ISACA Certs: Grow in Demand and Importance


With a new U.S. Department of Defense (DoD) program in May and the 50,000th certified professional earning the Certified Information Systems Auditor (CISA) certification in late September, 2006 has turned out to be a milestone year for the Information Systems Audit and Control Association (ISACA).

According to Kent Anderson, managing director of Network Risk Management and five-year ISACA member, ISACA reached 50,000 CISA certifications and 6,000 CISM certifications in 2006. He said the CISM milestone is especially impressive.

“That’s just in the first three years that cert has been available,” Anderson said. “Obviously, it is very popular.”

Partially driving this popularity is a new program from the DoD, which was announced in May. Under the DoD’s Information Assurance Workforce Improvement Program, both CISA and CISM have been named as approved certifications for the DoD’s information assurance professionals. Under the DoD’s directive, up to 80,000 professionals are required to earn one of 13 certifications offered by five organizations.

The DoD’s information assurance professionals are classified into two categories — information assurance technical (IAT) and information assurance managerial (IAM) — that are each divided into three levels. CISA is among the four approved baseline certifications for professionals in IAT Level III, and CISM is among the three approved certifications for professionals in IAM Levels II and III.

In addition to these professionals, assistant examiners employed by the U.S. Federal Reserve Banks must pass the CISA examination before they are eligible for commissioning, and the National Stock Exchange of India recognizes CISA as a requirement to conduct systems audits. In Singapore, CISA is accredited under the Critical IT Resource Program of the National Infocomm Competency Centre (NICC), the national body that oversees the accreditation of IT-related certifications. CISM, for its part, is a recognized credential in the Security Solutions Competency of Microsoft’s Partner Program.

Since the DoD began the program, demand for CISA and CISM has continued to increase, Anderson said.

“We’ve seen continuous growth, and it’s been a fairly steep climb,” he said. “Requests for information about our certification and for registration for future testing, more and more people are signing up.”

Anderson said this increased demand is a sign of the CISA and CISM’s growing importance.

“The Department of Defense has made both the CISA and CISM one of the mandatory certifications, so both of those will grow significantly,” Anderson said. “I think there are two things (increasing demand). Organizations like the DoD are beginning to require some level of certification. Also, there have been some studies. Foote Partners did an independent review and has labeled both CISA and CISM as some of the most-valued certifications. There is a strong desire among the individuals who seek these certifications to distinguish themselves.”

Anderson said part of the reason the CISA and CISM certifications are valuable is because they are experience-based.

“There are lots of certifications based on technical skill, where you can just sit for an exam and become certified,” he said. “The value of both of these certifications is the experience requirement. It helps professionals become better prepared for the positions they hold.”

ISACA’s Beginnings
ISACA got its start in 1967, when a small group of individuals with similar jobs — auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations — sat down to discuss the need for a centralized source of information and guidance in the field.

In 1969, the group formalized, incorporating as the EDP Auditors Association. In 1976, the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.

Today, ISACA’s membership — more than 50,000 strong worldwide — is characterized by its diversity. Members live and work in more than 140 countries and cover a variety of professional IT-related positions, including information systems (IS) auditor, consultant, educator, security professional, regulator, chief information officer and internal auditor.

Since 1978, the CISA program has been a globally accepted standard of achievement among IS audit, control and security professionals.

To earn the CISA designation, candidates are required to:

  • Successfully complete the CISA examination, which is offered twice annually at more than 200 locations.
  • Adhere to ISACA’s Code of Professional Ethics and agree to comply with a continuing professional education policy.
  • Submit evidence of a minimum of five years of professional IS auditing, control or security work experience.

A 2003 survey of ISACA members revealed 70 percent of CISAs and members in the process of becoming CISAs think the certification helped advance their careers. When all ISACA members, CISA or not, were asked whether they thought gaining the CISA would help their careers, the positive response was even greater: 77 percent.

According to ISACA, more than 400 CISAs are employed in organizations as CEOs or CFOs. More than 900 CISAs serve as CIOs or IS security directors, more than 2,300 CISAs serve as audit directors or audit partners and more than 8,500 CISAs are employed in managerial or consulting positions in IT operations, security or auditing.

In addition to CISA’s demand in U.S. government agencies, it also has reached international prominence.

In Hong Kong, ISACA members who have held a CISA certification for at least four years have the right to vote for the city’s legislative councillors as representatives of the IT category among the functional constituencies.

CERT-IN, the Indian Computer Emergency Response Team, has recognized CISA as one of the requirements to conduct security audits.

In Romania, banks desiring to implement distance or electronic payment instruments are required by law to be certified by CISA-holding auditors.

The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise’s information security.

The CISM certification promotes international practices and provides executive management with assurance that those earning the designation have the required experience and knowledge to provide effective security management and consulting services.

To earn the CISM designation, candidates are required to:

  • Pass the CISM examination.
  • Adhere to ISACA’s Code of Professional Ethics and agree to comply with a continuing professional education policy.
  • Submit proof of five years of IS work experience with at least three years as an information security manager.

A 2006 study by Foote Partners LLC named CISM one of the highest-paying IT certifications and a hot tech skill certification (indicating an annual growth of greater than 11 percent).

According to ISACA, more than 1,000 CISMs serve as a chief information officer, chief executive officer or IS security director. More than 2,000 CISMs serve as an information security manager or in a related information security position, and nearly 1,000 CISMs are employed in security consulting or training positions.

Anderson said ISACA probably will see much of its growth in the CISM certification over the long term. “CISA is a fairly mature certification, and it’s always under review. However, the CISM is probably where the highest future growth is,” he said. “ISACA has been working with some of t
