CISA Certification Guide 2026: Exam Format, Domains, and Study Plan

Complete CISA certification guide: five domains, exam format, work experience requirements, and study strategies for IT auditors.

CISA Key Facts: Issued by ISACA | 150 questions | 4-hour time limit | Five domains | Passing score: 450 on 200–800 scale | Requires 5 years of IT audit/control work experience | Delivered at PSI testing centers or remote proctoring | Globally recognized for IT audit, governance, and risk roles

CISA Certification: The Complete Guide for IT Audit Professionals

The CISA (Certified Information Systems Auditor) is ISACA's flagship credential for professionals working in IT audit, information security, risk management, and governance. It's been awarded since 1978, making it one of the oldest specialized IT certifications in existence, and it remains the most widely recognized credential specifically for the IT audit function. If your career involves auditing information systems, assessing IT controls, ensuring compliance with regulations, or advising management on IT-related risks, the CISA is the standard credential that signals professional competency in those areas.

Unlike many cybersecurity certifications that focus on technical offensive or defensive skills, the CISA tests a combination of technical knowledge and audit methodology. You're expected to understand how information systems work AND how to assess and test the controls around them. A CISA-certified professional isn't primarily a system administrator or a security engineer; they're an independent assessor who evaluates whether IT systems are designed, controlled, and operated effectively. This auditor mindset, asking not just "does this work?" but "how do we know this works reliably and securely?", is what distinguishes the CISA from practitioner-oriented security certifications such as CISSP or CCSP.

The CISA exam consists of 150 questions delivered over 4 hours, with scores reported on a 200–800 scale and a passing threshold of 450. The exam tests five content domains weighted differently across the question pool. Information Systems Auditing Process carries 21% of the exam and tests the IS audit methodology, planning, execution, and reporting process. Governance and Management of IT accounts for 17% and tests IT governance frameworks (COBIT, ITIL), risk management, and management oversight of IT functions. Information Systems Acquisition, Development, and Implementation covers 12% of exam questions. IS Operations and Business Resilience covers 23%, testing operational IT controls, change management, and business continuity. Protection of Information Assets (ISACA's name for the domain this guide summarizes as Information Asset Security and Control) carries 27%, the heaviest weight, covering logical and physical access controls, network security, and data protection. Build familiarity with the network and infrastructure security content by working through a cisa network security practice test that mirrors the control-assessment framing CISA uses across security-related questions.

Work experience is a non-negotiable component of CISA certification. You must have 5 years of professional work experience in IS auditing, control, assurance, or security, and this experience must be verified by an employer. ISACA allows a maximum of 3 years to be substituted: 60 completed university semester credit hours (roughly a two-year degree) count for 1 year and 120 credit hours (a four-year bachelor's degree) count for 2 years; a master's degree in information security or information technology from an accredited university counts for 1 year; 1 year of general information systems experience or of non-IS auditing experience counts for 1 year; and two years as a full-time university instructor in a related field count for 1 year. Even with the maximum substitution, a candidate still needs at least 2 years of hands-on IS audit, control, assurance, or security work, and ISACA requires that the qualifying experience fall within the 10 years before the application date or within 5 years after first passing the exam. The experience requirement isn't just bureaucratic gatekeeping: it reflects ISACA's intent that CISA certifies practitioners who can do IS audit work, not just people who passed an exam. You can pass the exam first and then complete the experience requirement within 5 years of passing, but certification isn't issued until the full experience is verified.

Five years of work experience is a significant requirement that makes CISA a mid-to-senior career credential. Most CISA candidates already work in IT audit, internal audit, risk management, or compliance roles before beginning exam preparation. The exam tests applied knowledge in a context that assumes professional audit exposure — questions are framed as scenarios where an IS auditor must make a judgment call about scope, evidence, risk materiality, or control assessment adequacy. Understanding data management controls at an audit level — what controls should exist, how to test whether they operate effectively, and how to evaluate exceptions — is tested across multiple domains. Review cisa data management practice test questions to build comfort with the audit-framing of data management questions before encountering them under exam time pressure.


CISA Overview

  • Domain 1 (21%): IS Auditing Process — audit planning, risk-based approach, evidence, audit programs, reporting and follow-up
  • Domain 2 (17%): Governance and Management of IT — COBIT, IT strategic alignment, risk management frameworks, performance measurement
  • Domain 3 (12%): IS Acquisition, Development, and Implementation — SDLC phases, project controls, application testing, change management
  • Domain 4 (23%): IS Operations and Business Resilience — operations management, patch management, BCP/DRP, incident response
  • Domain 5 (27%): Protection of Information Assets — access control, cryptography, network security, data classification, physical controls

CISA Breakdown

Domain 1: IS Auditing Process
  • Risk-based audit planning: how to prioritize what to audit based on risk assessment
  • Audit programs: designing specific test procedures for each control area
  • Evidence types: inquiry, observation, inspection, re-performance — when each is appropriate
  • Audit documentation: working papers standards, referencing, supervisor review
  • Audit reports: findings format, management responses, follow-up procedures
Domain 4: Operations and Resilience
  • Change management controls: authorization, testing, rollback procedures
  • Patch management: vulnerability prioritization, testing before deployment, emergency patching
  • Business continuity planning (BCP): business impact analysis, recovery objectives
  • Disaster recovery planning (DRP): recovery time objectives, testing procedures
  • Incident response: detection, containment, evidence preservation, post-incident review
Domain 5: Protection of Information Assets (Heaviest Weight)
  • Logical access controls: authentication methods, access rights management, privileged access
  • Network security: firewall placement, IDS/IPS, encryption in transit, DMZ architecture
  • Cryptography: symmetric vs asymmetric, PKI, digital signatures, key management
  • Physical security controls: data center security, access logging, media handling
  • Data classification: sensitivity levels, handling requirements, retention and disposal
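The Domain 1 evidence types and the Domain 5 access-rights controls meet in the audit program: inquiry ("HR tells us accounts are disabled on the termination date") is weak evidence, while re-performance (the auditor independently reconciles the HR termination list against the IAM extract) is strong evidence. The following Python script is an added example of such a re-performance test; it is not code from the page or from ISACA. The HR and IAM extracts are constructed sample data, and the 1-day disable policy and the extract date are assumptions standing in for whatever the audited organization's policy actually says.

```python
"""Re-performance of a user-deprovisioning control test over constructed
HR and IAM extracts. Added example: not data or code from ISACA or the page.
The policy threshold and extract date are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

EXTRACT_DATE = date(2024, 3, 31)  # assumed date the IAM extract was pulled
POLICY_DAYS = 1                   # assumed policy: disable within 1 day of termination


@dataclass(frozen=True)
class Termination:
    employee_id: str
    terminated_on: date


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    enabled: bool
    disabled_on: Optional[date]


# Constructed HR termination extract: this is the audit population.
HR_TERMINATIONS = [
    Termination("E001", date(2024, 3, 1)),
    Termination("E002", date(2024, 3, 4)),
    Termination("E003", date(2024, 3, 5)),
    Termination("E004", date(2024, 3, 8)),
    Termination("E005", date(2024, 3, 11)),
]

# Constructed IAM account extract as of EXTRACT_DATE.
IAM_ACCOUNTS = [
    Account("jdoe", "E001", False, date(2024, 3, 1)),        # disabled same day
    Account("asmith", "E002", False, date(2024, 3, 5)),      # disabled next day
    Account("bkhan", "E003", True, None),                    # never disabled
    Account("bkhan-adm", "E003", False, date(2024, 3, 12)),  # privileged account, a week late
    Account("clee", "E004", False, date(2024, 3, 6)),        # disabled before the HR date
    Account("mwong", "E099", True, None),                    # current employee, out of scope
]


def reperform_deprovisioning_test(terminations, accounts,
                                  extract_date=EXTRACT_DATE,
                                  policy_days=POLICY_DAYS):
    """Re-perform the control: every account of a terminated employee must be
    disabled within policy_days of the HR termination date.

    Returns a working-paper style summary: accounts tested, each exception with
    the reason it failed, terminated employees with no account in the IAM
    extract (a population-completeness question for the auditor to resolve,
    not a control failure), and the exception rate over accounts tested."""
    accounts_by_employee = {}
    for account in accounts:
        accounts_by_employee.setdefault(account.employee_id, []).append(account)

    tested, exceptions, unreconciled = [], [], []
    for term in terminations:
        owned = accounts_by_employee.get(term.employee_id)
        if not owned:
            unreconciled.append(term.employee_id)
            continue
        for account in owned:
            tested.append(account.username)
            if account.enabled:
                days_open = (extract_date - term.terminated_on).days
                exceptions.append((account.username,
                                   f"still enabled {days_open} days after termination"))
            elif account.disabled_on is None:
                exceptions.append((account.username,
                                   "disabled, but no disable date in the extract: evidence incomplete"))
            elif (account.disabled_on - term.terminated_on).days > policy_days:
                lag = (account.disabled_on - term.terminated_on).days
                exceptions.append((account.username,
                                   f"disabled {lag} days after termination (policy: {policy_days})"))

    return {
        "accounts_tested": len(tested),
        "exceptions": exceptions,
        "unreconciled_employees": unreconciled,
        "exception_rate": len(exceptions) / len(tested) if tested else 0.0,
    }


if __name__ == "__main__":
    result = reperform_deprovisioning_test(HR_TERMINATIONS, IAM_ACCOUNTS)
    print(f"accounts tested: {result['accounts_tested']}, "
          f"exception rate: {result['exception_rate']:.0%}")
    for username, reason in result["exceptions"]:
        print(f"EXCEPTION {username}: {reason}")
    for employee_id in result["unreconciled_employees"]:
        print(f"RECONCILE {employee_id}: terminated in HR but absent from IAM extract")
```

Against the constructed extracts the test finds two exceptions out of five accounts (one account never disabled, one privileged account disabled a week late) and one terminated employee with no IAM record at all. The exceptions are the finding; the unreconciled employee is a question about population completeness that the auditor must resolve before concluding, which is exactly the "how do we know?" step that distinguishes re-performance from taking management's word.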

CISA Cost Breakdown

  • CISA exam fee: $575 for ISACA members, $760 for non-members
  • ISACA membership: $135, which is less than the $185 member discount on the exam fee alone
  • ISACA study materials: the CISA Review Manual and the QAE (Questions, Answers and Explanations) practice database, sold separately by ISACA
  • Third-party prep: courses and practice tests from other providers, priced separately

CISA Exam Strategy: How to Study Across Five Domains

CISA exam preparation requires a different mindset than technical certification study. You're not learning how to exploit a system or configure a firewall — you're learning how to evaluate whether controls around these functions are adequate, operate as intended, and address relevant risks. Every CISA question that asks what an IS auditor should do has an answer rooted in this assessment orientation: the correct response is almost always the one that gathers evidence, assesses risk, applies professional skepticism, and documents findings objectively. Questions that offer shortcuts — concluding without adequate evidence, taking management's word without verification, or choosing a finding that's more damaging than the evidence supports — are wrong answers.

Domain 5 (Protection of Information Assets) carries 27% of the exam and deserves proportional study time. The security control questions test conceptual knowledge of control categories and their effectiveness rather than deep technical configuration knowledge. You should understand access control models (DAC, MAC, RBAC), know what network security controls should look like at the architectural level, understand encryption concepts without needing to implement them, and be able to assess whether physical controls are adequate for the sensitivity of information being protected. The system development and implementation domain tests similar applied judgment: whether controls built into the SDLC are adequate, whether testing is sufficiently rigorous, and how to evaluate vendor-developed systems against organizational requirements. Review cisa system development questions and answers to practice the audit judgment required in acquisition and development scenarios.

COBIT (Control Objectives for Information and Related Technologies) is ISACA's own governance framework, and it appears throughout CISA exam content. Understanding COBIT's structure (governance objectives, management objectives, and how they connect to specific IS audit objectives) is important for Domain 2 questions. You don't need practitioner-level COBIT expertise for the CISA, but you do need to understand its purpose, its five domains, and how it relates to IT governance and risk management. The five COBIT domains are one governance domain, Evaluate, Direct and Monitor (EDM), and four management domains: Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). CISA questions frequently require you to identify which COBIT objective or control category is most relevant to a given audit situation.

Business continuity and disaster recovery content in Domain 4 is consistently tested and well-defined. The key concepts: Recovery Time Objective (RTO) is the maximum time a system or process may be unavailable after a disruption before it must be restored; Recovery Point Objective (RPO) is the maximum acceptable data loss, expressed as the age of the last usable backup or replica. Business Impact Analysis (BIA) is the process for determining which business functions are critical and setting RTO/RPO requirements for them. DRP testing runs from least to most disruptive: checklist review, structured walk-through (tabletop exercise), simulation, parallel test (the recovery site processes the workload alongside production), and full interruption test (production is actually shut down and recovered). Audit questions often ask which type of test is most appropriate for a given situation or resource level, and whether the test performed actually provides evidence that the plan works. The privacy controls aspect of data management intersects with governance requirements and is increasingly important as regulations multiply. Practice with cisa privacy controls practice test questions to build familiarity with how privacy control assessments are framed across ISACA's domain structure.

Time management during the CISA exam is tighter than many candidates expect. 150 questions in 240 minutes gives you an average of 96 seconds per question. Most straightforward knowledge questions take 30–60 seconds. Complex scenario questions with long vignettes can take 2–3 minutes. Doing the math: if 30 questions are complex scenarios and you average 2.5 minutes each, that's 75 minutes spent on 20% of the exam, leaving 165 minutes for the other 120 questions, or about 82 seconds each. You need to move through simpler questions efficiently and allocate the remaining time to harder scenarios. Practice under timed conditions, not just for content familiarity but for developing the pacing discipline the 4-hour exam demands. Working through a focused cisa practice test set in timed format is the most realistic way to calibrate your actual pacing before exam day.


CISA Pros and Cons

Pros
  • +Globally recognized — CISA-certified professionals work in IT audit roles at Big Four firms, Fortune 500 companies, and government agencies
  • +Directly applicable content — exam tests what IS auditors actually do in practice
  • +ISACA's established framework aligns with how most organizations structure IT governance and audit
  • +Experience requirement filters for candidates with genuine professional competency
  • +Strong salary premium — CISA is consistently among the highest-compensated IT certifications
Cons
  • 5-year experience requirement makes CISA unavailable to early-career professionals
  • Exam fee is relatively high: $575 (member) / $760 (non-member)
  • 120 CPE hours over 3 years requires sustained professional development investment
  • Domain 5 requires broad security control knowledge that non-security-focused auditors may need to build
  • Non-technical managers may find the technical control content in Domains 4 and 5 challenging

Step-by-Step Timeline

Verify Eligibility

Confirm 5 years of IS audit/control/security experience (with any applicable degree/cert substitutions), gather employer verification documentation

Study (3–4 Months)

Work through CISA Review Manual domain by domain, complete ISACA QAE practice questions after each domain, weight study time by domain percentage

Register and Schedule

Purchase ISACA membership ($135), register for exam ($575 member), schedule at PSI center or configure remote proctoring setup

Exam Day

150 questions over 4 hours — apply the IS auditor mindset throughout, manage pace at ~96 seconds per question, flag uncertain items and return to them

Certification and Maintenance

Submit work experience verification after passing, receive CISA credential, begin tracking CPE hours (20+ per year, 120 over 3 years)


About the Author

James R. Hargrove, JD, LLM

Attorney & Bar Exam Preparation Specialist

Yale Law School

James R. Hargrove is a practicing attorney and legal educator with a Juris Doctor from Yale Law School and an LLM in Constitutional Law. With over a decade of experience coaching bar exam candidates across multiple jurisdictions, he specializes in MBE strategy, state-specific essay preparation, and multistate performance test techniques.