CISA Certification Requirements: Eligibility, Experience, Waivers and CISA Associate
If you are trying to understand whether you can pursue CISA now, the biggest thing to know is this: you can prepare for and take the exam before meeting the full work-experience requirement, but full CISA certification comes only after you meet ISACA’s experience, ethics, and application rules.

Quick answer
To become fully CISA certified, you must pass the CISA exam, apply within 5 years of passing, demonstrate 5 years of qualifying professional information systems auditing, control, or security work experience, follow ISACA’s ethics and standards, and maintain the credential with continuing professional education. You can take the exam before finishing the full experience requirement.
Key takeaways
- CISA exam eligibility and full CISA certification eligibility are not the same thing, and that distinction causes most candidate confusion.
- ISACA allows candidates to sit for the exam before completing the full work-experience requirement for full certification.
- Full certification requires 5 years of qualifying experience, although approved waivers can reduce the requirement by up to 3 years.
- CISA Associate can be relevant for exam passers who do not yet meet the full certification-experience requirement.
- If you want to prepare seriously now, the right next step is usually to clarify your experience position first, then map your exam plan around it.
What are the CISA certification requirements?
ISACA’s current CISA certification rules are clearer than many third-party pages make them sound. To become fully CISA certified, candidates must pass the exam, apply within 5 years of passing, pay the certification application fee, document the required qualifying experience, and comply with ISACA’s ethics, CPE policy, and audit standards.
The easiest way to understand CISA requirements is to stop treating them as one single checkpoint. In practice, there are two stages:
- You prepare for the exam, register, sit the exam, and pass it. This stage does not require you to have already completed every year of qualifying experience.
- You apply for the credential, document qualifying experience or approved waivers, and meet ISACA’s professional and maintenance rules before being recognized as fully CISA certified.
That difference matters because many candidates ask “Am I eligible for CISA?” when what they actually mean is one of two different questions: Can I start preparing and take the exam now? or Can I become fully certified right now? Those are not always the same answer.
| Requirement area | Current official meaning |
|---|---|
| Exam | Pass the CISA exam. |
| Application timing | Apply for certification within 5 years of passing the exam. |
| Experience | Show 5 years of qualifying professional information systems auditing, control, or security work experience. |
| Experience window | Experience must fall within the 10-year period before the application date. |
| Waivers | Approved substitutions can reduce the full requirement by up to 3 years. |
| Application fee | US$50 certification application processing fee. |
| Professional rules | Follow ISACA’s Code of Professional Ethics, CPE policy, and Information Systems Auditing Standards. |
Official references: ISACA Get CISA Certified, ISACA CISA credential page.
Can you take the CISA exam before meeting the full experience requirement?
Yes. This is one of the most important CISA clarification points, and it is where many candidates lose time. ISACA allows candidates to sit for the CISA exam before they have completed the full experience requirement for full certification. Passing the exam is not the same as already being fully certified.
That means a candidate can start early if the long-term career fit is right. This is especially helpful for professionals in internal audit, IT audit, GRC, technology risk, controls, or adjacent governance roles who are still building the full depth of experience that ISACA expects for final certification.
In practical terms, the exam-first route helps three broad groups:
- professionals with partial qualifying experience who want to accelerate their career path
- career switchers moving from audit, compliance, or controls-heavy work into information systems assurance
- younger candidates who want the exam completed while they continue building the experience required for full certification or the CISA Associate path
What you should not do is assume that an exam pass automatically means you can immediately use the full credential in the same way as a fully approved CISA certificant. The exam is a major milestone, but the credential award still depends on the application and experience stage.
How much work experience do you need for CISA certification?
For full CISA certification, ISACA requires 5 years of professional information systems auditing, control, or security work experience. The official rule is broader than many people expect. It does not only mean “I already hold the title IT Auditor.” It includes work that sits meaningfully inside information systems audit, controls, and security assurance.
The best way to read this is functionally, not just by job title. A candidate may have useful qualifying experience if their role involved control review, risk evaluation, technology governance, security oversight, evidence-based assurance work, IT process assessment, access review, resilience-related control review, or information systems risk and control work.
This matters because some candidates assume they are disqualified simply because their title says internal auditor, risk analyst, controls manager, GRC specialist, security governance analyst, or compliance professional instead of pure IT auditor. Often, the underlying work matters more than the label.
At the same time, not every technology job automatically qualifies. Deeply hands-on technical work by itself does not always translate cleanly unless it overlaps meaningfully with control, audit, risk, or assurance responsibilities.

IT audit, internal audit with systems scope, technology risk, GRC, IT controls, assurance, compliance oversight, governance-heavy security roles.
Finance or internal audit roles with strong ITGC, ERP, access, system-change, or third-party control responsibilities.
Pure engineering or technical roles without meaningful audit, risk, control, review, evidence, or governance responsibilities.
What experience actually counts for CISA certification?
The safest way to think about qualifying experience is to ask whether your work involved evaluating or supporting the effectiveness of information systems, controls, governance, resilience, or information asset protection. If the answer is yes, you may be closer to qualifying than you think.
Because CISA is an information systems audit and assurance credential, experience tends to align best with work such as:
- IT audit planning, testing, evidence gathering, reporting, and issue follow-up
- IT general controls review, access controls, change management controls, and system operations controls
- technology risk assessment, governance review, vendor risk, and control assurance
- security governance and oversight work tied to policy, protection, monitoring, resilience, or audit support
- internal audit work that materially evaluates enterprise applications, technology controls, privacy controls, or systems risk
This is also why CISA fits professionals from banking, fintech, telecom, consulting, large enterprise internal audit, and regulated industries. In those environments, titles vary, but the real work often sits right inside systems assurance and control evaluation.
Do not assume that “security experience” always means qualifying CISA experience in the same way. Some security work aligns well with CISA requirements, especially governance and assurance-heavy work. Some deeply technical execution work aligns less directly. When in doubt, assess the actual responsibilities, not just the broad security label.
What waivers or substitutions can reduce the CISA experience requirement?
ISACA allows approved waivers that can reduce the full experience requirement by up to 3 years. This is one of the most valuable CISA eligibility points for candidates with academic or adjacent professional background, but it is also one of the most misunderstood, because many pages mention the waiver idea without explaining its practical role.
The core point is simple: the five-year requirement is the headline rule, but the final qualifying experience needed may be lower if approved substitutions apply to your background. The exact waiver mix depends on the current official rules and how your education or related experience lines up with ISACA’s accepted criteria.
That means the smartest move is not to guess. It is to review your background against the official requirements carefully before assuming the full five years must always stand untouched in your case.
What is CISA Associate, and when does it help?
CISA Associate exists for eligible exam passers who have cleared the exam but do not yet meet the full experience requirement for complete CISA certification. This is not the main credential, but it is a very useful bridge for earlier-career candidates, career switchers, and professionals who want employer-facing proof of progress while they continue building qualifying experience.
That is why CISA Associate matters strategically. It answers the practical fear that many candidates have: “If I pass the exam before I reach the full experience threshold, does that achievement just sit in the background?” The associate path gives eligible candidates a more visible interim milestone.
| Point | What it means |
|---|---|
| Purpose | Supports exam passers who do not yet have the full required work experience for full CISA certification. |
| Exam | You must pass the CISA exam first. |
| Membership | Requires active ISACA membership. |
| Application fee | US$25 one-time application fee. |
| Validity | Valid for up to 4 years or until you become fully CISA certified. |
| CPE | No CPE requirement applies to the Associate designation itself. |
For a serious candidate, this makes the exam-first route easier to justify. It gives structure to the gap between passing the exam and crossing the full experience finish line. It should not replace the goal of becoming fully CISA certified, but it can make the journey more career-useful along the way.
Official reference: ISACA CISA Associate.
What happens after you pass the CISA exam?
Passing the exam is a major milestone, but it is not the last step. After passing, your next job is to make sure your certification path stays organized: confirm your experience position, use approved waivers where relevant, apply within the official time window, and avoid letting the pass result sit without a plan.
If you want the wider end-to-end order before diving into the details here, read How to Get CISA Certification for the full process-owner walkthrough.
Here is the simplest sequence to follow after a pass:
- Confirm your experience status. Decide whether you already meet the full requirement, partly meet it, or need more time.
- Check waiver eligibility carefully. If approved substitutions apply, your remaining experience gap may be smaller than you think.
- Choose the correct next step. Apply for full certification when eligible, or use the CISA Associate path if it fits and you are not yet ready for full certification.
- Do not lose the application window. ISACA states candidates must apply within 5 years of passing the exam.
Do you need continuing professional education after you become certified?
Yes. Full CISA certification is not a one-time event that stays valid without maintenance. ISACA’s current maintenance rule requires at least 20 CPE hours annually and 120 CPE hours over a 3-year period. This is not the most urgent concern when you are still deciding whether you qualify, but it is part of the real credential commitment.
This point matters for candidates who want the designation mainly for long-term credibility. CISA is respected partly because it is maintained. Employers and professional peers know it is not just an exam trophy. It comes with an ongoing professional standard.
The exception is the Associate route, where the designation itself does not carry the same CPE requirement. That is one reason CISA Associate works as an interim bridge, not as the full final credential.
What do candidates most often misunderstand about CISA eligibility?
The most useful thing this topic can do is clear up the most common mistakes. Many candidates are not blocked by the rules themselves. They are blocked by fuzzy interpretations of those rules, especially around exam timing, experience labels, and what “eligibility” really means.
Not necessarily. You can prepare for and take the exam before completing the full experience requirement for final certification.
Titles alone do not decide everything. The real question is whether your work meaningfully fits audit, control, governance, assurance, or qualifying security scope.
No. Passing the exam is necessary, but full certification still requires application, experience, and compliance with ISACA rules.
That is often assumed too quickly. Approved waivers can reduce the requirement by up to 3 years, so they are worth checking carefully.
This is also why a structured preparation plan can help even before you register. The goal is not only to study the domains. It is to understand where you stand in the credential path so you do not waste effort or make the wrong timing decision.
How should you prepare once you know where you stand?
Once your eligibility position is clear, the next step is straightforward: prepare for the exam with the current domains, question style, and audit mindset in view. A lot of candidates lose momentum because they keep circling around eligibility confusion instead of deciding whether their best move is to start studying now.
If your role and background point clearly toward IT audit, controls, technology risk, governance, or assurance, it usually makes sense to move from eligibility analysis into a proper exam-prep plan instead of waiting for “perfect timing.”
If you want a guided route with live classes, an AI-powered LMS, 3000+ practice questions, mock exams, recordings, and structured trainer support, explore EduDelphi’s Online CISA Course.
You may also want to read What Is CISA Certification? if you are still deciding whether this is the right audit-and-assurance path for you, the CISA Exam Cost guide if you are planning budget and official fees, or How to Pass CISA in First Attempt if you are already moving into study planning.
Frequently asked questions
Can I take the CISA exam before I complete 5 years of experience?
Yes. ISACA allows candidates to sit for the CISA exam before they complete the full experience requirement for full certification. Passing the exam comes first for many candidates, while full certification follows once the qualifying experience and application conditions are met.
How many years of experience are required for full CISA certification?
ISACA states that full CISA certification requires 5 years of professional information systems auditing, control, or security work experience. Approved waivers can reduce the requirement by up to 3 years depending on the candidate’s qualifying background.
What counts as qualifying CISA experience?
Qualifying experience is generally work that sits meaningfully inside information systems audit, control, assurance, governance, or relevant security scope. Titles vary, so the stronger test is the work itself rather than whether the role name says IT Auditor exactly.
What is the difference between passing the CISA exam and being fully CISA certified?
Passing the exam means you have cleared the testing stage. Full certification comes later after you apply within the official window, meet the work-experience requirement or approved waivers, and comply with ISACA’s ethics and standards.
What is CISA Associate?
CISA Associate is an ISACA designation for eligible candidates who pass the CISA exam before they have the full work experience required for complete CISA certification. It can help candidates show progress while they continue building qualifying experience.
How long do I have to apply for full CISA certification after passing the exam?
ISACA states candidates have 5 years from passing the CISA exam to apply for certification. That is why it is important to track your experience and eligibility position instead of treating the pass result as something you can leave unmanaged indefinitely.
Do I need continuing education after becoming fully CISA certified?
Yes. Full CISA maintenance currently requires at least 20 CPE hours each year and 120 CPE hours over a 3-year reporting period.
Accreditations and learning partners
Institutional trust behind the learning experience matters. Edudelphi’s broader quality credentials, approved-provider relationships, and learning partnerships support different programs across the portfolio, while CISA itself remains an ISACA-awarded certification.
Content verification and editorial review
This article was reviewed by the Edudelphi content and training team to keep the explanation aligned with current CISA credential rules, real learner confusion points, and the audit-and-assurance career path that CISA actually serves. We aim to separate official ISACA certification requirements from training-provider guidance so readers can make more confident decisions.
- We reviewed current ISACA credential, certification, candidate-guide, associate, and maintenance references while preparing this article.
- The structure intentionally separates exam timing, experience, waivers, and full certification so the decision path becomes clearer.
- The page routes readers toward deeper guidance on what CISA is, exam format, study planning, and country-specific training options where needed.