Dear Certmag: Should I get the CISA?
I am looking for some sound advice regarding CISA and the IT auditor. I am considering moving into IT auditor as a career option. I have been working in IT for the last eight years, but mostly in network support. I would like your opinion on whether IT audit would be a wise career move; and furthermore, judging from my work experience, would I be able to apply for CISA certification? Thanks for your time.
Regards, Donald Chodeva
To become a certified IT auditor, I would recommend an auditing certification such as the CISA. However, there are more general audit qualifications such as the Certified Internal Auditor offered by the Institute of Internal Auditors. Or there’s a more specialized qualification program offered by (ISC)2 that includes the CAP, the SSCP or the higher CISSP certification. Combine any of the above certification programs with other IT professional certifications and this will only enhance your chances of entering the field.
The CISA is internationally recognized, and it’s reinforced by the fact that you can’t just sit for the exam at a normal testing center, but at set ISACA-named centers only at set periods. Getting CISA status is not as easy as just passing an exam. ISACA says: “A minimum of five years of professional information systems auditing, control or security work experience (as described in the job practice areas) is required for certification. Substitutions and waivers of such experience may be obtained if certain education and general IS or audit experience requirements are met.”
I must point out that you are moving from one area of IT where you have eight years experience to another field of IT: Do not expect an easy or smooth transition. You’ll be moving from a hands-on job to one where you’ll be assessing systems and then handing over your findings.
Plus, your salary may drop as you’ll be entering the field at an entry-level position. While the IT auditing field isn’t everyone’s cup of tea, it is still a good field to get into, especially since it is one that is rapidly growing due to companies’ increasing awareness of security and the need for legal compliance.
No matter your level of experience with information security, I would encourage you to start preparing in this area. One of the key things about a certification is that part of the credential is to certify your experience in the subject matter. I would advise starting with a lower level certification (or two, depending on your budget and time available) and working up to the CISA.
My recommendation for your first credential in this space would either be the CompTIA Security+ or the GSEC from GIAC. Security+ is one of the worst-written exams I have sat for in terms of the lack of polish; however, it has a more comprehensive set of material than many credentials that have a more senior placement in the industry.
You are building a solid footing to make sure this is something you have a basic understanding of and something you will be interested in long term. The CISA has a cost both in terms of sitting for the exam and the extensive study required. At the same time, the rewards of the CISA credential also could be significant, depending on your expectations. Certification Magazine’s 2007 Salary Survey indicated that individuals with the CISA earned, on average, $98,740.
CISA-certified folks are in demand, too. At the time of this writing, a search on the keyword “CISA” on each of the major search engines turned up voluminous results, including 1,277 listings on one first-tier employment site. I would caution you to temper your enthusiasm with the knowledge that using the CISA to get a job will only help you go after one of these positions in combination with experience. Until then, expect your CISA to be a key to entry-level positions that will pay off in the long run with increased salary and desirability as an experienced employee.