The globally-recognized Certified Information Systems Auditor (CISA) certification shows knowledge of IT and auditing, security, governance, control and assurance to assess potential threats. As you can imagine, it’s very much in demand. It can also be confusing.

Is CISA certification related to the Cybersecurity and Infrastructure Security Agency?

CISA, the certification, is related to CISA, the federal agency, right?

Wrong.

It’s an easy assumption to make. Both use the CISA acronym. Both are involved in cybersecurity. However, they are not related to each other.

CISA, the federal agency, is the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security. It has existed only since 2018. Its mission is to protect the U.S. government from cyber attacks.

On the other hand, the CISA certification has existed since 1978. It was marking its 40th year when the federal agency using the same acronym was created.

A CISA-certified professional is someone who independently verifies security controls and advises management, the board and the audit committee if there is one. They can inform on policies, procedures, infrastructure and more, and on whether or not security issues are being addressed and what the risks are for not addressing them.

The benefits of a CISA certification

Beyond security officers, the CISA certification is also great for compliance analysts, program managers, risk analysts, data protection managers and IT consultants. The average salary for IT auditors with a CISA certification is $128,086 per year, according to ISACA — an average 22% pay increase right away — which is far more than non-certified auditors make.

The certification puts you in high demand right away. Major consulting firms, financial groups and other businesses seek it out.

In fact, the demand is so high that there are currently more job openings that require the CISA designation than there are people who hold the credentials. Because the demand is so high, those who have it can switch industries and pick the kind of organization they would like to work for.

Because it’s a global certification, you can also choose the country you’d like to visit or live in. In the new world of remote work and digital-nomad living, holding a global and highly prized certification means you can live abroad and still advance your career. It’s also a gateway to engaging and varied work that deals with the newest tools and threats.

Employing a CISA-certified auditor helps business leaders understand and manage security risks. It’s also often extremely helpful for business partnerships. By telling prospective partners that you employ a CISA auditor, you’re providing assurance that you value security.

How do you get CISA certified?

The Information Systems Audit and Control Association (ISACA) is the best place to start your CISA journey, as it offers several ways to prepare for the exam. You can also get prep materials from third-party companies and a range of schools.

Applicants for the four-hour, 150-question CISA exam need at least five years of professional auditing, controlling or information security work within the past 10 years. (You can get by with just three years in special cases involving education.)

The test covers five domains:

  • Information system auditing process
  • Governance and management of IT
  • Information systems acquisition, development and implementation
  • Information systems operations, maintenance and service management
  • Protection of information assets

When you pass, you’ll be a Certified Information Systems Auditor. People with the certification refer to themselves as a “CISA” (pronounced either SIS-ah or SEES-ah).

You’ll have to maintain the certification by earning education credits every three years and paying a small annual maintenance fee.

Working as a certified systems auditor

If you do pass the CISA, you can expect to work on creating audit strategies for information systems based on a foundation of risk management, and then planning, running and following up on those audits. Afterward, you’ll revisit the audits to establish which of the recommended actions have actually been completed.

The work of a certified systems auditor involves elements of:

  • Risk management
  • Resource management
  • Business-IT alignment
  • IT policies
  • IT standards and procedures
  • Business continuity and disaster recovery
  • IT personnel management
  • IT organizational structure and controls

In fact, you’ll be involved in all aspects of cybersecurity, as well as core aspects of the organization itself. CISA certification is one of the most valuable credentials for security pros, as well as for organizations, to have in their tool belts.
