How Many Questions Are on the CISA Exam? A Complete 2026 Guide

The ISACA Certified Information Systems Auditor (CISA) exam contains 150 multiple-choice questions with a generous 240-minute (4-hour) time limit. The passing score is 450 on a scale of 200-800, utilizing ISACA's scaled scoring model. CISA is recognized globally as the gold standard for IT auditing, control, and assurance professionals, currently held by over 151,000 experts worldwide.

With an average of 1 minute and 36 seconds per question, time pressure is rarely the primary challenge on the CISA exam. Instead, the real difficulty lies in grasping ISACA's distinctive questioning style, which heavily emphasizes the "best" or "most important" auditor action in complex, ambiguous scenarios. Passing CISA requires adopting a strict audit and risk-based mindset.

Questions: 150
Time Limit: 240 min
Passing Score: 450/800
Exam Cost: $575-$760

CISA Domain Breakdown (5 Domains)

The CISA exam evaluates your competence across five distinct job practice domains. Understanding this distribution is crucial for focusing your study efforts:

| Domain | % of Exam | ~Questions | Key Topics |
|---|---|---|---|
| 1. IS Auditing Process | 21% | ~32 | Audit planning, risk-based auditing, execution, reporting, follow-up, evidence gathering |
| 2. Governance and Management of IT | 17% | ~26 | IT governance frameworks, strategic alignment, policies, enterprise architecture, risk management |
| 3. IS Acquisition, Development, Implementation | 12% | ~18 | SDLC, project management, post-implementation reviews, change management |
| 4. IS Operations and Business Resilience | 23% | ~35 | IT service management, database admin, disaster recovery (DRP), business continuity (BCP) |
| 5. Protection of Information Assets | 27% | ~41 | Access controls, network security, encryption, physical security, PKI, cyber attacks |

Strategic Focus: Notice that Domain 5 (27%) and Domain 4 (23%) together represent exactly 50% of the exam (75 questions). Mastering information asset protection and business resilience/operations is an absolute requirement for passing.

Question Format and ISACA's Testing Philosophy

The CISA exam is entirely multiple-choice with exactly four options per question. There are no performance-based questions (PBQs), simulations, or drag-and-drop elements. However, ISACA questions are famously tricky. You must adapt to the "ISACA way":

The Audit Mindset

Time Management Strategy

With 240 minutes for 150 questions, rushing is unnecessary. A structured approach works best:

  1. First pass (120-150 minutes): Answer every question. Flag questions where you are debating between two options. Do not leave any blank.
  2. Break (10 minutes): Step away from the screen, stretch, and clear your head. Reading ISACA questions is mentally exhausting.
  3. Second pass (45-60 minutes): Review all flagged questions. Re-read the scenario carefully. Pay attention to qualifiers like "FIRST", "GREATEST", or "PRIMARY".
  4. Final review (20 minutes): Ensure all questions are answered.

CISA vs. Other Governance & Security Certifications

| Certification | Questions | Time Limit | Passing Score | Cost | Primary Focus |
|---|---|---|---|---|---|
| CISA (ISACA) | 150 | 240 min | 450/800 | $575-$760 | IS Auditing & Assurance |
| CISM (ISACA) | 150 | 240 min | 450/800 | $575-$760 | Security Management |
| CRISC (ISACA) | 150 | 240 min | 450/800 | $575-$760 | IT Risk Management |
| CISSP (ISC)² | 125-175 | 240 min | 700/1000 | $749 | Broad Information Security |
| CIA (IIA) | 125 (per part) | 150 min | 600/750 | Varies | Internal Auditing (Broad) |

CISA vs. CISM: CISA is designed for auditors who evaluate and report on IT controls. CISM is for managers who design and oversee security programs. If your job involves checking compliance and evaluating risk controls, pursue CISA. If you build security strategies, pursue CISM.

Study Preparation Guide

Candidates typically need 8-12 weeks of study at 2-3 hours daily. Preparation is heavily reliant on practice questions:

Frequently Asked Questions

How many questions are on the CISA exam?

The exam contains 150 multiple-choice questions to be completed in 240 minutes (4 hours). This gives you about 1 minute and 36 seconds per question.

What is the CISA passing score?

450 on a scaled score of 200-800. ISACA uses a scaled model where question difficulty affects scoring, meaning you cannot translate this to a simple percentage.

How hard is CISA compared to CISSP?

CISA is narrower in scope (5 domains focused on auditing) but requires a deep understanding of audit methodology. CISSP is generally considered harder because it covers 8 broad domains of security engineering and management.

What experience is required to get CISA certified?

You need 5 years of professional IS audit, control, or security experience. Substitutions are available (up to 3 years) for specific degrees or other certifications.

How long should I study for CISA?

If you have an audit background, 8-12 weeks at 2-3 hours daily is typical. If you have an IT background but no audit experience, expect 12-16 weeks to fully grasp the auditor mindset.

Does CISA have PBQs or simulation questions?

No. The CISA exam is entirely multiple-choice with scenario-based questions. There are no command-line simulations or PBQs.

How much does CISA cost?

$575 for ISACA members and $760 for non-members. ISACA membership typically costs $135 plus local chapter fees, making the member route cost-effective.

Does CISA expire?

Yes. To maintain your CISA, you must earn a minimum of 20 Continuing Professional Education (CPE) hours annually, reach 120 CPEs over a 3-year cycle, and pay an annual maintenance fee.
