© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

ISACA · 2026 Edition

CISA Study Guide — How to Pass CISA

A complete preparation guide written by ISACA-certified engineers. It covers the exam format, all 5 blueprint domains, a week-by-week study plan, and proven tips for passing the first time.

Prep time: 4–6 months

Difficulty: Advanced

Exam questions: 150

Pass mark: 450/1000


On this page

  1. CISA Exam at a Glance
  2. Why Earn the CISA?
  3. Exam Domains & Weights
  4. Study Plan
  5. Exam Tips
  6. Practice Questions

CISA Exam at a Glance

Exam code: CISA

Full name: Certified Information Systems Auditor (CISA)

Vendor: ISACA

Duration: 240 minutes

Questions: 150 items

Passing score: 450/1000 (scaled)

Domains covered: 5 blueprint domains

Recommended experience: 5 years of IS audit, control, assurance or security work experience required

Typical prep time: 4–6 months

Why Earn the CISA?

CISA is the gold standard credential for IS auditors. It is required or preferred for internal audit, external audit, and IT assurance roles at public accounting firms, financial institutions, and regulatory bodies globally.

Job roles this opens

IS Auditor, IT Auditor, Internal Auditor, IT Compliance Analyst, Risk Assurance Consultant

CISA Exam Domains

Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.

Governance and Management of IT
Information Systems Acquisition, Development and Implementation
Information Systems Operations and Business Resilience
Protection of Information Assets
Information System Auditing Process


CISA Study Plan

Month 1

IS Audit Process (21%): audit standards, risk-based audit planning, audit evidence, audit reporting

Tip: CISA questions about the audit process focus on the auditor's professional standards. Know that ISACA IS Audit and Assurance Standards define what auditors must do; guidelines provide guidance on how. Know the audit planning process: define scope → assess risk → plan fieldwork → execute → report findings → follow up.

Month 2

Governance and Management of IT (17%): IT strategy, IT governance frameworks, IT investment decisions

Tip: CISA tests COBIT as the primary IT governance framework. Know COBIT 2019's governance vs management distinction: governance is the responsibility of the board (setting direction, evaluating, monitoring), management executes within the guidance the board provides. CISA questions often ask who is responsible for a governance decision.

Month 3

IS Acquisition, Development and Implementation (12%): SDLC audit, project management, testing controls

Tip: Auditing the SDLC is a core CISA skill. Know the waterfall SDLC audit checkpoints: feasibility study, requirements, design, development, testing, implementation, and post-implementation review. Know what documentation an auditor would request at each phase and what control weaknesses to look for.

Month 4–5

IS Operations, Maintenance and Service Management (23%): IT service management, change management, capacity management

Tip: Change management controls are consistently tested on CISA. Know the elements of a sound change management process: change request → impact assessment → approval (change advisory board) → testing in non-production → implementation → back-out plan → post-implementation review. Emergency change procedures (how to bypass normal approval for critical fixes) are also tested.

Month 5–6

Protection of Information Assets (27% — heaviest domain): access controls, encryption, network security, incident management

Tip: Information asset protection questions combine technical security knowledge with audit methodology. Know how to audit an access control system: request a list of all user accounts → verify that access follows least privilege → identify dormant accounts → verify that terminated employees are promptly disabled → confirm that privileged access has additional controls (MFA, logging).
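The access-review procedure in the tip above can be expressed as a repeatable set of checks over an account export. The following is an added example written for this guide, not code from Courseiva or ISACA. It runs the checks the tip lists (terminated-but-enabled, dormant, least-privilege exceptions, privileged access without MFA or logging) over a constructed account extract; the fieldwork date, the 90-day dormancy threshold, the role-to-entitlement matrix and the account records are all assumptions chosen for illustration.

```python
"""Access-control audit checks over a constructed account export.

Added example, not code from Courseiva or ISACA. Thresholds, the role matrix
and the account records are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

AS_OF = date(2026, 1, 31)   # assumed fieldwork date for the audit
DORMANT_DAYS = 90           # assumed dormancy threshold from the access policy

# Assumed role-to-entitlement matrix obtained from the organisation's access policy
ROLE_MATRIX = {
    "analyst": {"reports.read"},
    "dba": {"db.read", "db.write", "db.admin"},
    "helpdesk": {"tickets.read", "tickets.write"},
}
# Entitlements the (assumed) policy classes as privileged
PRIVILEGED = {"db.admin", "iam.admin"}

Finding = Tuple[str, str, str]   # (user, check, detail)


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    enabled: bool
    last_login: Optional[date]
    hr_status: str            # "active" or "terminated", from the HR extract
    mfa: bool = False         # MFA enforced on this account?
    logged: bool = False      # privileged sessions forwarded to central logging?


def audit_accounts(accounts: List[Account], as_of: date = AS_OF,
                   dormant_days: int = DORMANT_DAYS) -> List[Finding]:
    """Apply the checks from the study tip and return one finding per exception."""
    findings: List[Finding] = []
    cutoff = as_of - timedelta(days=dormant_days)
    for a in accounts:
        # Terminated employees must be disabled promptly
        if a.enabled and a.hr_status == "terminated":
            findings.append((a.user, "terminated-but-enabled", ""))
        if not a.enabled:
            continue  # a disabled account is not live; the remaining checks do not apply
        # Dormant: never used, or no login within the threshold
        if a.last_login is None or a.last_login < cutoff:
            idle = "never" if a.last_login is None else f"{(as_of - a.last_login).days} days"
            findings.append((a.user, "dormant", idle))
        # Least privilege: entitlements not granted by the user's role
        excess = a.entitlements - ROLE_MATRIX.get(a.role, set())
        if excess:
            findings.append((a.user, "excess-entitlement", ",".join(sorted(excess))))
        # Privileged access needs the additional controls (MFA, logging)
        if a.entitlements & PRIVILEGED:
            if not a.mfa:
                findings.append((a.user, "privileged-no-mfa", ""))
            if not a.logged:
                findings.append((a.user, "privileged-not-logged", ""))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Group findings by check so the report can be organised by control area."""
    report: dict = {}
    for user, check, _ in findings:
        report.setdefault(check, []).append(user)
    return {check: sorted(users) for check, users in report.items()}


# Constructed account export (not real data)
SAMPLE_ACCOUNTS = [
    Account("alice", "analyst", {"reports.read"}, True, date(2026, 1, 20), "active"),
    Account("bob", "analyst", {"reports.read", "db.write"}, True, date(2026, 1, 10), "active"),
    Account("carol", "dba", {"db.read", "db.write", "db.admin"}, True, date(2026, 1, 28),
            "active", mfa=False, logged=True),
    Account("dave", "helpdesk", {"tickets.read"}, True, date(2025, 9, 1), "active"),
    Account("erin", "helpdesk", {"tickets.read", "tickets.write"}, True, date(2025, 12, 30),
            "terminated"),
    Account("frank", "dba", {"db.read", "db.write", "db.admin", "iam.admin"}, True,
            date(2026, 1, 29), "active", mfa=True, logged=False),
    Account("grace", "analyst", {"reports.read"}, False, None, "terminated"),
]

if __name__ == "__main__":
    for check, users in summarize(audit_accounts(SAMPLE_ACCOUNTS)).items():
        print(f"{check}: {', '.join(users)}")
```

Each finding carries the evidence an auditor would cite in the workpapers (days idle, the specific excess entitlement), and a disabled account is skipped after the termination check because it no longer represents live access. The role matrix and HR extract are the two independent sources the review reconciles against; in a real engagement both would be requested from the control owner rather than constructed.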

CISA Exam Tips

CISA requires 5 years of IS audit/control/assurance experience. Up to 3 years can be substituted with qualifying education. Experience must be in the IS audit, control, or security field — general IT experience does not qualify.

CISA questions are from an auditor's perspective, not a security engineer's. When a question asks what to do first, the answer is almost always gather information and assess the situation before recommending or implementing anything.

Sampling techniques are tested on CISA: statistical sampling (results can be extrapolated to the population with a measurable confidence level) vs judgmental/non-statistical sampling (auditor selects items based on professional judgement, results cannot be extrapolated). Know when each is appropriate.

Business continuity planning audit: know the key BCP documents an auditor would review — BIA (business impact analysis), risk assessment, recovery strategies, the BCP document itself, and test results. Know that a BCP that has never been tested is an audit finding regardless of how well-written it is.

CISA is valid for 3 years and requires 120 CPE credits. At least 20 CPEs must be earned each year. ISACA's online learning portal, chapter events, and CSX conferences provide CPE opportunities.


CISA concept guides

Deep-dive explanations of the key topics tested on CISA — with exam key points and common misconceptions.

CISA Audit and Assurance

The CISA (Certified Information Systems Auditor) is one of the most respected credentials in IT governance and audit.
