ISACA Certification Practice Test PDF (Free Printable 2026)
Download a free ISACA certification practice test PDF. Print and study offline for CISA, CISM, CRISC, and CGEIT certification examinations from ISACA.
ISACA Certification Practice Test PDF
ISACA offers four globally recognized IT governance and security certifications: CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), and CGEIT (Certified in the Governance of Enterprise IT). Each exam tests deep knowledge of auditing, risk management, security governance, and enterprise IT control frameworks. Our free ISACA practice test PDF lets you study offline, revisit challenging questions, and build exam-day confidence at your own pace.
Whether you are targeting the CISA's 150-question audit process exam, the CISM's security governance domains, the CRISC's risk assessment methodology, or CGEIT's enterprise IT governance scope, this printable PDF covers the core concepts across all four certifications.
What the ISACA Exams Cover
CISA — Certified Information Systems Auditor
CISA is ISACA's most widely held certification, focusing on IS audit, control, and assurance. The exam spans five domains: Information System Auditing Process (audit standards, risk-based audit planning, evidence types, control testing, and audit reporting); Governance and Management of IT (COBIT 2019, ISO/IEC 38500, IT strategy alignment, organizational structures, and HR management of IT); Information Systems Acquisition, Development and Implementation (business case development, SDLC phases, change management, testing types including unit, integration, regression, and UAT); Information Systems Operations and Business Resilience (IT operations, incident management, BCP/DRP concepts, RTO vs. RPO, BIA, and backup strategies); and Protection of Information Assets (access controls, network security, cryptography, data classification, and incident response).
CISM — Certified Information Security Manager
CISM targets information security management rather than technical auditing. Its four domains cover Information Security Governance, Information Risk Management, Information Security Program Development and Management, and Information Security Incident Management. CISM holders are typically security managers and consultants responsible for enterprise-wide security strategy.
CRISC — Certified in Risk and Information Systems Control
CRISC focuses on IT risk identification, assessment, response, and monitoring. The four domains test IT Risk Identification (risk scenarios, threat modeling, risk appetite), IT Risk Assessment (qualitative vs. quantitative methodologies, risk registers), Risk Response and Mitigation (control selection, residual risk, cost-benefit analysis), and Risk and Control Monitoring and Reporting.
Key Cross-Exam Concepts
Across all ISACA exams, candidates should understand COBIT 2019 governance vs. management domain separation, control types (preventive, detective, corrective), audit evidence standards, IS audit independence requirements, and risk assessment frameworks. Strong familiarity with the difference between inherent risk, control risk, and residual risk is essential for all four certifications.
Free ISACA Practice Tests Online
In addition to this printable PDF, you can take our full ISACA practice test online with instant scoring, detailed answer explanations, and domain-by-domain performance tracking. Online practice helps you simulate the real exam environment and identify weak areas before test day.