Thinking of CISA cert next.... good idea?

Hi - I'm a IT Security Professional with 20 years of IT experience now. Have had a diverse background of experiences over the years. I passed CISSP in January and starting to think of what's next.
I've become interested in the GRC - Risk Assessment/Compliance lane of security and think I may want to specialize.
I believe I may like the role of an IT auditor. Had an interview with E&Y earlier this year - Did not get an offer - but was impressed with org and culture of the organization and job itself. I like the travel/remote aspect of these jobs.

Anyway, I'm thinking CISA may be a good next step to get me into this type of a job/lifestyle.
Does anybody have any other input/thoughts/ideas that may re enforce or change my mind?

Thanks in advance everyone!

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

SteveLavoie

To apply for CISA, you need to have real audit experience... So get an auditor job, then get your CISA..

wd40

SteveLavoie wrote: »

To apply for CISA, you need to have real audit experience... So get an auditor job, then get your CISA..

No you don't need IT Audit experience to become a CISA.

Once a CISA candidate has passed the CISA certification exam and has met the work experience requirements, the final step is to complete and submit a CISA Application for Certification. A minimum of 5 years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification. Substitutions and waivers of such experience, to a maximum of 3 years, may be obtained as follows:

A maximum of 1 year of information systems experience OR 1 year of non-IS auditing experience can be substituted for 1 year of experience.
60 to 120 completed university semester credit hours (the equivalent of an 2-year or 4-year degree) not limited by the 10-year preceding restriction, can be substituted for 1 or 2 years, respectively, of experience.
A bachelor's or master's degree from a university that enforces the ISACA-sponsored Model Curricula can be substituted for 1 year of experience. To view a list of these schools, please visit www.isaca.org/modeluniversities. This option cannot be used if 3 years of experience substitution and educational waiver have already been claimed.
A master's degree in information security or information technology from an accredited university can be substituted for 1 year of experience.

E Double U

djasonslick wrote: »

I've become interested in the GRC - Risk Assessment/Compliance lane of security and think I may want to specialize.

How about CGEIT?

CGEIT Exam Job Practice: 2013

yoba222

I'm considering going for this cert early next year. From what I've gathered, it should be relatively easy to pass for a person with related work experience and it seems very popular among job postings. I normally spend several months studying for a cert and I may only slate 6-8 weeks for this one. I could be wrong.

beads

I no longer work as a dedicated auditor so I let it drop off my hamster wheel of constant CPEs and annual dues. Really, its not about the number of acronyms after the name but how effective you are at the position at hand.

- b/eads

UnixGuy

Since you passed CISSP, and are interested in GRC, CISA is a great choice! so is CISM

beniisan

I think if you want to work as an auditor, the CISA will help you to get that job.
But as you already has the CISSP cert, it won't give you a bug burst in knowledge...