
CISA Prerequisites & Eligibility

The CISA is a gated certification: before ISACA awards it you must show five years of information-systems audit, control, or security experience. The good news is that substitutions can waive up to three of those years, and you are free to pass the exam first. Here is exactly what counts, what gets waived, and how to know if you qualify yet.

At a glance:

  • Formal prerequisites: yes (experience, independently verified by ISACA)
  • Experience required: 5 years
  • Waivers: up to 3 years
  • Field: information-systems audit, control, or security
  • Pass-first window: 5 years from the exam date to submit experience

01 The short answer

To earn the CISA you need a minimum of five years of professional experience in information-systems auditing, control, or security. Up to three of those years can be waived through education and related-experience substitutions, so the irreducible core is at least two years of direct IS audit, control, or security work. There is no education prerequisite to sit the exam — you can pass first and submit your verified experience later.

This is what separates the CISA from a book-it-and-sit IT exam. The exam itself is open to anyone, but the certification is gated behind experience that ISACA independently verifies. The five-year rule is the headline; the substitutions and the pass-first window are what make it achievable for people who are not quite there yet.

Five years of IS audit / control / security work (required)

Professional experience in information-systems auditing, control, or security — substitutions can cover up to three years, leaving a minimum of two direct years.

Verified, recent experience (required)

Your experience must be independently verified by employers and gained within the last ten years (or within five years of passing the exam).

A passing exam result (recommended first)

You can register and pass the exam before you have the full five years — ISACA then gives you five years to submit the experience.

02 The experience requirement and its waivers

ISACA lets you substitute a maximum of three of the five required years using education and related experience. The remaining two years must always be direct information-systems audit, control, or security work — that part can never be waived. These are the standard substitutions; each line below waives the years shown.

Substitution and years waived:

  • One year of general information-systems experience (non-audit IS/IT work) OR one year of non-IS auditing experience (financial or operational audit): 1 year. Only one of these two can be claimed; together they waive a maximum of one year, not one year each.
  • Two-year degree or 60 completed university semester credit hours: 1 year
  • Four-year degree or 120 completed university semester credit hours: 2 years (an alternative to the two-year credit for the same education, not additional to it)
  • Master's degree in information security or information technology from an accredited university: 1 year
  • Full-time university instructor in a related field: 1 year for every two years taught

The waivers stack, up to a ceiling. You can combine substitutions (say, a four-year degree for two years plus one year of general IS experience for a third), but the total waived can never exceed three years. So even with the maximum stack, you still owe at least two years of hands-on IS audit, control, or security experience.

Don't assume a substitution applies; confirm it. ISACA periodically updates its substitution list, and exact credit can vary by case. Treat the figures above as the standard published guidance and verify your specific path against ISACA's current experience requirements before you apply.

03 What counts as qualifying experience

The two years that can never be waived must be genuine information-systems audit, control, or security work. Here is what typically qualifies — and the verification rule that applies to all of it.

IS auditing roles (counts)

Planning, performing, or reporting on audits of information systems, IT general controls, or application controls — the core of the credential.

IS control and assurance work (counts)

Designing, implementing, or evaluating controls, risk, and governance over information systems, including IT risk and compliance roles.

Information-security roles (counts)

Security operations, governance, and protection of information assets fall within the audit, control, or security scope ISACA recognises.

Employer verification (mandatory)

Every year you claim must be confirmed in writing by an employer or supervisor — self-attested experience is not accepted.

Map your experience to the CISA domains. When you describe each role on the application, frame it against the CISA job-practice areas — auditing, governance, systems acquisition, operations, and protection of assets. Reviewers look for work that fits those domains, not just any IT job title.

04 The path from exam to certified

Because the exam and the experience are decoupled, most candidates pass first and complete the experience afterwards. Here is the full sequence.

1. Pass the exam. Register and sit the CISA exam; no experience is required to take it.

2. Gain and verify five years. Accumulate the experience (less any waivers) and get it confirmed in writing by employers.

3. Apply for certification. Submit the certification application to ISACA with your verified experience and substitutions.

4. Pay and maintain. Pay the certification and annual maintenance fees, agree to the CPE policy, and you are CISA-certified.

Mind the five-year clock. Once you pass, you have five years to apply for certification with the required experience. Miss that window and you have to retake the exam, so plan your experience-gathering against the date you passed.

05 Do you qualify for the CISA yet?

Where you sit depends on how much qualifying experience you already have once the waivers are applied.

You can apply for full CISA

  • You have five years of IS audit, control, or security experience — including any waivers
  • At least two of those years are direct, non-substituted IS audit/control/security work
  • All of it falls within the last ten years and can be employer-verified
  • You have passed (or are about to pass) the exam

Pass the exam first

  • You are short of the five years even after applying the substitutions
  • You are early in an IS audit, control, or security career
  • Sit and pass the exam now — it needs no experience
  • Then gain and submit the required experience within five years of passing

Bottom line: the five-year rule is what gives the CISA its weight, but it is far more flexible than it first appears. Up to three years can be waived, and you never have to wait to sit the exam. Pass first, qualify in parallel.

06 FAQ

What are the prerequisites for the CISA certification?

The CISA requires a minimum of five years of professional experience in information-systems auditing, control, or security. There is no formal education prerequisite to sit the exam, but the experience is mandatory before ISACA will award the certification. Substitutions can waive a maximum of three of the five years: for example, a four-year university degree waives two years, and one year of either general IS experience or non-IS auditing experience waives one year (this pair is capped at one year combined, not one year each). Your experience must be verified and gained within the ten years before you apply, or within five years of passing the exam.

Can you take the CISA exam without experience?

Yes. You do not need to meet the experience requirement before sitting the CISA exam — anyone can register and take it. The five years of information-systems audit, control, or security experience is required only to be awarded the certification. ISACA gives you five years from the date you pass to gain and submit the verified experience, so passing the exam first is a common and accepted route.

How much experience can be waived for the CISA?

ISACA allows substitutions for a maximum of three of the five required years, so at least two years must be direct information-systems audit, control, or security experience. Common substitutions include one year for either general information-systems experience or non-IS auditing experience (a combined maximum of one year), one year for a two-year degree or 60 university semester credit hours, two years for a four-year degree or 120 credit hours, one year for a master's degree in information security or IT, and one year for every two years spent as a full-time university instructor in a related field.

Does CISA experience have to be recent?

Yes. The qualifying experience must be verifiable and must have been gained within the ten years preceding your application for certification, or within five years of the date you passed the exam. Experience older than that window does not count, and all of it must be independently verified by your employers before ISACA grants the certification.

ExamCert Team: certified audit and security professionals helping you qualify and pass.