The Certified Information Systems Auditor (CISA) is ISACA's flagship certification for IT auditors and assurance professionals. What makes CISA unique is its focus on the auditor's perspective—you must learn to think like someone who evaluates and assesses controls rather than implements them. This comprehensive guide will help you develop that mindset and pass on your first attempt.
Understanding the CISA Exam
Before beginning your preparation, understand what makes the CISA exam unique:
- Number of Questions: 150 multiple-choice questions
- Duration: 4 hours
- Passing Score: 450 out of 800 (scaled scoring)
- Five Domains: Comprehensive IT audit coverage
- Experience Requirement: 5 years of IS audit, control, or security experience
- Certification Validity: 3 years with CPE requirements
Critical: Think Like an Auditor
The most common reason candidates fail CISA is answering from an IT professional's perspective rather than an auditor's. Auditors assess, evaluate, test controls, and make recommendations—they don't implement solutions. When in doubt, choose the answer that involves evaluation and reporting.
The Five CISA Domains
CISA covers five domains. Notice that Domains 4 and 5 together represent 50% of the exam:
Domain 1: Information Systems Auditing Process (21%)
Audit standards, planning, execution, documentation, and reporting. Understand ISACA audit standards, risk-based audit planning, evidence gathering, audit workpapers, and communicating findings. This domain establishes the foundation for everything else.
Domain 2: Governance and Management of IT (17%)
IT governance frameworks, policies, organizational structures, and enterprise architecture. Learn COBIT, IT strategic planning, portfolio management, and how auditors assess IT governance effectiveness.
Domain 3: Information Systems Acquisition, Development, and Implementation (12%)
SDLC phases, project management, change management, and system implementation controls. Understand how auditors evaluate development methodologies, testing, and post-implementation reviews.
Domain 4: Information Systems Operations and Business Resilience (23%)
IT service management, operations controls, incident management, and business continuity. This is the second-largest domain—master IT operations from an audit perspective, including capacity planning, SLAs, and disaster recovery.
Domain 5: Protection of Information Assets (27%)
Security controls, access management, network security, and data protection. The largest domain covers how auditors evaluate security frameworks, identity management, encryption, and physical security controls.
16-Week Study Plan
This study plan assumes 10-15 hours of study per week. Focus heavily on the auditor's perspective:
Weeks 1-4: Audit Fundamentals & Governance
- Master ISACA audit standards and guidelines
- Understand risk-based audit planning methodology
- Learn audit evidence types and evaluation techniques
- Study IT governance frameworks (especially COBIT)
- Practice thinking "What would an auditor evaluate?"
- Complete 75+ practice questions on Domains 1 and 2
Weeks 5-8: Development & Operations
- Study SDLC phases from an audit perspective
- Learn change management and configuration controls
- Understand IT operations and service management
- Master business continuity and disaster recovery concepts
- Study incident response and problem management
- Complete 75+ practice questions on Domains 3 and 4
Weeks 9-12: Information Asset Protection
- Master security control frameworks from an audit perspective
- Study access control models and identity management
- Learn network security and encryption concepts
- Understand physical and environmental controls
- Study data classification and protection methods
- Complete 100+ practice questions on Domain 5
Weeks 13-16: Review & Practice Exams
- Take 4-5 full-length practice exams (150 questions each)
- Focus on developing the auditor mindset for each question
- Review weak areas identified in practice tests
- Re-study control types: preventive, detective, corrective
- Master sampling techniques and evidence evaluation
- Schedule exam when scoring 75%+ consistently
Key Concepts to Master
The Auditor's Role
- Assess: Evaluate the design and effectiveness of controls
- Test: Gather evidence through substantive and compliance testing
- Document: Maintain audit workpapers and evidence
- Report: Communicate findings and recommendations
- Follow-up: Verify management's corrective actions
Control Types
- Preventive: Controls that stop incidents before they occur
- Detective: Controls that identify incidents after they occur
- Corrective: Controls that fix issues after detection
- Compensating: Alternative controls when primary controls are impractical
Audit Evidence Types
- Physical evidence: Direct observation and inspection
- Documentary evidence: Policies, procedures, logs, reports
- Testimonial evidence: Interviews and representations
- Analytical evidence: Calculations, comparisons, trend analysis
Pro Tip: The ISACA Mindset
When facing scenario questions, always ask: "What would an auditor do FIRST?" The answer usually involves assessing, evaluating, or gathering evidence—not implementing fixes. Auditors recommend; management implements.
Essential Study Resources
- ISACA CISA Review Manual: The official and most comprehensive resource
- ISACA QAE (Questions, Answers & Explanations): Official practice questions
- COBIT 2019 Framework: Critical for governance questions
- ISACA Audit and Assurance Standards: Know the standards well
- PrepForCerts Practice Tests: Smart Practice exam simulation
Common Mistakes to Avoid
- Thinking like a security professional: Auditors assess, they don't implement
- Ignoring the audit process domain: Domain 1 establishes the framework for everything
- Underestimating Domains 4 and 5: These represent 50% of the exam
- Memorizing without understanding: CISA tests application, not just recall
- Skipping the ISACA standards: Many questions reference specific standards
Key Phrase Alert: "What should the auditor do FIRST?"
When you see "FIRST" in a question, look for answers involving assessment, evaluation, or understanding the situation—never immediate implementation or technical fixes. Auditors always assess before recommending.
Exam Day Strategy
- Read each question from the auditor's perspective
- Look for keywords: "BEST," "FIRST," "MOST important"
- Eliminate answers that involve implementation over assessment
- Consider what evidence an auditor would need
- Manage time: ~1.6 minutes per question (4 hours / 150 questions)
- Flag difficult questions and return to them later
Frequently Asked Questions
How long should I study for the CISA exam?
Most candidates need 3-4 months of dedicated study, investing 10-15 hours per week. Those with existing audit experience may need less time. The key challenge is developing the auditor mindset rather than just learning concepts.
What is the CISA exam format?
The CISA exam consists of 150 multiple-choice questions to be completed in 4 hours. The passing score is 450 out of 800 using a scaled scoring method. Questions are heavily scenario-based, testing your ability to think like an auditor.
What experience is required for CISA certification?
CISA requires 5 years of professional experience in IS auditing, control, assurance, or security. Substitutions are available: up to 3 years for certain education and up to 2 years for related certifications. You can take the exam before meeting the experience requirement.
Is CISA harder than CISSP?
They test different skills. CISA focuses specifically on audit and assurance, requiring the auditor mindset. CISSP covers broader security management. Many security professionals find CISA challenging because they must shift from an implementer's to an evaluator's perspective.
How does CISA compare to CISM?
CISA focuses on IT audit and assurance—evaluating controls and making recommendations. CISM focuses on information security management—building and managing security programs. CISA is ideal for auditors; CISM for security managers and leaders.