ISACA · 2026 Edition
A complete preparation guide written by ISACA-certified engineers. Covers the exam format, all 5 blueprint domains, a week-by-week study plan, and proven tips for passing the first time.
Prep time: 4–6 months
Difficulty: Advanced
Exam questions: 150
Pass mark: 450/1000
Exam code: CISA
Full name: CISA
Vendor: ISACA
Duration: 240 minutes
Questions: 150 items
Passing score: 450/1000 (scaled)
Domains covered: 5 blueprint domains
Recommended experience: 5 years of IS audit, control, assurance or security work experience required
Typical prep time: 4–6 months
CISA is the gold standard credential for IS auditors. It is required or preferred for internal audit, external audit, and IT assurance roles at public accounting firms, financial institutions, and regulatory bodies globally.
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Month 1
IS Audit Process (21%): audit standards, risk-based audit planning, audit evidence, audit reporting
Tip: CISA questions about the audit process focus on the auditor's professional standards. Know that ISACA IS Audit and Assurance Standards define what auditors must do; guidelines provide guidance on how. Know the audit planning process: define scope → assess risk → plan fieldwork → execute → report findings → follow up.
Month 2
Governance and Management of IT (17%): IT strategy, IT governance frameworks, IT investment decisions
Tip: CISA tests COBIT as the primary IT governance framework. Know COBIT 2019's governance vs management distinction: governance is the responsibility of the board (setting direction, evaluating, monitoring); management executes within the guidance the board provides. CISA questions often ask who is responsible for a governance decision.
Month 3
IS Acquisition, Development and Implementation (12%): SDLC audit, project management, testing controls
Tip: Auditing the SDLC is a core CISA skill. Know the waterfall SDLC audit checkpoints: feasibility study, requirements, design, development, testing, implementation, and post-implementation review. Know what documentation an auditor would request at each phase and what control weaknesses to look for.
Month 4–5
IS Operations, Maintenance and Service Management (23%): IT service management, change management, capacity management
Tip: Change management controls are consistently tested on CISA. Know the elements of a sound change management process: change request → impact assessment → approval (change advisory board) → testing in non-production → implementation → back-out plan → post-implementation review. Emergency change procedures (how to bypass normal approval for critical fixes) are also tested.
Month 5–6
Protection of Information Assets (27% — heaviest domain): access controls, encryption, network security, incident management
Tip: Information asset protection questions combine technical security knowledge with audit methodology. Know how to audit an access control system: request a list of all user accounts → verify that access follows least privilege → identify dormant accounts → verify that terminated employees are promptly disabled → confirm that privileged access has additional controls (MFA, logging).
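As an added example (not part of this guide or any ISACA material), the review steps in that tip expressed as a check over a constructed account export; the account records, the role baseline per job function and the 90-day dormancy threshold are all hypothetical:

```python
from datetime import date

# Constructed sample account export (hypothetical data, not from any real system).
# Each record is the kind of row an auditor receives from an IAM/HR reconciliation.
ACCOUNTS = [
    {"user": "a.lee", "job": "analyst", "roles": {"read"},
     "enabled": True, "last_login": date(2026, 1, 20), "terminated": None,
     "privileged": False, "mfa": False, "logged": False},
    {"user": "b.chen", "job": "analyst", "roles": {"read", "admin"},
     "enabled": True, "last_login": date(2026, 1, 25), "terminated": None,
     "privileged": True, "mfa": True, "logged": True},
    {"user": "c.diaz", "job": "dba", "roles": {"read", "write", "admin"},
     "enabled": True, "last_login": date(2025, 9, 1), "terminated": None,
     "privileged": True, "mfa": False, "logged": True},
    {"user": "d.ortiz", "job": "analyst", "roles": {"read"},
     "enabled": True, "last_login": date(2025, 12, 30), "terminated": date(2026, 1, 5),
     "privileged": False, "mfa": False, "logged": False},
    {"user": "svc_backup", "job": "service", "roles": {"backup"},
     "enabled": True, "last_login": None, "terminated": None,
     "privileged": True, "mfa": True, "logged": False},
]
# Hypothetical role baseline: the maximum set of roles each job function should hold.
ROLE_BASELINE = {"analyst": {"read"}, "dba": {"read", "write", "admin"}, "service": {"backup"}}
AS_OF = date(2026, 2, 1)  # constructed fieldwork date used for the dormancy test

def audit_accounts(accounts, as_of, dormant_days=90):
    """Return sorted (user, finding) pairs following the steps in the tip."""
    findings = []
    for a in accounts:
        u = a["user"]
        # Least privilege: any role beyond the baseline for the job function is a finding
        extra = a["roles"] - ROLE_BASELINE.get(a["job"], set())
        if extra:
            findings.append((u, "excess roles: " + ",".join(sorted(extra))))
        # Dormant: enabled but never logged in, or not within the threshold
        if a["enabled"]:
            last = a["last_login"]
            if last is None or (as_of - last).days > dormant_days:
                findings.append((u, "dormant account"))
        # Terminated staff must be disabled promptly
        if a["terminated"] is not None and a["enabled"]:
            findings.append((u, "terminated but still enabled"))
        # Privileged access needs compensating controls (MFA and logging)
        if a["privileged"]:
            if not a["mfa"]:
                findings.append((u, "privileged without MFA"))
            if not a["logged"]:
                findings.append((u, "privileged without logging"))
    return sorted(findings)
```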
CISA requires 5 years of IS audit/control/assurance experience. Up to 3 years can be substituted with qualifying education. Experience must be in the IS audit, control, or security field — general IT experience does not qualify.
CISA questions are written from an auditor's perspective, not a security engineer's. When a question asks what to do first, the answer is almost always to gather information and assess the situation before recommending or implementing anything.
Sampling techniques are tested on CISA: statistical sampling (results can be extrapolated to the population with a measurable confidence level) vs judgmental/non-statistical sampling (auditor selects items based on professional judgement, results cannot be extrapolated). Know when each is appropriate.
Business continuity planning audit: know the key BCP documents an auditor would review — BIA (business impact analysis), risk assessment, recovery strategies, the BCP document itself, and test results. Know that a BCP that has never been tested is an audit finding regardless of how well-written it is.
CISA is valid for 3 years and requires 120 CPE credits. At least 20 CPEs must be earned each year. ISACA's online learning portal, chapter events, and CSX conferences provide CPE opportunities.