
ISACA Certification Guide: Overview and Career Paths

Anyone interested in a career in IT governance, risk assessment, systems auditing and security management should check out the certifications offered by ISACA. ISACA is a global nonprofit association focused on IT governance. The organization was formerly known as the Information Systems Audit and Control Association, but now goes by ISACA to "reflect the broad range of IT governance professionals it serves."

In 1967, ISACA was formed by a group of like-minded individuals seeking centralized information and guidance regarding computer system auditing. Today, ISACA has more than 200 membership chapters in over 185 countries, with more than 140,000 members. In addition to its membership, ISACA boasts more than 15,000 nonmembers who hold ISACA credentials. ISACA also offers professional certifications, publishes the ISACA Journal and hosts conferences worldwide.

ISACA offers four professional certifications geared toward information systems auditors, risk management and IT governance professionals, and managers:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified in Risk and Information Systems Control (CRISC)

A fifth certification – the CSX Practitioner, or CSX-P – was introduced in 2015 and falls outside the general framework that applies to the four credentials mentioned above. It aims at security practitioners who plan for, respond to and deal with security incidents. The CSX-P and its parent program will be described and explored in a later section of this article.

ISACA requires candidates to pass a written exam for each of its four primary certifications, and exams are offered only three times a year. You must also adhere to the ISACA Code of Professional Ethics and agree to meet continuing professional education requirements.

To maintain certification, credential holders must earn 120 continuing professional education (CPE) credits during a three-year period following certification or after renewal (earning a minimum of 20 CPEs annually) and pay an annual maintenance fee ($45 for members and $85 for nonmembers). Otherwise, certification holders must retake the exam to retain their certified status.

The American National Standards Institute (ANSI) has accredited the CISA, CISM, CGEIT and CRISC credentials as meeting ISO/IEC 17024 General Requirements for Bodies Operating Certification Systems of Persons. ISO/IEC 17024 specifies requirements that organizations must follow when certifying individuals against specific requirements.

The focus of IT governance in enterprise organizations is to ensure that IT resources and systems are utilized effectively to meet business goals. IT governance professionals must have a good understanding of how (and why) to align IT goals with those of the organization. This involves strategic management, risk management and resource optimization, all of which are part of preparation for the CGEIT credential.

If you have experience as an information systems auditor and want to move up (or over), consider acquiring the Certified Information Systems Auditor (CISA) certification. The CISA credential recognizes individuals who are skilled in the auditing, control and assurance of enterprise IT systems. The CISA is by far the most popular ISACA certification, with more than 115,000 credentials granted since the program began.

As of the June 2016 CISA exam, ISACA implemented these five domains as its job practice areas:

  • Process of auditing information systems (21 percent)
  • Governance and management of IT (16 percent)
  • Information systems acquisition, development and implementation (18 percent)
  • Information systems operations, maintenance and service management (20 percent)
  • Protection of information assets (25 percent)

To achieve the CISA certification, candidates must pass a 150-question exam, provide proof of work experience (a minimum of five years of professional-level information systems auditing, control or security) and complete the application.

ISACA lets candidates substitute education for some work experience. For example, a two-year or four-year degree counts toward one or two years, respectively, of work experience.

The Certified Information Security Manager (CISM) certification has become a leading credential for the management side of information security, with more than 27,000 such credentials awarded. The CISM recognizes individuals who design, develop and oversee an enterprise's information security.

The exam focuses on topics such as information security governance, information risk management and compliance, information security incident management, and information security program development and management.

To achieve CISM certification, candidates must pass a 200-question exam, provide proof of work experience (a minimum of five years of professional-level information security; three years must be as a security manager in at least three of the job practice areas) and complete the application. Reported experience must be current (within five years of passing the exam or within 10 years preceding the application date).

The exam covers four job practice areas:

  • Information security governance (24 percent)
  • Information risk management and compliance (30 percent)
  • Information security program development and management (27 percent)
  • Information security incident management (19 percent)

If you're short on the information security work experience requirement, a current CISA, Certified Information Systems Security Professional (CISSP) or postgraduate degree substitutes for two years of experience. The SANS Global Information Assurance Certification (GIAC), CompTIA Security+, Microsoft Certified Systems Engineer (MCSE), Disaster Recovery Institute Certified Business Continuity Professional (CBCP) or ESL IT Security Manager credentials count as one year of experience. Other substitutions also apply.

Although relatively few people hold it (6,000 and counting), those who have achieved the Certified in the Governance of Enterprise IT (CGEIT) certification hold senior-level positions in their organizations. The CGEIT is designed for professionals who are deeply entrenched in enterprise governance and assurance. They know how to align business with IT, follow best practices and standards for IT operations and governance, manage IT investments, and foster environments that continuously improve on processes and policies.

The CGEIT exam has five domains:

  • IT governance framework (25 percent)
  • Strategic management (20 percent)
  • Benefits realization (16 percent)
  • Risk optimization (24 percent)
  • Resource optimization (15 percent)

To achieve CGEIT certification, candidates must pass a 150-question exam, provide proof of work experience (a minimum of five years of professional-level enterprise management, or serving in an advisory or governance support role) and complete the application.

The work experience requirement for the CGEIT is more specific than for other ISACA certifications. One year of experience must be related to enterprise IT governance frameworks, and the remaining years must be related to two of the following areas: strategic management, benefits realization, risk optimization or resource optimization. College instructors who teach IT governance-related subjects can count two full-time years of teaching toward every one year of the CGEIT work requirement.

More than 18,000 people have earned the Certified in Risk and Information Systems Control (CRISC) credential. This certification identifies IT professionals who are responsible for implementing enterprise-wide information risk management programs.

The CRISC exam has four domains, which play an important role in determining eligibility for the cert:

  • Risk identification (27 percent)
  • Risk assessment (28 percent)
  • Risk response and mitigation (23 percent)
  • Risk and control monitoring and reporting (22 percent)

To achieve the CRISC certification, candidates must pass a 150-question exam, provide proof of work experience (a minimum of three years of cumulative, professional-level risk management and control, and perform the tasks of at least two CRISC domains) and complete the application.

Unlike with other ISACA certifications, you can't substitute education or other certifications for the work experience requirement. ISACA gives you up to 10 years to gain experience after applying for certification or five years from the date you passed the exam.

While ISACA has no formal certification ladder, where one certification is a prerequisite for a higher-level certification, we suggest a progression of certifications for candidates on a C-level executive path aiming at CIO, CSO, CTO or CEO. As security, risk and governance credentials, ISACA's offerings probably work most directly toward CIO and CSO roles.

Acquiring the CISM initially, then the CGEIT, and finally the CRISC would be both potent and valuable in the workforce. The CISM is great for general security management in the enterprise, and the CGEIT and CRISC certifications cover the governance and risk side. Remember, these certifications have stringent experience requirements beyond simply passing an exam, so the hard work and seasoning are done by the time you achieve certification.

In 2015, ISACA launched a new certification venture called the Cybersecurity Nexus, abbreviated as CSX. ISACA plans to add specialist and expert credentials to its list of offerings; currently, the single CSX credential available is the CSX Practitioner, or CSX-P.

The CSX-P credential recognizes individuals who can act as first responders for security incidents. These professionals can follow established procedures and defined processes, and work primarily with known problems on a single system. Candidates must demonstrate skills and knowledge in working with firewalls, patching and antivirus responses, and be able to implement common security controls, perform vulnerability scans, and complete basic threat and breach analysis tasks.

Requirements for the CSX-P include passing a four-hour, performance-based exam available through Prometric testing centers. As with other ISACA certifications, holders of the CSX-P must adhere to the organization's code of ethics and comply with its continuing education and retesting policies. Here is where a major departure from other ISACA credentials occurs: CSX-P holders must accrue 30 CPE hours annually, 24 of which must involve skill-based training or labs, plus six more hours in traditional training activities. In the third year, a CSX-P holder must retake and pass the current exam for this credential. See the CSX-P CPE Policy document for further details.

The CSX certifications cover five domains, all related to security incident handling and response:

  1. Identify (13-15 percent)
  2. Protect (33-37 percent)
  3. Detect (21-25 percent)
  4. Respond (16-18 percent)
  5. Recover (10-12 percent)

The CSX-P's use of performance-based testing means that candidates are faced with simulated security incidents or situations and must conduct analyses, make diagnoses, or perform various repairs and responses to address them. The credential's three-year testing interval also stresses current, hands-on working skills and knowledge of best professional processes and practices.

The CSX-P has not been available long enough to register significantly on the jobs radar. However, it's starting to garner inclusion in job postings and gaining traction with employers and IT professionals alike.

The CISA aims clearly and directly at the job of security auditor, a person whose job is to investigate, analyze and report on the security policies, security infrastructure, security tools and technologies, and actual security practices and procedures in modern organizations. They may be involved with ongoing security departments within the organizations that employ them (inward-focused) or work for audit firms that conduct security audits per se, or in the context of compliance reviews for such regimes as HIPAA, Sarbanes-Oxley and PCI DSS.

With a CISM credential under your belt and the right experience, you can fill a variety of security management roles. A CISM might be considered for jobs such as (senior) information security manager, director of information or cybersecurity, chief security officer (CSO), or security consultant or trainer.

Individuals who hold the CGEIT typically fill senior, executive-level jobs such as chief information security officer and chief risk assurance officer. Also, IT governance typically falls within the chief information officer (CIO) or chief technology officer (CTO) roles, or their direct reports – often called enterprise architects or security architects – who oversee prioritization and implementation of IT initiatives.

Many organizations prefer or require candidates for certain positions to hold CRISC certification. Typical positions that call for CRISC include security operations center analyst, security engineer, security architect and senior information technology auditor.

Those who earn the CSX-P and who might climb that emerging certification ladder are out-and-out security practitioners. Such individuals are most likely to work as security analysts, senior security analysts, incident responders, incident handlers and so forth. As individuals climb the CSX ladder, they would move into more senior positions in IT security or IT security management.

ISACA offers official curriculum training to its member organizations and through a variety of training partnerships. The organization also maintains an official press that publishes study guides for its four primary certifications (at present, no such publication is available for the CSX-P). Links to official training courses are available on each of the individual certification pages (including the CSX-P, which also includes access to online virtual labs for hands-on practice and learning as part of those offerings).

ISACA also operates its own online bookstore, where links to resources for the various exams are easily accessible. Those resources include exam review manuals and review questions for the four primary credentials, and study guides for the CSX Security Fundamentals as well.

The aftermarket for ISACA certifications is vigorous, in keeping with the popularity and perceived value of those credentials. The best-known credentials – namely the CISA and the CISM – receive the lion's share of attention and coverage, but you can find study guides and practice tests for CGEIT and CRISC as well. Aftermarket coverage for the CSX-P, however, still falls into the slim-to-none category, primarily because that credential is so new and mostly still unknown and unrecognized in the marketplace.

Ed Tittel

Ed is a 30-year-plus veteran of the computing industry, who has worked as a programmer, a technical manager, a classroom instructor, a network consultant and a technical evangelist for companies that include Burroughs, Schlumberger, Novell, IBM/Tivoli and NetQoS. He has written for numerous publications, including Tom's IT Pro, and is the author of more than 140 computing books on information security, web markup languages and development tools, and Windows operating systems.