What Is the Average CISA Salary?

Written by Coursera Staff

Earning your Certified Information Systems Auditor (CISA) certification can help you advance in your career. Explore what you’ll need to know before you take the exam and what kind of CISA salary you might expect after completing your certification.

[Featured Image] Two smiling information systems auditors in business attire look at a computer screen in a busy office as they discuss CISA salary figures.

One way to advance your career and qualify for higher-paying jobs is to seek a certification. For an information systems auditor, the globally recognized Certified Information Systems Auditor (CISA) credential offered by ISACA, previously known as the Information Systems Audit and Control Association, is highly respected and demonstrates your expertise in IT auditing.

Explore the CISA certification, including the eligibility requirements, exam format, and the content you can expect to see on the exam, as well as what kind of CISA salary you can expect to earn. 

What is the CISA certification?

The CISA credential is a globally recognized certification that demonstrates expertise in IT and business systems auditing. It is ranked among the top 15 IT certifications available in North America, according to a recent Skillsoft report based on average salary [1]. Holding this credential designates you as someone who understands the IT auditing process, IT governance and management, and the operations, development, and implementation of IT systems.

With a CISA certification, you may hold various job titles, including internal auditor, IS analyst, IT audit manager, IT security officer, IT consultant, IT risk and assurance manager, or privacy officer. 

Eligibility criteria for CISA certification

You will need to have an advanced knowledge of the topics on the CISA exam before you take the test. You don’t need to have verified work experience prior to taking the exam. This means you can prepare for the CISA exam in the time it takes you to learn the material. In order to get officially CISA certified, you will need to have five or more years of experience in IT systems auditing. 

You will have five years from passing your exam to earn this work experience, but you can also count relevant work experience from the last 10 years. You may also choose to gain five years of experience in the field before taking the certification exam. You may be able to waive some of the experience requirements if you’ve worked in a related field or have a traditional degree, such as an associate’s degree or bachelor’s degree. 

CISA exam format and content

Once you register for the CISA exam, you will have 12 months to take the test. You will have four hours to complete the exam, which includes 150 multiple-choice questions. Scores are reported on a scale from 200 (lowest) to 800 (highest). You must receive a score of at least 450 to pass.

The content of the CISA exam has five main parts: the information system auditing process; governance and management of IT; information systems acquisition, development, and implementation; information systems operations and business resilience; and protection of information assets. 

  • Information system auditing process: In the first part of the CISA exam, you will cover both the planning and execution of IT auditing, including standards, guidelines, and code of ethics, as well as audit project management, testing, evidence collection, and data analytics.

  • Governance and management of IT: In the second part of the exam, you’ll demonstrate your knowledge of IT governance, such as the laws, regulations, and industry standards that guide your work, as well as managing enterprise risk and setting IT policies. You’ll also demonstrate your knowledge of managing IT resources, vendors, and quality assurance. 

  • Information systems acquisition, development, and implementation: In the third section, you’ll demonstrate your knowledge of conducting feasibility analysis, methods for developing systems, control identification and design, and implementation of information systems, such as system readiness and testing, implementation configuration, and post-implementation review. 

  • Information systems operations and business resilience: In the fourth section, you’ll test your knowledge of IS operations, including IT components, IT asset management, system interfaces, operational log management, and database management. You’ll also demonstrate your knowledge of business resilience, including business impact analysis, business continuity plans, and disaster recovery plans. 

  • Protection of information assets: In the last section of the exam, you’ll demonstrate your knowledge of information asset security and control, such as managing access, network and end-point security, data loss prevention, data encryption, and security testing, monitoring logs, tools, techniques, and incident response management. 

Average salary for CISA professionals

The average salary for a CISA professional in the United States ranges from $86,214 to $118,000, according to three salary aggregate websites. Explore how the data breaks down across Glassdoor, Payscale, and ZipRecruiter [2, 3, 4]: 

  • Glassdoor: $86,214

  • Payscale: $118,000

  • ZipRecruiter: $109,713

Another way to compare the salary of a CISA professional is to look at what the average salary is for an IT auditor in the United States without specifying which certifications they might hold. According to all three websites, CISA pays more than the average salary for an IT auditor: 

  • Glassdoor: IT auditor: $111,343 (including additional pay like bonuses) [5]; CISA: $114,236 (including additional pay like bonuses) [2]

  • Payscale: IT auditor: $78,341 [6]; CISA: $118,000 [3]

  • ZipRecruiter: IT auditor: $92,797 [7]; CISA: $109,713 [4]

*All salary data as of January 2025

The exact amount you can expect to earn will vary based on factors like your job title, your experience in the field, and where you live. 

Factors that impact salary

You will find that certain factors make a difference in how much you can expect to earn as a CISA professional. For example, the experience you have in the field, where you live and work, and the company you work for can all impact your salary. 

Experience

You can find insight into how much experience will impact your salary by looking at Glassdoor’s estimates. They report that the average CISA salary will vary as follows [2]: 

  • 0–1 years: $61,687

  • 1–3 years: $69,135274

  • 4–6 years: $76,126 

  • 7–9 years: $81,2985 

  • 10–14 years: $88,548

  • 15+ years: $100,114

Location

Another factor that can change your average salary is where you live and work. So far, you’ve explored the average salaries across the United States, but consider how salaries break down across some of the highest-paying cities for CISA professionals [4]: 

  • Nome, AK: $136,099

  • Berkeley, CA: $134,337

  • Sitka, AK: $132,169

  • San Francisco, CA: $129,261

  • Palo Alto, CA: $128,970

  • Santa Clara, CA: $128,851

  • Sunnyvale, CA: $128,765

  • Livermore, CA: $128,692

  • San Jose, CA: $128,583

  • Daly City, CA: $127,124

Job title

You may hold a CISA certification and work in a role other than IT auditor. Your job title can affect your average salary. For example, Payscale lists several jobs you might hold as a CISA and the average salary you can expect in each [3]:

  • Information systems audit manager: $123,007

  • Internal auditing manager: $113,327

  • Information security analyst: $101,645

  • Senior internal auditor: $95,905

  • Information security officer: $124,008

  • Senior manager auditor: $142,851

  • Cybersecurity analyst: $105,190

Company

Payscale also offers insight into how different companies pay CISA professionals. Explore a few examples [3]:

  • EY (Ernst & Young): $95,550

  • Deloitte: $121,000

  • RSM McGladrey Incorporated: $93,000

  • PricewaterhouseCoopers: $85,000

  • Booz, Allen, and Hamilton: $135,985

  • KPMG, LLP: $165,848

  • Wells Fargo Bank: $125,000

  • Grant Thornton LLP: $94,900

  • Stryker Corp.: $87,000

  • JP Morgan Chase: $174,086

Learn skills for CISA on Coursera

A CISA credential is a way to demonstrate to your employer and other professionals that you are an expert in the area of information systems auditing. To prepare for your exam, you can learn many of the skills you’ll need on Coursera. For example, you could enroll in the Security Analyst Fundamentals Specialization from IBM to learn about computer security incident management, or you could learn about information systems with the Information Systems Specialization offered by the University of Minnesota.

Article sources

1. Skillsoft. “IT Skills & Salary Report,” https://s3.us-east-1.amazonaws.com/skillsoft.com/prod/resources/Skillsoft-IT-Skills-and-Salary-Report-2023.pdf. Accessed January 30, 2025.
