Most people who ask about the ISACA certification path are really asking the wrong question. They want to know which cert is "best." But ISACA has five credentials, and they're not ranked — they're specialized. Picking the wrong one costs you six months of studying for a credential your future employer doesn't actually care about.
So before getting into the five certs, the more useful framing: ISACA is the governance, risk, and assurance lane of cybersecurity. If your job is mostly hands-on security engineering, ISACA isn't your tribe — you probably want ISC2 or offensive certs. If your job involves auditing, evaluating, governing, or managing IT and security from a control or business standpoint, ISACA is exactly your tribe. That distinction matters more than people realize.
The Five Certs, Briefly
Here's the lineup. I'll go deeper on the two most people actually pick (CISA and CISM) and lighter on the rest.
| Cert | Focus | Who picks it |
|---|---|---|
| CISA | IT auditing and assurance | Auditors, GRC, compliance |
| CISM | Security program management | Security managers, CISOs |
| CRISC | IT risk identification and control design | IT risk officers |
| CGEIT | Enterprise IT governance | IT directors, CIOs |
| CDPSE | Privacy engineering | Privacy engineers, DPOs |
All five run the same exam format: 150 multiple-choice questions, four hours, scored 200–800 with 450 to pass. All five require professional experience (more on that below). All five demand 120 CPE hours every three years to keep active.
CISA: The One Most People Should Start With
CISA — Certified Information Systems Auditor — has been around since 1978 and is held by over 200,000 people. It's the credential for anyone whose job touches auditing, control testing, or compliance assessment.
The exam covers five domains: the IS audit process, governance and management of IT, systems acquisition and implementation, operations and resilience, and protection of information assets. Domain 5 (protection of information assets) is the largest — about 27% of the exam — and it's where most non-auditors struggle, because it leans technical in a way that audit-track candidates aren't always comfortable with.
One pattern I've watched repeatedly: people coming from internal audit do well on the audit-process and governance domains and underperform on Domain 5. People coming from security engineering have the opposite problem — they crush Domain 5 and bomb the governance questions because they keep picking technically correct answers when the exam wants you to pick the answer that aligns with audit standards. If you score consistently in the 80s on practice exams but keep missing questions in one domain area, that's the gap to close before you book the real test.
CISA holders typically earn around $145,000 in the US, though that varies wildly by industry and city. Big Four consulting, financial services, and federal contracting tend to pay the most. If you want a deeper breakdown of timing, the "How long to study for CISA" guide covers that in detail.
CISM: The Leadership Track
CISM is for people who want to manage security, not just do it. Four domains: governance, risk, program development, and incident management. The exam is shorter on technical detail than CISA and heavier on judgment — what does a security manager do when they discover the CFO is pressuring the audit team to soften findings? What does a CISO do when the budget request gets cut by 40% and the board still expects the same risk posture?
The candidates who fail CISM usually fail it for the same reason: they're great security engineers who haven't yet developed the management instinct the exam tests for. The questions look like they have a right answer based on what's secure, but the right answer is often based on what's governance-appropriate given the role context. That shift trips people up.
A common scenario I've seen: a senior security engineer with eight years of hands-on experience gets pushed toward CISM by their manager because "you're ready for leadership." They study hard, take the exam, and miss the cut by 30 points. Almost always, they were answering as a senior engineer would, not as a CISO would. The fix isn't more studying — it's reframing how they approach the questions.
CISM salaries land around $118,000 on average, but that number is misleading. CISM holders disproportionately end up in director and VP roles where total comp is much higher than the "average certified holder" figures suggest. The cert tends to compound with experience.
If you're weighing CISA against CISM specifically — which is the most common ISACA crossroads — read the CISA vs CISM comparison. That's the more useful decision tool than this overview.
CRISC, CGEIT, CDPSE — The Three That Need Less Explaining
CRISC is for IT risk professionals. If you spend your days thinking about likelihood, impact, control effectiveness, and risk treatment — and you don't fit neatly into the audit lane (CISA) or the security management lane (CISM) — CRISC is your home. It's especially common in financial services and any heavily regulated industry. Salaries run roughly $120,000+.
CGEIT is the senior credential. It's not a starter cert. Most CGEIT holders earned it after another ISACA cert and 5+ years of governance work. If you're an IT director advising the board on IT investment strategy or sitting on an IT steering committee, CGEIT is the credential that matches what you actually do. If you're not in that seat yet, this isn't the one.
CDPSE is the newest, focused on privacy engineering and privacy-by-design. It pairs well with anything else — CISA + CDPSE for compliance-leaning roles, CISM + CDPSE for security leadership at companies handling sensitive personal data. As privacy regulations multiply (GDPR, CCPA, the patchwork of US state laws), this one's getting more relevant fast.
I'm intentionally light on these three. They're real credentials with real value, but most people reading a guide like this are picking between CISA and CISM. If you already know CRISC or CGEIT is your target, you don't need me to talk you into it.
So Which One?
Use these two questions, in order. The first one matters more than the second.
What does your day-to-day actually look like? Not your job title — what you spend your hours doing. If you spend most of your time evaluating whether something works as designed, you're an auditor; CISA fits. If you spend most of your time deciding what should be built, what risks to accept, and how to staff the team, you're a manager; CISM fits. If you spend most of your time quantifying risk and recommending controls, that's CRISC.
Where do you want to be in three years? This filters the answer. An auditor who wants to stay in audit picks CISA and adds CRISC later. An auditor who wants to switch to security leadership might skip CISA entirely and go straight to CISM (yes, this is allowed, and it's not a bad move if your experience qualifies you).
A frequent mistake: picking the cert your boss recommends without checking whether it matches your trajectory. Bosses often recommend the cert they hold, which makes sense for them but might not match where you're trying to go. Ask the question: who has the role I want in five years, and what cert do they hold?
The Experience Requirement (Yes, It's Real)
This is the part where ISACA's path differs most from CompTIA or even ISC2. You can't just pass the exam and walk away with the credential. Each cert has a verified work experience requirement:
- CISA: 5 years of audit experience (waivers available — a relevant bachelor's takes it down to 4, a master's or another major cert can take it down to 2)
- CISM: 5 years in info security, with at least 2 in a management capacity
- CRISC: 3 years across at least two of the four CRISC domains
- CGEIT: 5 years of governance-related experience
- CDPSE: 4 years in privacy work
The good part: you don't need the experience before the exam. Pass first, then you have five years to accumulate the qualifying experience. ISACA calls this being an "associate" or having a passed but uncertified status — your transcript shows you passed; you just can't use the cert designation until the experience requirement clears.
A small but useful tactical note: ISACA's experience verification is genuinely strict. They will check. Don't inflate your years. People have had certifications revoked over this.
Stacking Certs (And When Not To)
Here's a question I get a lot: should I get more than one ISACA cert? The honest answer is probably one, maybe two, rarely three.
The combinations that actually pay off in the job market are narrow. CISA + CRISC is real — auditors who can also speak risk-and-control design fluently are valuable. CISM + CRISC is real for security leaders at large enterprises. CISA + CISM exists but is rarer than people think; you're essentially saying you can audit security programs and manage them, which is a small lane (mostly Big Four consulting and large internal audit shops).
What doesn't pay off: collecting all five. I've seen resumes with CISA, CISM, CRISC, CGEIT, and CDPSE on them, and they often hurt the candidate. It signals exam-collecting more than depth in any one area. Hiring managers in this space can usually spot it.
If you're early in your ISACA journey, get one. Use it for at least two years. Then evaluate whether a second one actually maps to a real role you want.
How LearnZapp Fits In
Quick disclosure on what we cover: LearnZapp's adaptive practice platform handles CISA and CISM. We don't currently offer CRISC, CGEIT, or CDPSE prep — there are decent options elsewhere for those (the official ISACA review materials are dense but thorough; QAE is the standard supplement).
For CISA and CISM, the platform pulls from the ISACA item-bank-style question pool and adapts based on which domains you're weak in. The free diagnostic gives you a per-domain accuracy breakdown in about 25 minutes — useful even if you don't end up subscribing, because it tells you which domains you actually need to focus on instead of guessing.
If CISA or CISM is the path you've landed on, run the free diagnostic before you start studying. Most people who've spent years in the field discover their weak domain isn't where they expected, and finding that out before week one of studying saves real time.