# How to Pass ISACA CISA (Certified Information Systems Auditor) in 2026: Study Guide
The ISACA CISA (Certified Information Systems Auditor) is one of the most respected certifications in IT audit and assurance. If you work in internal audit, compliance, risk, or IT governance, CISA signals to employers that you understand how to assess, control, and report on information systems — and that you do it according to internationally recognized standards.
This guide covers everything you need to know: who the exam is for, what's on it, how it's structured, which resources to use, and how to plan your study over 10 weeks.
---
## Who Should Take the CISA?
The CISA is designed for professionals who audit, control, monitor, or assess enterprise IT systems. Common job titles that benefit from CISA include:
- **IT Auditor / Internal Auditor** — the primary target audience
- **Compliance Analyst** — especially in regulated industries (finance, healthcare, energy)
- **Risk Manager** — focusing on IT risk identification and control assessment
- **IT Governance Professional** — working with frameworks like COBIT or ISO 27001
- **Security Analyst** — expanding into audit and assurance roles
- **Public Accounting Associate** — at firms where IT audit is a service line
CISA is not a deeply technical certification. It tests your ability to think like an **auditor**: objective, evidence-based, control-focused, and aligned with standards. If you want a hands-on offensive security credential, look elsewhere. If you want to prove you can evaluate whether controls work as intended, CISA is the right choice.
---
## CISA Exam Facts
| Factor | Detail |
|--------|--------|
| Questions | 150 multiple-choice |
| Time limit | 4 hours (240 minutes) |
| Exam fee | $760 (ISACA members: $575) |
| Passing score | 450 out of 800 |
| Delivery | Online (remote proctored) or in-person at Pearson VUE |
| Languages | English, plus several others (check ISACA website) |
| Experience requirement | 5 years of IS audit, control, assurance or security work (up to 3 years can be waived for education or other certifications) |
The 450 is a scaled score on a 200–800 scale, not a percentage. ISACA does not publish the raw cut score; common estimates put it at roughly 56–60% of questions correct, and the exact threshold varies by exam form. Aim for 70%+ on practice exams to leave a safe margin.
Note: You can sit the exam before fulfilling the experience requirement, but ISACA will not award the certification until you submit verified experience, and the application must be filed within 5 years of passing.
---
## The 5 CISA Domains
CISA covers five domains. Each has a specific weight in the exam, so more questions come from high-weight domains and you should allocate your study time accordingly. The weights below follow the job practice this guide was written against; ISACA revised the CISA job practice in August 2024 and narrowed the spread between domains, so confirm the current exam content outline on ISACA's site before you plan. The ordering holds either way: Domains 4 and 5 carry the most questions, Domain 3 the fewest.
### Domain 1: Information Systems Auditing Process (21%)
This is the foundation of the credential. It covers how IS audits are planned, executed, and reported — following ISACA's IS Audit Standards and Guidelines.
**Key concepts:**
- ISACA IS Audit and Assurance Standards (mandatory) vs Guidelines (recommended; departures should be justified), both published in ISACA's IT Audit Framework (ITAF)
- Audit planning: understanding the audit universe, risk-based prioritization
- Types of audit evidence: observation, inquiry, inspection, re-performance, analytical procedures
- Audit risk model: audit risk = inherent risk × control risk × detection risk; the auditor cannot change inherent or control risk, so detection risk is managed through the nature, timing and extent of testing
- Sampling methods: statistical vs non-statistical; attribute vs variable sampling
- Audit findings, opinions, and recommendations
- Working paper documentation and retention
- Follow-up audits and tracking remediation
**Weight implication:** With 21% of questions, you will see roughly 31–32 questions from this domain. Do not skip it — it underpins everything else.
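Sampling and evidence are where Domain 1 stops being vocabulary and becomes arithmetic. The following is an added example, not material from the page or from ISACA: an attribute sampling test of controls in Python over a constructed population of change tickets, where the control is "every deployed change has CAB approval". It derives the sample size from the binomial distribution (the same derivation behind the commonly published attribute sampling tables), re-performs the control on each sampled ticket, and computes the upper deviation limit that decides whether the auditor can rely on the control. The 95% confidence level is the auditor accepting a 5% risk of over-relying on the control, which is the sampling component of detection risk in the audit risk model. Ticket IDs, the 2% defect rate and the random seeds are all assumptions.

```python
"""Attribute sampling for a test of controls.

Added example, not from the page or from ISACA material. The population is
constructed: change tickets that should each carry CAB approval before
deployment; a deviation is a deployed change with no approval. Confidence
95% means the auditor accepts a 5% risk of over-relying on the control,
the sampling component of detection risk in AR = IR x CR x DR.
"""
import math
import random


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_rate: float, max_n: int = 5000) -> int:
    """Smallest n such that, if the sample shows no more than the expected
    number of deviations, the true rate is below tolerable_rate at the stated
    confidence. This is the binomial derivation behind published attribute
    sampling tables (95% confidence / 5% tolerable / 0% expected gives 59)."""
    if expected_rate >= tolerable_rate:
        raise ValueError("expected deviation rate must be below the tolerable rate")
    alpha = 1.0 - confidence
    for n in range(1, max_n + 1):
        k = math.ceil(n * expected_rate)  # deviations we plan to tolerate in the sample
        if binom_cdf(k, n, tolerable_rate) <= alpha:
            return n
    raise ValueError(f"no feasible sample size up to {max_n}")


def upper_deviation_limit(n: int, observed: int, confidence: float) -> float:
    """Largest population deviation rate still consistent with the sample:
    the smallest p with P(X <= observed | n, p) <= 1 - confidence, found by
    bisection (the binomial CDF is decreasing in p)."""
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(observed, n, mid) <= alpha:
            hi = mid
        else:
            lo = mid
    return hi


def evaluate_sample(sample: list[dict], tolerable_rate: float,
                    confidence: float) -> dict:
    """Re-perform the control on every sampled ticket and conclude."""
    exceptions = [t["id"] for t in sample if t["deployed"] and not t["cab_approved"]]
    n = len(sample)
    udl = upper_deviation_limit(n, len(exceptions), confidence)
    return {
        "sample_size": n,
        "deviations": len(exceptions),
        "sample_rate": len(exceptions) / n,
        "upper_deviation_limit": udl,
        "control_reliable": udl <= tolerable_rate,
        "exceptions": exceptions,  # what goes in the working papers
    }


def make_population(size: int = 400, seed: int = 7) -> list[dict]:
    """Constructed population (assumption): ~2% of deployed changes lack CAB approval."""
    rng = random.Random(seed)
    return [{"id": f"CHG-{i:04d}", "deployed": True,
             "cab_approved": rng.random() >= 0.02} for i in range(size)]


if __name__ == "__main__":
    population = make_population()
    n = attribute_sample_size(confidence=0.95, tolerable_rate=0.05, expected_rate=0.01)
    sample = random.Random(1).sample(population, n)  # random selection, seed documented
    result = evaluate_sample(sample, tolerable_rate=0.05, confidence=0.95)
    print(f"sample size {n}, deviations {result['deviations']}, "
          f"upper limit {result['upper_deviation_limit']:.1%}, "
          f"rely on control: {result['control_reliable']}")
    print("exceptions for the working papers:", result["exceptions"])
```

Two things to notice in the output. Allowing even one expected deviation moves the required sample from 59 to 93 items, which is why auditors ask about the prior year's results before sizing a test. And the conclusion is driven by the upper deviation limit, not the observed rate: two deviations in a sample of 59 is only 3.4% observed, but the 95% upper limit is above 10%, so the control cannot be relied upon at a 5% tolerable rate.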
### Domain 2: Governance and Management of IT (17%)
This domain tests your understanding of IT governance frameworks and how IT strategy aligns with business objectives.
**Key concepts:**
- IT governance vs IT management distinction (governance = direction-setting; management = execution)
- COBIT 2019: governance system, design factors, focus areas, objectives
- Roles and responsibilities: board, executive management, CIO, IS auditor
- IT policies, procedures, and standards hierarchy
- IT strategic planning and portfolio management
- IT performance measurement (KPIs, scorecards)
- Vendor management and third-party risk
**Weight implication:** ~25 questions. COBIT 2019 is ISACA's own framework — expect it to appear frequently.
### Domain 3: Information Systems Acquisition, Development and Implementation (12%)
This domain covers the systems development lifecycle (SDLC) from an audit perspective, plus acquisition of software and infrastructure.
**Key concepts:**
- SDLC phases: feasibility, requirements, design, development, testing, implementation, maintenance
- Audit checkpoints at each SDLC phase
- Feasibility study types: technical, operational, economic, legal
- Project management controls: scope, schedule, budget, quality
- Change management: RFC (Request for Change), CAB (Change Advisory Board), emergency changes
- Testing types: unit, integration, system, UAT (user acceptance testing), regression
- Post-implementation review
- Software acquisition alternatives: build vs buy vs outsource
**Weight implication:** ~18 questions. This is the lowest-weight domain — cover it well but don't over-invest.
### Domain 4: Information Systems Operations and Business Resilience (23%)
This domain tests operational IT controls and how organizations protect continuity of services.
**Key concepts:**
- IT operations controls: job scheduling, incident management, problem management
- Hardware and network infrastructure controls
- IT asset management and configuration management (CMDB)
- Business Continuity Planning (BCP) vs Disaster Recovery Planning (DRP)
- BIA (Business Impact Analysis): identifying critical processes, MTD, RTO, RPO
- BCP testing types: checklist review, structured walkthrough, simulation, parallel, full interruption
- Backup strategies: full, incremental, differential; offsite storage
- Cloud computing models and audit considerations (IaaS/PaaS/SaaS)
**Weight implication:** ~34 questions — this is the second-largest domain. Strong knowledge of BCP/DRP and the RTO/RPO/MTD hierarchy is essential.
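The backup bullet and the RTO/RPO/MTD bullet above are usually tested together: the question gives a backup schedule and a failure time and asks whether the plan meets the objectives from the BIA. The following is an added example, not from the page or from ISACA material, written in Python around a constructed schedule: a weekly full backup on Sunday at 02:00 plus a daily incremental or, alternatively, a daily differential. For a failure on a Wednesday afternoon it builds the restore chain each scheme needs (full plus every incremental since, versus full plus only the latest differential), derives the achieved data-loss window to compare with RPO, estimates restore time to compare with RTO, and flags an RTO that exceeds MTD as a finding in its own right. The restore time per backup set is an assumed figure, not a measured one.

```python
"""Restore chain and recovery-objective check for a backup schedule.

Added example, not from the page. The schedule is constructed: a weekly full
backup at 02:00 on Sunday and, on the other six days, either an incremental
(changes since the previous backup of any kind) or a differential (changes
since the last full). For a given failure time it builds the restore chain
each scheme needs, derives the data-loss window and an estimated restore
time, and checks them against RPO, RTO and MTD. Restore time per backup set
is an assumption, not a measured value.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    kind: str  # "full", "incremental" or "differential"


def build_schedule(first_full: datetime, days: int, scheme: str) -> list[Backup]:
    """Weekly full on the weekday of first_full; `scheme` on every other day."""
    if scheme not in ("incremental", "differential"):
        raise ValueError("scheme must be 'incremental' or 'differential'")
    return [Backup(first_full + timedelta(days=d), "full" if d % 7 == 0 else scheme)
            for d in range(days)]


def restore_chain(backups: list[Backup], failure_at: datetime) -> list[Backup]:
    """Backups that must be restored, in order, to recover to the newest
    completed backup before the failure. Assumes one scheme per chain."""
    usable = sorted((b for b in backups if b.taken_at <= failure_at),
                    key=lambda b: b.taken_at)
    fulls = [i for i, b in enumerate(usable) if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup completed before the failure")
    since_full = usable[fulls[-1] + 1:]
    chain = [usable[fulls[-1]]]
    if since_full and since_full[-1].kind == "incremental":
        chain.extend(since_full)       # every incremental since the full
    elif since_full:
        chain.append(since_full[-1])   # only the newest differential
    return chain


def assess_recovery(backups: list[Backup], failure_at: datetime, rpo: timedelta,
                    rto: timedelta, mtd: timedelta,
                    restore_time_per_set: timedelta) -> dict:
    """Compare what the schedule actually delivers with the BIA-derived objectives."""
    chain = restore_chain(backups, failure_at)
    data_loss = failure_at - chain[-1].taken_at
    restore_time = restore_time_per_set * len(chain)
    return {
        "chain": [(b.kind, b.taken_at.isoformat()) for b in chain],
        "data_loss_window": data_loss,
        "rpo_met": data_loss <= rpo,
        "estimated_restore_time": restore_time,
        "rto_met": restore_time <= rto,
        "rto_within_mtd": rto <= mtd,  # an RTO longer than MTD is itself a finding
    }


def run_demo() -> dict:
    """Constructed scenario: failure on Wednesday afternoon, objectives from a BIA."""
    first_full = datetime(2025, 6, 1, 2, 0)    # a Sunday
    failure_at = datetime(2025, 6, 4, 14, 0)   # the following Wednesday, 14:00
    objectives = dict(rpo=timedelta(hours=24), rto=timedelta(hours=8),
                      mtd=timedelta(hours=24),
                      restore_time_per_set=timedelta(hours=3))  # assumed, not measured
    return {scheme: assess_recovery(build_schedule(first_full, 14, scheme),
                                    failure_at, **objectives)
            for scheme in ("incremental", "differential")}


if __name__ == "__main__":
    for scheme, r in run_demo().items():
        print(f"{scheme}: restore {len(r['chain'])} sets, data loss {r['data_loss_window']}, "
              f"RPO met {r['rpo_met']}, est. restore {r['estimated_restore_time']}, "
              f"RTO met {r['rto_met']}, RTO within MTD {r['rto_within_mtd']}")
```

Both schemes lose the same 12 hours of data, so RPO is met either way; the difference is restore time. The incremental chain needs four sets (full plus Monday, Tuesday and Wednesday incrementals) and at three hours each misses the 8-hour RTO, while the differential chain needs two sets and meets it. That trade-off, faster nightly backups against a longer and more fragile restore, is exactly what an auditor should ask to see evidenced in a DRP test result rather than in a policy document.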
### Domain 5: Protection of Information Assets (27%)
The largest domain. It covers the technical and administrative controls used to protect information.
**Key concepts:**
- Access control types: preventive, detective, corrective; logical vs physical
- Identity and access management: authentication factors, SSO, privileged access management (PAM)
- Network security: firewalls, IDS/IPS, DMZ, VPN, network segmentation
- Cryptography: symmetric vs asymmetric encryption, hashing, PKI, digital signatures, certificates
- Data classification and handling
- Security monitoring: SIEM, log management, anomaly detection
- Vulnerability management and penetration testing
- Privacy regulations and data protection requirements
**Weight implication:** ~40 questions — more than a quarter of the exam. Allocate proportionally more study time here.
---
## CISA vs CISM vs CISSP: Which Is Right for You?
| Factor | CISA | CISM | CISSP |
|--------|------|------|-------|
| Focus | IT audit and assurance | Security management | Security architecture/management |
| Primary audience | IT auditors, compliance professionals | Security managers, CISOs | Security architects, senior practitioners |
| Questions | 150 | 150 | 100–150 (computer adaptive) |
| Time | 4 hours | 4 hours | 3 hours |
| Fee | $760 | $760 | $749 |
| Passing score | 450/800 | 450/800 | 700/1000 |
| Experience required | 5 years IS audit/control | 5 years infosec, at least 3 in security management | 5 years in 2+ of the 8 CISSP domains |
| Technical depth | Low-medium | Low (management-focused) | High |
| Issuing body | ISACA | ISACA | ISC2 |
**Choose CISA** if your role involves auditing IT systems, evaluating controls, or compliance assessment.
**Choose CISM** if your role is managing an information security program or team.
**Choose CISSP** if you need broad security architecture and technical depth, especially for senior practitioner roles.
Many professionals hold both CISA and CISM, as they complement each other well.
---
## Recommended Study Resources
### Primary Resources
- **ISACA CISA Review Manual (2024/2025 edition)** — the official study guide. Dense but comprehensive. Use it as your reference, not your first read.
- **ISACA CISA QAE (Questions, Answers & Explanations)** — official question bank with 1,000+ questions. Essential for exam-style practice.
- **CertLand CISA Practice Exam** — 340 exam-style questions covering all 5 domains with detailed explanations.
### Supplemental Resources
- **Hemang Doshi (Udemy)** — highly rated CISA video course; explains concepts in plain language with real-world examples. Particularly strong on governance and audit process.
- **Mike Chapple** — well-regarded for CISA and CISSP; clear writing style with good exam-tip content.
- **ISACA's free resources** — ISACA provides IS Audit Standards and Guidelines free on their website. Reading the actual standards (even briefly) helps you understand how ISACA thinks.
### Practice Questions
Do not underestimate the importance of volume practice. Target 1,500–2,000 questions before exam day. ISACA-style questions test your ability to select the "best" answer among options that are all technically correct — the distinction is often about what an auditor should do first, or which action is most appropriate.
---
## 10-Week Study Plan
This plan assumes roughly 10–12 hours of study per week (about 1.5–2 hours per day on weekdays, plus a longer session on weekends).
| Week | Focus | Activities |
|------|-------|------------|
| 1 | Domain 5 (Part 1) | Read Review Manual Ch. 5 (access control, IAM, network security). 30 practice questions. |
| 2 | Domain 5 (Part 2) | Cryptography, PKI, monitoring, vulnerability management. 40 practice questions. |
| 3 | Domain 4 (Part 1) | IT operations, asset/configuration management, BIA. 30 practice questions. |
| 4 | Domain 4 (Part 2) | BCP/DRP, testing types, cloud audit. 40 practice questions. |
| 5 | Domain 1 | Audit standards, evidence types, audit risk model, sampling. 40 practice questions. |
| 6 | Domain 2 | COBIT 2019, IT governance vs management, vendor management. 30 practice questions. |
| 7 | Domain 3 | SDLC phases, change management, project controls, acquisition. 30 practice questions. |
| 8 | Full review | Weak areas from Weeks 1–7. Re-read key sections. 50 practice questions. |
| 9 | Timed mock exams | 2–3 full 150-question timed exams. Score analysis. Target 70%+ per domain. |
| 10 | Final review | Quick-reference summaries only. Light practice (20–30 questions/day). Rest before exam. |
### Study Tips
**Think like an auditor, not a technician.** CISA questions often present a technical situation and ask what an auditor should do. The answer is almost always: gather evidence, assess controls, follow standards, and report to management. Avoid answers that involve the auditor taking corrective action — that's management's job.
**Learn the ISACA answer hierarchy.** When multiple answers seem correct, ask: (1) What does an auditor do first? Usually: plan, assess risk, review policies, then test. (2) Who has authority? Senior management authorizes risk decisions. (3) What is most objective? Re-performance > inspection > observation > inquiry.
**Memorize the BCP/DRP hierarchy.** MTD (Maximum Tolerable Downtime) > RTO (Recovery Time Objective) > RPO (Recovery Point Objective). MTD comes from the business via the BIA and bounds the technical RTO: a recovery strategy whose RTO exceeds MTD is a finding. RPO is the maximum acceptable data loss measured backwards from the failure, so it drives backup frequency, not recovery speed. This relationship appears frequently.
**Use COBIT 2019 language.** ISACA frames governance and management questions using COBIT. Know the difference between governance (board/executives set direction) and management (CISO/CIO executes).
---
## Final Thoughts
The CISA is not the hardest exam you will ever take, but it demands a specific mindset. You are not answering as a developer, network engineer, or security analyst — you are answering as an **independent IS auditor** who evaluates controls objectively and reports findings according to standards.
If you study consistently, practice extensively, and internalize the auditor's perspective, 10 weeks is a realistic timeline. The $760 investment pays off quickly: salary surveys commonly report premiums in the $15,000–$30,000 range for CISA holders over non-certified peers in audit and compliance roles.
Start with Domain 5 (the largest), work through the others proportionally, and hit 1,500+ practice questions before exam day. You've got this.
---
*Practice for the CISA exam on CertLand with 340 exam-style questions covering all 5 domains.*