:

Content Area                          | % of exam | Description
--------------------------------------|-----------|------------------------------------------------------------
IS audit process                      | 10        | Provide IS audit services in accordance with IS audit standards, guidelines and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.
IT governance                         | 15        | Provide assurance that the organization has the structure, policies, accountability, mechanisms and monitoring practices in place to achieve the requirements of corporate governance of IT.
Systems and infrastructure life cycle | 16        | Provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance and disposal of systems and infrastructure will meet the organization's objectives.
IT service delivery and support       | 14        | Provide assurance that the IT service management practices will ensure delivery of the level of services required to meet the organization's objectives.
Protection of information assets      | 31        | Provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.
Business continuity and disaster recovery | 14    | Provide assurance that, in the event of a disruption, the business continuity and disaster recovery processes will ensure the timely resumption of IT services, while minimizing the business impact.

Recertification

The continuing professional education policy requires the individual to earn and submit a minimum of 20 CPE hours and to pay a maintenance fee each year. In addition, a minimum of 120 CPE hours must be earned and submitted during a fixed three-year certification period. To more easily meet the three-year cycle requirement of 120 hours, it is suggested that individuals earn an average of 40 CPE hours annually. Failure to comply with this policy will result in revocation of an individual’s certification.

More than 93 percent of all CISAs remain certified each year. This is an exemplary statistic that demonstrates the importance CISAs place on retaining the CISA credential.


Certified Information Security Manager (CISM)

The Certified Information Security Manager® (CISM®) certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise’s information security (IS). The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services. Individuals earning the CISM certification become part of an elite peer network, attaining a one-of-a-kind credential. The CISM job practice also defines a global job description for the information security manager and a method to measure existing staff or compare prospective new hires.

The CISM Exam is offered in June and December each year. Costs are $410 USD for ISACA Members and $530 USD for non-members, with early registrations costing $360 USD for ISACA Members and $480 USD for non-members. A passing score is 450 or higher on a scale of 200 to 800. The exam consists of 200 multiple-choice questions drawn from the following content areas:

Content Area                             | % of exam | Description
-----------------------------------------|-----------|------------------------------------------------------------
Information security governance          | 23        | Establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
Information risk management              | 22        | Identify and manage information security risks to achieve business objectives.
Information security program development | 17        | Create and maintain a program to implement the information security strategy.
Information security program management  | 24        | Oversee and direct information security activities to execute the information security program.
Incident management and response         | 14        | Plan, develop and manage a capability to detect, respond to and recover from information security incidents.

Recertification

The continuing professional education policy requires the individual to earn and submit a minimum of 20 CPE hours and to pay a maintenance fee each year. In addition, a minimum of 120 CPE hours must be earned and submitted during a fixed three-year certification period. To more easily meet the three-year cycle requirement of 120 hours, it is suggested that individuals earn an average of 40 CPE hours annually. Failure to comply with this policy will result in revocation of an individual’s certification.

Since its inception in 2002, more than 94 percent of all CISMs remain certified each year. This commendable statistic demonstrates the growing demand for qualified information security managers.


Copyright 1991-2010 by Genesis Engineering A.B.N. 73793186945