ISACA CISA Certification

Certification guide

Certified Information Systems Auditor (CISA) is ISACA’s flagship credential for the people who provide assurance — the practitioners who plan and execute risk-based audits, evaluate whether IT governance actually aligns technology with business objectives, and render defensible conclusions about the state of an organization’s systems, controls, and resilience. In continuous use since 1978 and held by more than 200,000 professionals worldwide, it is the de facto entry ticket for IT audit, and a standing requirement in job postings across internal audit, Big Four assurance practices, compliance, and risk functions.

The exam content outline in force today took effect August 1, 2024, and the recalibration matters: the same five domains remain, but the weight shifted decisively toward the operational end of the job. Information Systems Operations and Business Resilience rose to 26% and Protection of Information Assets sits at 26% — together, 52% of your scored questions. ISACA also threaded disruptive-technology expectations through the outline: data analytics in the audit process, evaluating automated and AI-assisted decision-making systems, cloud operating models, and the audit implications of DevOps delivery. If your study materials still show the old 21/17/12/23/27 split, they predate the current exam.

150 questions 240 min Scaled 200–800 · pass 450 No penalty for wrong answers PSI center or remote proctor 5 yrs experience (waivers available) 120 CPE / 3 yrs 5 domains

Every question on the exam is multiple choice, and nearly every hard one turns on judgment rather than recall: not “what is a firewall” but “what should the auditor do FIRST,” “which finding is the GREATEST concern,” “what is the BEST evidence.” The five domains below are the map — and your study hours should follow the weights, not your comfort zone.

Domain 1 · 18%

Information Systems Auditing Process

The professional core: audit charters, risk-based planning, standards and ethics, evidence and sampling (attribute, variable, discovery, stop-or-go), CAATs and data analytics, control self-assessment, reporting, follow-up, and quality assurance over the audit function itself. This domain teaches you to think the way the rest of the exam expects you to answer.

Domain 2 · 18%

Governance and Management of IT

Whether leadership actually steers IT: governance frameworks and steering committees, policy hierarchies, risk appetite and response, maturity models and balanced scorecards, organizational structure and segregation of duties, HR controls, and the full third-party arc — vendor selection, SLAs, right-to-audit clauses, offshore and fourth-party risk, and data ownership roles.

Domain 3 · 12%

Information Systems Acquisition, Development and Implementation

The lightest domain by weight, covering how systems come to exist: feasibility studies and business cases, project governance, SDLC methodologies from waterfall through agile and CI/CD pipelines, requirements traceability, testing tiers and UAT, data migration controls, cutover strategies, post-implementation reviews, and vendor protections like source-code escrow.

Domain 4 · 26%

Information Systems Operations and Business Resilience

One of the two scoring heavyweights. Day-to-day operations — incident, problem, and change management, patching, job scheduling, interfaces, database integrity, end-user computing, capacity, monitoring, virtualization and cloud operations — flowing directly into resilience: the BIA, RPO and RTO, backup schemes and restore testing, alternate-site strategies, and the full ladder of BCP/DRP test types.

Domain 5 · 26%

Protection of Information Assets

The security domain, equal in weight to Domain 4: identity and access management, MFA and biometrics, privileged account controls, physical and environmental protection, network security from firewalls and DMZs to segmentation and IDS/IPS, cryptography and PKI, data classification, DLP, media sanitization, security awareness, vulnerability management and penetration testing, and SIEM-driven monitoring.

Our practice exams mirror the real thing: 150 original questions per exam, stratified to the exact blueprint — 27 questions each from Domains 1 and 2, 18 from Domain 3, and 39 each from Domains 4 and 5 — on a 240-minute timer, with a full explanation behind every answer so each review pass teaches the reasoning ISACA rewards, not just the letter.

A note on the pass mark: ISACA scores CISA on a scaled range of 200–800 with 450 required to pass, and the scaled conversion does not map linearly to a raw percentage. The prep community’s long-standing working proxy is roughly 65% raw, so that is where we set the practice pass line. Treat it as a floor, not a target — candidates who consistently score in the mid-70s and above on realistic practice exams walk into the testing center with genuine margin.

ISACA CISA - Practice Exam

Full-length ISACA CISA practice exam — 150 original questions weighted to the current exam content outline (Auditing Process 18%, Governance & Management of IT 18%, Acquisition,…

150 questions 240 min pass 65%
Subscribe to start

Trademark notice & independence

CISA® and ISACA® are registered trademarks of ISACA (Information Systems Audit and Control Association). Certifym is an independent study resource and is not affiliated with, sponsored by, or endorsed by ISACA. Use of these marks is solely to identify the certification for which these study materials are intended. The CISA Exam Content Outline and its domain structure are the property of ISACA; candidates should download the official, current exam content outline directly from isaca.org.

All questions, answers, and explanations on Certifym are original content created for practice purposes. They are not actual ISACA examination questions and are not represented as such. Practicing with these materials does not guarantee a passing result on any live certification exam. Exam requirements, format, domain weights, and eligibility criteria are set by ISACA and may change; always verify current details at isaca.org before scheduling your exam.