CISA work experience: Penetration testing?

Hi everyone,

currently I'm considering studying for and then taking the CISA exam. So far I successfully passed the OSCP, OSCE and CISSP.

One of the questions I am still debating with the other voices in my head regarding whether or not I should take the CISA is: Will penetration testing experience satisfy ISACA's work experience requirements for CISA?

ISACA states:

A minimum of 5 years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification.

The job practice areas read, in Domain 5 (Protection of Information Assets) as follows:

5.1
Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.

5.2
Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.

5.3
Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.

5.4
Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.

5.5
Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.

5.6
Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.

The bullet points I made bold are definitely parts of the penetration tests I perform.

However, except for these aspects covered by my tasks as a penetration tester, I literally didn't do anything else mentioned in the 5 CISA job practice areas. So far, I supported two audits in big banks by validating the effectiveness of technical security controls, but except for that I only did technical testing, i.e. no real audits.

Which brings me back to my original question: Will 4 years of penetration testing experience (plus a Master's degree, which can substitute 2 years of experience) satisfy the CISA work experience requirements?

Any hints appreciated!

Find more posts tagged with

Comments

paul78

You are over-thinking it. The actual requirement is:

A minimum of 5 years of professional information systems auditing, control or security work experience (as described in the CISA job practice areas) is required for certification.

You don't actually have to have experience in all of the practice areas. And you can waive up to 3 years of the experience with certain conditions. Details here:

How to Become CISA Certified

Good luck in your studies. I'm intrigued that you actually want to get a CISA.

Info_Sec_Wannabe

paul78 wrote: »

I'm intrigued that you actually want to get a CISA.

Same here. Is this something required at work?

0b3lix

Long story short: No, it's for maximizing my employability within my field (penetration testing) when trying to find jobs in various countries.

My girlfriend is in academia in an inherently international field. In the next 5 to 6 years, we will be living in 4 different countries (two western European ones, the US, and one Middle Eastern one). Thus I need to be able to compete with the local workforce even though I don't speak the local language (English, unfortunately, isn't always sufficient).

I checked the requirements for pentesting jobs in typical job ads in the countries we will be in in the next 5 to 6 years and it seems that CISA, apart from the three certs I already have (OSCP, OSCE, CISSP, plus a Master's in CS), is the one that is demanded by employers the most. I assume that a lot of pentesting companies in these countries also offer audits.

If you have any other ideas on how to maximize my employability given these circumstances, I'd be more than happy to hear them! (maybe I should open a thread on this topic in the general Security area?)