Dear Certmag: Considering CISA
I need some advice from you regarding the Certified Information Systems Auditor (CISA). I’ve been in software testing for the past nine years and have tested critical applications for stock exchanges and for SEC regulations as well. Keeping this in mind, would it be meaningful for me to do the CISA? Will this help me in moving to IS audits?
The CISA program is a worldwide, well-known professional qualification when it comes to IS auditing. However, it is not an entry-level credential. See here: http://www.isaca.org/Template.cfm?Section=Requirements&Template=/ContentManagement/ContentDisplay.cfm&ContentID=20453.
According to ISACA: “A minimum of five years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification.”
This can be reduced by up to two years in certain circumstances; however, that still leaves a minimum of three years of experience working in the IS auditing field. There is nothing stopping you from sitting for the exam. However, just sitting for the exam does not give you the CISA credential.
There are other recognized professional certifications, also based on international standards, that are listed in job ads for IT/IS auditors:
The itSMF ISO/IEC 20000 range of certifications, while not dealing solely with auditing, does cover it. The 20000 range of certifications can be taken with the exam vendors ISEB or EXIN via the testing centers Prometric or PearsonVue.
The Certified Information Security Manager (CISM) from ISACA and the Certified Information Systems Security Professional (CISSP) from (ISC)2 are other certifications that are also sought after for an IT/IS auditor’s role. Again, both certifications require prior experience before the credential can be gained.
Last but not least, a lot of these types of jobs, depending on region, require a person to have a degree or a degree-level qualification in a related field.
Understanding whether or not the CISA is a good fit for your career plan starts with the CISA credential’s intent and audience. When an organization implements security controls, it is critical that it also establish a system for regularly determining whether its technology infrastructure meets the standards the organization has set out for itself.
Unlike many credentials in the field, the CISA does not focus on the tools of the trade or on how to break into a system. Rather, it ensures that the candidate understands the business processes needed to build effective security controls and then to audit the enforcement of the policies and implementations that protect the enterprise and the data residing therein.
Focus first on a building-block credential such as the GIAC Security Essentials Certification (GSEC), which would allow you to build a more complete understanding of the foundations of the security discipline while you continue to gain experience in testing and auditing existing information systems. Once you have obtained both an underlying, recognized security credential to complement anything audit-specific and some additional, more relevant experience, that might be the point at which it makes sense to seek the CISA credential.