How to pass Certified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) is ISACA's professional certification for the people who audit, control, and assure information systems. It is not a hacking exam or a build exam. It tests whether you can plan an audit, gather evidence, evaluate controls against an objective, and report what you find, all while staying independent of the thing you are judging. The role it describes is the auditor's: you assess and advise, you do not run the system or fix the control yourself.
It suits IT auditors, internal and external assurance staff, security and risk professionals moving into audit, and the IT and compliance people who sit on the other side of the audit and need to understand it. The exam is 150 multiple-choice questions in 240 minutes across five domains, scored 200 to 800 with 450 to pass. Operations and Business Resilience and Protection of Information Assets carry 26 percent each, so just over half the exam sits in those two. ISACA also requires five years of relevant work experience to be certified, though you may sit the exam first and claim it within five years.
The exam rewards the audit mindset over technical depth. Most questions are short scenarios where several options are technically correct and only one is the BEST, MOST important, or PRIMARY answer for an auditor. The skill being tested is choosing correctly under that ambiguity from the auditor's seat, which is why practising on scenario questions with a worked explanation, and a reason every wrong option is wrong, beats memorising definitions.
CISA rewards thinking like an independent auditor, not an engineer: pick the BEST answer for someone who evaluates and reports on controls rather than the one who builds or fixes them.
Difficulty: Advanced
Best for: IT auditors and internal or external assurance staff, security, risk, and compliance professionals moving into audit, and the IT managers who are audited and need to understand the process and the standards behind it.
Prerequisites: None to sit the exam. ISACA requires five years of IS audit, control, or security work experience to be certified, with some substitutions, and you may pass the exam first and claim certification within five years.
Questions: 150
Time allowed: 240 min
Pass mark: 450 / 800
Exam cost (USD): $575
Practice questions: 293
How this exam thinks
One shift in mindset separates a pass from a fail on CISA, and it is not about knowing more technology. You have to answer as an auditor, not as an engineer. The single most common failure is reading a scenario and reaching for the fix you would implement, when the exam wants the thing an independent auditor would do: assess, gather evidence, evaluate against a control objective, and report. The auditor evaluates and recommends; the auditor does not operate the control, write the patch, or own the remediation. When an option has you fixing the problem yourself, it is usually the wrong answer, however sensible it sounds.
Read the qualifier in capitals, because ISACA almost never asks for an answer that is simply correct. It asks for the BEST, the MOST important, the FIRST step, the PRIMARY concern, or the GREATEST risk. Several options will be true. Only one is the best fit for the question as written, and the qualifier tells you which axis to judge on. MOST and BEST reward the option that addresses the root cause or the highest risk; FIRST rewards the step that must come before the others, which in audit is almost always to understand the scope, the objective, or the risk before testing or recommending anything.
Two principles decide the close calls. Independence and objectivity come first: an auditor cannot audit work they performed or own a control they assess, so any option that compromises that separation is wrong. Evidence comes before opinion: the auditor's conclusion rests on sufficient, reliable, relevant evidence, not on assurance from management or on what the policy says should happen. A third rule settles what those two leave open: control objectives matter more than control mechanics. The exam cares that you can tell whether a control meets its objective far more than whether you can configure it. When two answers look right, choose the one an independent auditor, working from evidence against an objective, would defend.
What each domain tests and how to study it
The CISA blueprint is split across 5 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.
Domain 1: Information Systems Auditing Process
What you must be able to do. Plan a risk-based audit under ISACA standards, choose the right testing and sampling approach, gather sufficient evidence, and report findings to the right stakeholders.
In one sentence. The craft of auditing itself: the standards and ethics, risk-based planning, evidence and sampling, and how you report what you find.
Recall check: answer these from memory first
Put these in order of authority and say which is mandatory: ISACA audit standard, guideline, procedure.
Distinguish compliance testing from substantive testing, and give a one-line example of each.
Rank these by reliability and say why: a confirmation from the bank, a screenshot from the auditee, the auditor's own re-performance.
What it tests. How an IS audit is run from end to end. Planning under the ISACA IS audit standards, guidelines, and code of ethics; selecting audit types and applying risk-based planning so effort follows risk; managing the audit as a project; testing and sampling methodology, including the difference between compliance and substantive testing and between statistical and judgemental sampling; collecting sufficient, reliable, and relevant evidence and using data analytics; reporting and communicating findings to stakeholders; and quality assurance over the audit process itself through a quality assurance and improvement programme.
How to study it. Learn the audit lifecycle as a fixed order and the vocabulary precisely, because this domain underpins every other one. Fix the standards-guidelines-procedures hierarchy: standards are mandatory, guidelines advise, procedures show how. Know why risk-based planning exists, to direct limited audit effort at the areas of greatest risk. Drill the evidence hierarchy, that evidence from an independent external source outranks evidence supplied by the auditee, and that observation and re-performance outrank inquiry. Keep compliance testing (does the control operate as designed) distinct from substantive testing (is the balance or figure actually correct). Practise placing a scenario at the right phase, because the exam loves asking what the auditor should do FIRST.
Easy to confuse
Compliance testing versus substantive testing. Compliance testing checks whether a control operates as designed; substantive testing checks whether the data or balance itself is correct. If the question is about control operation it is compliance; if it is about the accuracy of the underlying figures it is substantive.
ISACA standards versus guidelines. Standards are mandatory and define the minimum the auditor must do; guidelines advise on how to apply them and are not mandatory. When an option treats a guideline as binding or a standard as optional, it is wrong.
Inherent risk versus control risk versus detection risk. Inherent risk is the exposure before any control; control risk is that a control fails to catch a problem; detection risk is that the audit itself misses it. The auditor cannot change inherent or control risk, only detection risk, by doing more or better testing.
Worked example from the CISA bank
Free sample: Information Systems Auditing Process (medium)
An IS auditor is preparing the annual audit plan for a mid-sized retail bank. Senior management has asked that prior-year findings drive the selection of auditable units, while the audit committee has asked for coverage that reflects the bank's current risk profile. Which approach should the IS auditor adopt as the PRIMARY basis for selecting auditable units?
A. Assess inherent risk, control risk and detection risk for each auditable unit and allocate effort to the highest residual risk areas. (Correct)
B. Schedule each auditable unit on a fixed three-year rotation so every system is covered at least once in the cycle.
C. Re-audit every area where the previous year's report contained a high-rated finding before considering any new auditable units.
D. Prioritise the auditable units that the available audit staff have the strongest technical familiarity with for the coming year.
Risk-based audit planning selects auditable units from inherent, control and detection risk rather than rotation, prior findings or auditor availability. ISACA IS Audit and Assurance Standards require the annual plan to reflect the organisation's current risk profile. The auditor combines inherent risk in each unit, the strength of related controls and the residual detection risk to rank units, so that scarce assurance effort lands where the chance and impact of material misstatement or control failure is greatest.
Why A is correct: This is the risk-based audit planning model required by ISACA standards; effort is concentrated where residual risk is highest, which is the defensible basis for an annual plan.
Why B is wrong: Fixed-rotation cycles are tempting because they look fair and predictable, but ISACA standards require selection driven by current inherent and control risk, not calendar rotation that ignores threat changes.
Why C is wrong: Following up prior findings is necessary but partial; it anchors the plan on history rather than the current risk profile and leaves emerging high-risk areas uncovered.
Why D is wrong: Staffing convenience is tempting in a resource-constrained team, but ISACA requires the plan to be driven by risk; auditor availability informs delivery, not selection.
Domain 2: Governance and Management of IT
What you must be able to do. Evaluate IT governance, strategy, policy, risk, and vendor arrangements against the law and recognised frameworks, and judge whether management's structures actually achieve their objectives.
In one sentence. The board-and-management layer: IT governance and strategy, policies and architecture, enterprise and privacy risk, and how IT resources and vendors are managed.
Recall check: answer these from memory first
State the dividing line between IT governance and IT management, and name who is accountable for setting risk appetite.
What is the single most important clause to secure in an outsourcing contract from an auditor's standpoint, and why?
Name the primary purpose of a framework such as COBIT in one line.
What it tests. Whether IT is directed and controlled to serve the organisation. Evaluating IT governance, organisational structure, and IT strategy against applicable laws, regulations, and industry standards; assessing IT policies, standards, and procedures, enterprise architecture, and enterprise risk management; evaluating privacy programmes and principles alongside data governance and classification; judging IT resource management and IT vendor and third-party management; and confirming that IT performance is monitored, reported, and quality-managed against objectives. The auditor here checks that governance structures exist, align IT with business objectives, assign clear accountability, and actually work in practice.
How to study it. Think about whether governance achieves its objective, not whether a document exists. Learn the distinction that governance sets direction and monitors (the board's job) while management executes within it; the exam tests who is accountable for what. Know the role of frameworks such as COBIT as a means to align IT with business goals, not as trivia. For risk, understand that the board owns risk appetite and that risk is managed, not eliminated. For third parties, remember the auditor's recurring point: you can outsource the activity but not the accountability, and the right to audit must be written into the contract. Match a governance weakness to the control that addresses it rather than memorising lists.
Easy to confuse
Governance versus management. Governance sets direction, sets risk appetite, and monitors outcomes; management plans and runs IT within that direction. The board governs and is accountable; management executes and is responsible. The exam tests which layer a given activity belongs to.
Outsourcing the activity versus outsourcing the accountability. You can transfer the work to a vendor, but accountability for the outcome and the data stays with your organisation. Any answer that treats a third party as carrying your accountability, or that drops the right to audit, is wrong.
Risk appetite versus risk tolerance. Risk appetite is how much risk the organisation will accept overall, set by the board; risk tolerance is the acceptable variation around a specific objective or control. Appetite is strategic and broad; tolerance is the practical limit on one item. The exam tests which one a statement expresses.
Worked example from the CISA bank
Free sample: Governance and Management of IT (medium)
Which statement BEST distinguishes IT governance from IT management within an enterprise?
A. IT governance is the daily oversight of IT operations by the chief information officer, while IT management is the strategic stewardship exercised by the audit committee.
B. IT governance is performed only by external auditors providing assurance over IT, while IT management is performed by internal audit through control self-assessment.
C. IT governance is identical to IT management once a control framework such as COBIT 2019 has been adopted across the enterprise.
D. IT governance directs and evaluates the enterprise so that IT supports strategic objectives, while IT management plans, builds and runs IT services to deliver agreed outcomes. (Correct)
Distinguish IT governance from IT management as separate but linked accountabilities defined by COBIT 2019 and ISO/IEC 38500. Governance is the board-level activity of evaluating, directing and monitoring the use of IT to meet stakeholder needs, while management plans, builds, runs and monitors IT activities within the direction set by governance. COBIT 2019 codifies this split by labelling EDM objectives as governance and APO/BAI/DSS/MEA objectives as management, and ISO/IEC 38500 frames the same separation as the three governance tasks.
Why A is wrong: This inverts the recognised roles. The board and its committees govern, and the chief information officer manages; conflating the two undermines the separation of decision rights established by COBIT 2019.
Why B is wrong: Assurance providers do not govern or manage IT; they evaluate it. Treating audit as the governance function removes accountability from those charged with governance and is a common candidate trap.
Why C is wrong: Adopting a framework does not collapse the distinction. COBIT 2019 explicitly separates the governance objectives from the management objectives precisely to preserve segregation of decision rights.
Why D is correct: This reflects the ISO/IEC 38500 and COBIT 2019 distinction: governance sets direction, evaluates performance, and monitors compliance through the board, whereas management executes the plans within governance constraints.
Domain 3: Information Systems Acquisition, Development and Implementation
What you must be able to do. Evaluate how systems are justified, built, controlled, tested, and put into production, and confirm that the right controls are designed in before go-live rather than bolted on after.
In one sentence. The build-and-buy lifecycle through an auditor's eyes: the business case, development methodology, application controls, and getting a system safely into production.
Recall check: answer these from memory first
Name the three families of application controls and give one example of each.
Order the testing stages from unit to acceptance, and say what user acceptance testing specifically proves.
Which system changeover approach is the riskiest and why, and which is the safest but most costly?
What it tests. How systems are acquired and delivered, and where the controls sit. Evaluating project governance and management, the business case, and feasibility analysis; assessing system development methodologies such as the SDLC and agile, and the identification and design of application controls (input, processing, and output controls); evaluating system readiness, implementation testing, configuration, and release management; and assessing system migration, infrastructure deployment, data conversion, and the post-implementation review. The recurring theme is that controls are cheapest and most effective when designed in early, and that the auditor confirms they exist before the system goes live.
How to study it. Concentrate on where controls live in the lifecycle and what each test proves. Learn the application-control families: input controls (validation, edit checks) catch bad data going in, processing controls keep it correct in flight, and output controls protect what comes out. Know the testing ladder (unit, then integration, then system, then user acceptance testing) and that UAT is the users' sign-off that the system meets requirements. Understand why building security and controls in early beats retrofitting: the cost of fixing a defect rises sharply the later it is found. Keep the cutover strategies distinct (parallel, phased, pilot, big-bang or direct) and know which carries the most risk. Remember that the post-implementation review checks whether the system delivered the promised benefits.
Easy to confuse
Verification versus validation. Verification asks "are we building the system right" (does it meet the specification); validation asks "are we building the right system" (does it meet the user's actual need). User acceptance testing is validation, not verification.
Parallel versus phased versus big-bang changeover. Parallel runs old and new together and is safest but costliest; phased cuts over in stages; big-bang or direct switches all at once and carries the most risk because there is no fallback. The exam picks the answer by how much risk the scenario can tolerate.
Application controls versus general controls. Application controls operate inside one system over its transactions (input, processing, output); general controls are the pervasive IT controls (access, change, operations) that the applications rely on. A weak general control undermines every application control above it.
Worked example from the CISA bank
Free sample: Information Systems Acquisition, Development and Implementation (medium)
Which statement BEST describes the primary purpose of a business case at the outset of a systems acquisition project?
A. To document the detailed functional and non-functional requirements that the chosen vendor must satisfy before contract award.
B. To justify the proposed investment by linking expected benefits, costs and risks to a defined business problem and strategy. (Correct)
C. To record the agreed acceptance criteria that the steering committee will use to sign off the system at go-live.
D. To list the project deliverables, milestones and resource assignments that the project manager will track in the schedule.
Recognise that a business case justifies an investment by linking expected benefits, costs and risks to a defined business problem and strategy. Investment governance requires a documented case that ties forecast benefits, whole-of-life costs and risk exposure to a strategic objective; without that linkage the steering body cannot decide whether the proposed system is worth funding relative to alternatives.
Why A is wrong: Detailed functional and non-functional requirements belong in the requirements specification produced after the business case is approved, so this confuses two separate deliverables.
Why B is correct: A business case exists to demonstrate that an investment is justified by linking forecast benefits, whole-of-life costs, risks and strategic fit, which is the basis on which governance bodies authorise funding.
Why C is wrong: Acceptance criteria are part of the user acceptance testing approach near the end of the project, not the early justification artefact reviewed by the investment board.
Why D is wrong: Deliverables, milestones and resource assignments are scheduling outputs that follow approval of the business case rather than the justification it provides.
Domain 4: Information Systems Operations and Business Resilience (26 percent)
What you must be able to do. Evaluate the controls that keep production systems running and recoverable: asset and operations management, availability, incident and change control, and the backup, continuity, and disaster-recovery plans that survive a disruption.
In one sentence. The largest domain alongside Protection: running IT in production and being able to recover it, from asset and incident management to business continuity and disaster recovery.
Recall check: answer these from memory first
Define RPO and RTO in one line each, and say which drives backup frequency and which drives the recovery-site choice.
Distinguish incident management from problem management, and change management from configuration management.
Rank hot, warm, and cold recovery sites by cost and by speed of recovery, and name what a business impact analysis produces.
What it tests. Keeping systems available and recoverable. Evaluating IT components, asset management, and end-user computing including shadow IT; assessing job scheduling, production automation, and system interfaces; evaluating availability and capacity management, problem and incident management, and change, configuration, and patch management; assessing log management, IT service level management, and database management; evaluating business impact analysis and operational and system resilience; and assessing data backup, storage, and restoration alongside business continuity and disaster recovery plans. The recovery metrics, RTO and RPO, run through the whole domain.
How to study it. This is one of the two heaviest domains, so give it the most time, and most of it is procedural. Anchor recovery to two numbers: RPO is how much data you can afford to lose (it drives backup frequency); RTO is how long you can afford to be down (it drives the recovery strategy). Know that the business impact analysis comes first and is what sets those targets. Learn the recovery-site tiers (hot, warm, and cold) by their trade-off of cost against speed of recovery. Keep incident management (restore service) distinct from problem management (remove the root cause), and change management (authorise and control changes) distinct from configuration management (know what you have). Remember that an auditor's test of any plan is evidence that it was tested, not just that it exists.
Easy to confuse
RPO versus RTO. RPO is the maximum tolerable data loss measured backwards from the outage; RTO is the maximum tolerable time to restore service. Frequent backups improve RPO; a faster recovery site or failover improves RTO.
Incident management versus problem management. Incident management restores service as fast as possible after a disruption; problem management finds and removes the underlying root cause so it does not recur. One is about the now, the other about the cause.
Hot site versus warm site versus cold site. A hot site is fully equipped and near-instant but most expensive; a cold site is bare space and cheapest but slowest; a warm site sits between. The right answer is set by the RTO the scenario allows.
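The RPO and RTO test an auditor actually performs is a comparison of each control against the target the BIA set, with evidence of testing as the third leg. The script below is an added example written for this guide, not part of the original page or of any ISACA material: the systems, their BIA targets, backup intervals, site tiers and DR test results are constructed sample data, and the rule that plans must be exercised at least annually is an assumed policy.

```python
"""Audit test of backup and recovery arrangements against BIA targets.

Added illustration for this guide; the systems, targets, schedules and test
dates below are constructed sample data, and the annual-test rule is an
assumed policy, not an ISACA requirement.
"""
from datetime import date, timedelta

# Constructed BIA output (RPO/RTO in hours) alongside the controls actually in
# place: backup interval, recovery-site tier, and evidence from the last DR test.
SYSTEMS = [
    {"name": "payments", "rpo_h": 1, "rto_h": 2, "backup_interval_h": 0.25,
     "site": "hot", "last_test": date(2024, 9, 10), "measured_recovery_h": 1.5},
    {"name": "crm", "rpo_h": 4, "rto_h": 24, "backup_interval_h": 24,
     "site": "warm", "last_test": date(2024, 3, 2), "measured_recovery_h": 12},
    {"name": "hr_portal", "rpo_h": 24, "rto_h": 72, "backup_interval_h": 24,
     "site": "cold", "last_test": None, "measured_recovery_h": None},
    {"name": "reporting", "rpo_h": 24, "rto_h": 48, "backup_interval_h": 24,
     "site": "cold", "last_test": date(2022, 11, 1), "measured_recovery_h": 60},
]

MAX_TEST_AGE = timedelta(days=365)  # assumed policy: exercise each plan at least annually

FINDING_TEXT = {
    "RPO_GAP": "backup interval exceeds RPO, so worst-case data loss breaches the target",
    "RTO_GAP": "measured recovery time from the last test exceeds RTO",
    "NO_TEST_EVIDENCE": "plan exists but there is no evidence it was ever tested",
    "STALE_TEST": "last test is older than the assumed annual testing policy",
}


def assess_recovery(systems, as_of):
    """Return {system: [finding codes]} for every system that misses a target.

    RPO is tested against backup frequency (worst-case loss is one interval);
    RTO is tested against the recovery time actually measured in a DR test,
    because an untested plan gives the auditor no evidence of its RTO.
    """
    findings = {}
    for s in systems:
        issues = []
        if s["backup_interval_h"] > s["rpo_h"]:
            issues.append("RPO_GAP")
        if s["last_test"] is None:
            issues.append("NO_TEST_EVIDENCE")
        else:
            if as_of - s["last_test"] > MAX_TEST_AGE:
                issues.append("STALE_TEST")
            if s["measured_recovery_h"] > s["rto_h"]:
                issues.append("RTO_GAP")
        if issues:
            findings[s["name"]] = issues
    return findings


def assess_sample():
    """Run the check over the constructed data as of a fixed review date."""
    return assess_recovery(SYSTEMS, as_of=date(2025, 1, 1))


if __name__ == "__main__":
    for name, codes in assess_sample().items():
        for code in codes:
            print(f"{name}: {code} - {FINDING_TEXT[code]}")
```

Note what the check does not do: it never asks which tier a system sits in, because a "hot" label on paper is not evidence; only the recovery time demonstrated in a test is compared against RTO, which is the distinction the domain keeps pressing.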
Worked example from the CISA bank
Free sample: Information Systems Operations and Business Resilience (easy)
An IS auditor is reviewing the IT asset management process at a logistics firm and finds that the configuration management database (CMDB) records hardware ownership, location, and warranty status, while the software asset register records licence entitlements and deployment counts. Which statement BEST describes how these two records should relate within a mature IT asset management programme?
A. The software asset register should be reconciled against the CMDB so that entitlements are compared with deployments and unsupported or unlicensed software is identified. (Correct)
B. The CMDB should replace the software asset register because configuration items already include installed software components and their version data.
C. The two records should remain independent to preserve segregation of duties between operations staff who maintain the CMDB and procurement staff who maintain the licence register.
D. The CMDB should be updated only when a software audit by the vendor is announced, so that the operational record matches the entitlement position at that moment.
Recognise that periodic reconciliation between the software asset register and the CMDB is the primary control for identifying licensing and deployment exposures. Software asset management relies on comparing contractual entitlements with actual deployments. The software asset register captures rights granted by licences, while the CMDB captures the operational footprint. Without reconciliation, an organisation cannot evidence licence compliance, plan renewals, or detect unsupported software that increases security and continuity risk.
Why A is correct: Reconciling entitlements held in the software asset register against deployment data in the CMDB is the recognised control that surfaces under-licensing, over-licensing, and unsupported versions, satisfying both audit and compliance objectives.
Why B is wrong: This is tempting because the CMDB does record installed software as configuration items; however, a CMDB tracks operational state for service management, not licence entitlements or contractual rights, so it cannot satisfy software asset management obligations on its own.
Why C is wrong: Segregation of duties applies to who can authorise and record asset changes, not to whether two registers may be reconciled; keeping the records permanently disconnected defeats the purpose of asset management.
Why D is wrong: Updating the CMDB only in response to vendor audits is reactive and undermines day-to-day service management; the CMDB must reflect the current operational state continuously, regardless of audit timing.
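The reconciliation the explanation describes, as an added example that is not part of the original page or of any ISACA material. The software asset register, the vendor support calendar and the CMDB extract are constructed sample data; the product names and dates are assumptions. The check compares entitlements with deployments and then checks every deployed version against its support end date, which is exactly the exposure the correct answer says reconciliation surfaces.

```python
"""Reconcile a software asset register against a CMDB extract.

Added illustration for this guide: the register, support calendar and CMDB
rows are constructed sample data, not output of any real tool.
"""
from collections import Counter
from datetime import date

# Constructed software asset register: licence entitlements held per product.
SOFTWARE_ASSET_REGISTER = {"dbserver": 4, "officesuite": 50, "ide": 10}

# Constructed vendor support calendar: end-of-support date per (product, version).
SUPPORT_ENDS = {
    ("dbserver", "12"): date(2023, 6, 30),
    ("dbserver", "14"): date(2027, 6, 30),
    ("officesuite", "2021"): date(2026, 10, 13),
    ("ide", "3.1"): date(2026, 1, 1),
}

# Constructed CMDB extract: one installed configuration item per line.
CMDB_EXTRACT = """\
host,product,version
db01,dbserver,14
db02,dbserver,14
db03,dbserver,12
db04,dbserver,14
db05,dbserver,14
ws01,officesuite,2021
ws02,officesuite,2021
ws03,officesuite,2021
dev01,ide,3.1
dev02,ide,3.1
dev03,ide,3.1
mon01,monitoragent,2.0
"""


def parse_cmdb(text):
    """Parse the CSV extract into (host, product, version) tuples, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        if line.strip():
            host, product, version = (f.strip() for f in line.split(","))
            rows.append((host, product, version))
    return rows


def reconcile(register, cmdb_rows, support_ends, as_of):
    """Compare entitlements (register) with deployments (CMDB) and support status.

    Returns one bucket per exposure type so each can be reported and owned
    separately: licence shortfall, unused entitlements (renewal planning),
    software with no licence on record, and versions past vendor support.
    """
    deployed = Counter(product for _, product, _ in cmdb_rows)
    findings = {"under_licensed": {}, "over_licensed": {}, "no_entitlement": [],
                "unsupported": [], "no_support_record": []}
    for product, count in sorted(deployed.items()):
        if product not in register:
            findings["no_entitlement"].append(product)
        elif count > register[product]:
            findings["under_licensed"][product] = count - register[product]
        elif count < register[product]:
            findings["over_licensed"][product] = register[product] - count
    for host, product, version in cmdb_rows:
        end = support_ends.get((product, version))
        if end is None:
            findings["no_support_record"].append((host, product, version))
        elif end < as_of:
            findings["unsupported"].append((host, product, version))
    return findings


def reconcile_sample():
    """Run the reconciliation over the constructed data as of a fixed review date."""
    return reconcile(SOFTWARE_ASSET_REGISTER, parse_cmdb(CMDB_EXTRACT),
                     SUPPORT_ENDS, date(2025, 1, 1))


if __name__ == "__main__":
    for bucket, items in reconcile_sample().items():
        print(f"{bucket}: {items}")
```

Each bucket maps to a different owner and objective: under-licensing is a compliance exposure, over-licensing is a cost and renewal-planning finding, a deployment with no entitlement on record is an asset-management gap, and an out-of-support version is the security and continuity risk the explanation names. Neither register could produce any of these on its own, which is why option B fails.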
Domain 5: Protection of Information Assets (26 percent)
What you must be able to do. Evaluate the controls that protect information assets: security frameworks and physical controls, identity and access management, network, endpoint, data and cloud protection, awareness, and security testing, monitoring, and incident response.
In one sentence. The other heaviest domain: the security controls themselves, judged for whether they meet their objective, across access, network, data, cloud, awareness, and incident response.
Recall check: answer these from memory first
State the one-line role of identification, authentication, authorisation, and accountability, and say which one logging supports.
What is segregation of duties, and which classic pairing should never sit with the same person?
In handling digital evidence, what does chain of custody preserve, and why does an auditor care about it most?
What it tests. Whether information assets are protected to their classification. Evaluating security frameworks, standards, and guidelines and physical and environmental controls; assessing identity and access management, including authentication and authorisation; evaluating network and endpoint security, data loss prevention, encryption, and public key infrastructure; assessing cloud and virtualisation security and mobile, wireless, and IoT security; evaluating security awareness training and programmes and the attack methods and techniques used against systems; and assessing security testing and monitoring tools, incident response, and evidence collection and forensics. The auditor judges whether each control meets its objective, not whether they could build it.
How to study it. Study these controls for their objective and their evaluation, not their configuration, because you are auditing them, not deploying them. Hold the access-control core firmly: identification claims who you are, authentication proves it, authorisation grants what you may do, and accountability ties actions to a person through logging. Apply least privilege and segregation of duties everywhere; the auditor's instinct is that no one person should control a whole transaction. Learn encryption by purpose (confidentiality, integrity, non-repudiation) and the basics of PKI rather than algorithm trivia. For incident response and forensics, the auditor's priorities are preserving the chain of custody and the integrity of evidence. Keep IDS versus IPS and prevention versus detection crisply apart; the exam asks which the situation calls for.
Easy to confuse
Authentication versus authorisation. Authentication proves who you are; authorisation decides what you are allowed to do once proven. Multi-factor strengthens authentication; least privilege and access rules govern authorisation. The exam tests which one a control actually addresses.
Segregation of duties versus least privilege. Segregation of duties splits a sensitive process across people so no one controls it end to end; least privilege limits each person to the minimum access for their role. One prevents collusion and fraud, the other limits blast radius. They reinforce each other but are not the same control.
IDS versus IPS. An intrusion detection system detects and alerts; an intrusion prevention system sits inline and can block. If the scenario needs the threat stopped automatically it is an IPS; if it needs visibility without breaking traffic, an IDS.
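The segregation-of-duties and least-privilege tests described above are usually run as a review of an access export rather than by reading policy. The script below is an added example for this guide, not code from the original page or from ISACA: the entitlement export, the role baselines and the conflict pairs (vendor creation with payment approval, journal posting with journal approval, development with production deployment) are constructed assumptions chosen to illustrate the two controls, and the page itself does not name a specific pairing.

```python
"""Segregation-of-duties and least-privilege review of an entitlement export.

Added illustration for this guide. The conflict matrix, role baselines and
the export rows are constructed sample data, not an ISACA or CISA artefact.
"""
from collections import defaultdict

# Constructed toxic combinations: no single person should hold every member
# of a set, because together they let one person run a transaction end to end.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"change_develop", "change_deploy_prod"}),
}

# Constructed role baselines: the entitlements each role is meant to carry.
ROLE_BASELINE = {
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "ap_manager": {"payment_approve"},
    "developer": {"change_develop"},
    "release_mgr": {"change_deploy_prod"},
    "gl_accountant": {"journal_post"},
    "auditor": {"report_read"},
}

# Constructed IAM export: user,role,entitlement per line. bob has accumulated
# two roles; frank holds an entitlement granted outside his role's baseline.
ENTITLEMENT_EXPORT = """\
alice,ap_clerk,vendor_create
alice,ap_clerk,invoice_enter
bob,ap_manager,payment_approve
bob,ap_clerk,vendor_create
carol,developer,change_develop
carol,release_mgr,change_deploy_prod
dave,gl_accountant,journal_post
erin,auditor,report_read
frank,ap_clerk,invoice_enter
frank,ap_clerk,payment_approve
"""


def parse_export(text):
    """Return ({user: entitlements}, {user: roles}) from the CSV rows."""
    ents, roles = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, role, ent = (f.strip() for f in line.split(","))
        ents[user].add(ent)
        roles[user].add(role)
    return dict(ents), dict(roles)


def sod_violations(entitlements, conflicts=SOD_CONFLICTS):
    """Segregation-of-duties test: users holding a whole conflict set.

    Entitlements are pooled per user across all roles, so a conflict built
    from two individually harmless roles is still caught.
    """
    hits = []
    for user, held in entitlements.items():
        for combo in conflicts:
            if combo <= held:
                hits.append((user, tuple(sorted(combo))))
    return sorted(hits)


def excess_grants(entitlements, roles, baseline=ROLE_BASELINE):
    """Least-privilege test: entitlements beyond what the user's roles justify."""
    findings = {}
    for user, held in entitlements.items():
        allowed = set().union(*(baseline.get(r, set()) for r in roles[user]))
        extra = held - allowed
        if extra:
            findings[user] = sorted(extra)
    return findings


def review_sample():
    """Run both tests over the constructed export."""
    ents, roles = parse_export(ENTITLEMENT_EXPORT)
    return {"sod": sod_violations(ents), "excess": excess_grants(ents, roles)}


if __name__ == "__main__":
    result = review_sample()
    for user, combo in result["sod"]:
        print(f"SoD conflict: {user} holds {' + '.join(combo)}")
    for user, extra in result["excess"].items():
        print(f"Excess grant: {user} holds {extra} outside role baseline")
```

The two findings are deliberately different in kind, which is the distinction the "Easy to confuse" entry draws: bob and carol trip the segregation-of-duties test because their combined roles let one person control a process end to end, while frank trips only the least-privilege test, since his extra entitlement does not complete a conflict set but is still access his role does not justify.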
Worked example from the CISA bank
Free sample: Protection of Information Assets (easy)
Which statement BEST describes the relationship between ISO/IEC 27001 and ISO/IEC 27002 when an IS auditor is evaluating an organisation's information security framework?
A. ISO/IEC 27001 specifies the certifiable requirements for an information security management system, while ISO/IEC 27002 provides implementation guidance for the controls referenced in Annex A. (Correct)
B. ISO/IEC 27001 lists detailed technical configuration baselines, while ISO/IEC 27002 lists the certifiable management system clauses that an external registrar can audit against.
C. ISO/IEC 27001 and ISO/IEC 27002 are alternative frameworks that an organisation may choose between depending on whether it wants a risk-based or a control-based approach to security.
D. ISO/IEC 27001 provides the catalogue of cryptographic algorithms, while ISO/IEC 27002 provides the risk treatment methodology that the certified organisation must adopt.
Distinguish the certifiable management system requirements in ISO/IEC 27001 from the implementation guidance role of ISO/IEC 27002. ISO/IEC 27001 establishes the requirements for an information security management system, including risk assessment, risk treatment, and Annex A controls; ISO/IEC 27002 is the companion guidance that explains how each control can be implemented, so they work together rather than as alternatives.
Why A is correct: This is correct because 27001 contains the audit-certifiable management system requirements and references Annex A controls, and 27002 is the companion guidance describing how each control may be implemented in practice.
Why B is wrong: This is tempting because both standards are well known, but the roles are reversed; configuration baselines are not in either standard and the certifiable clauses sit in 27001, not 27002.
Why C is wrong: This is tempting because candidates know multiple frameworks exist, but the two standards are complementary parts of the same family rather than alternatives chosen between.
Why D is wrong: This is tempting because cryptography and risk treatment are familiar terms, but neither standard is an algorithm catalogue and risk treatment is governed by 27001 clauses, not 27002.
A study plan that works
Map the blueprint and book a date
Day 1
Read the official ISACA exam content outline and the five domains with their weights. Book a provisional date now: a fixed date converts open-ended study into a plan and is the strongest predictor of actually sitting. Note that Operations and Business Resilience (26 percent) and Protection of Information Assets (26 percent) are just over half the exam between them.
Adopt the auditor's mindset
Week 1
Before any content, drill the one habit the exam is built around: answer as an auditor who evaluates and reports, never as the engineer who fixes. Practise reading a scenario and asking what an independent auditor would do FIRST, and watch for the qualifier (BEST, MOST, PRIMARY). If you cannot say why the fix-it option is wrong, you are not yet thinking the way CISA scores.
Lock the audit process (Domain 1)
Weeks 1 to 2
Get the audit lifecycle, the standards hierarchy, the evidence hierarchy, and compliance versus substantive testing exact, because every other domain assumes them. Use the recall checks in this guide: cover the summary, answer from memory, then reveal. If you cannot state a concept in one sentence, you do not own it yet.
Go deep on the two heavy domains (Domains 4 and 5)
Weeks 2 to 4
Operations and Resilience and Protection of Information Assets are just over half the exam, so they get the most time. Anchor resilience to RTO and RPO and the BIA, and study every security control for its objective and how you would audit it, not how you would configure it. Practise on scenario questions and read the worked explanation on every one, including the ones you got right.
Cover governance and the build lifecycle (Domains 2 and 3)
Weeks 4 to 5
Governance rewards the governance-versus-management split and the outsource-the-activity-not-the-accountability rule; the acquisition domain rewards knowing where application controls live and why building them in early beats retrofitting. Both are learnable, reliable marks once you stop reading them as technology.
Drill weak domains, then space the review
Week 5
Use your per-domain accuracy to attack the two domains dragging you down, not to re-read what you already know. Then space it: revisit each domain's recall prompts after a few days and again a week later. Spacing roughly doubles what sticks compared with cramming.
Sit a timed mock and calibrate
Weeks 6 to 7
Take at least one full 240-minute, 150-question mock under exam conditions to rehearse pacing and the flag-and-return habit. Treat the score as a per-domain readiness signal, not a single number, and review every missed question, checking that you missed it on knowledge and not on forgetting to answer as an auditor.
Know when you're ready
Readiness for CISA is a score on questions you have not seen before, not a feeling that the material is familiar. Those are different things, and the gap between them is where people fail. Re-reading notes builds fluency, and fluency feels like knowledge, so confidence rises while real recall does not. The fix is to test yourself: if you can answer fresh scenario questions, pick the BEST option, and explain why each wrong option is wrong, you know it; if you can only nod along to an explanation, you do not yet.
Watch the specific failure this exam punishes hardest. You can know the technology cold and still fail by answering as an engineer, reaching for the fix when the auditor's job is to evaluate and report. When you review a missed question, separate the two causes: did you not know the material, or did you know it and still answer from the operator's seat instead of the auditor's? The second is the more dangerous, because it survives more study. Trust your measured per-domain accuracy over your gut, and set the bar at clearing every domain comfortably on unseen questions across more than one session, not scraping the pass mark once.
This guide gives you the map. The practice bank is where you find out whether you can navigate it, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.
Answer as an auditor, not an engineer. The auditor evaluates, gathers evidence, and reports; any option that has you operating or fixing the control yourself is usually the wrong answer, however sensible the fix.
Read the qualifier in capitals. ISACA asks for the BEST, MOST important, FIRST, PRIMARY, or GREATEST, not merely a correct answer; the qualifier tells you which axis the single right option is judged on.
When the question asks what to do FIRST, choose the step that establishes scope, objective, or risk. In audit you understand the risk and the objective before you test or recommend anything.
Protect independence and objectivity. An auditor cannot assess their own work or own a control they review, so any option that breaks that separation is wrong by definition.
Prefer evidence over assurance. A conclusion rests on sufficient, reliable evidence (ideally from an independent source or re-performance), not on what management says or what the policy claims.
Flag and move on. With 150 questions in 240 minutes you have a little over a minute and a half each; cover every question once, flag the hard ones, and return so the timer never costs you marks you actually know.
Frequently asked questions
Is the CISA exam hard?
It is an advanced, professional exam, and the difficulty is the mindset more than the facts. You have to answer as an independent auditor choosing the BEST option, not as an engineer picking a technically correct one. Candidates who know the technology often fail by answering from the operator's seat, so scenario practice with worked explanations matters more than memorising terms.
How long should I study for CISA?
Most candidates with audit or IT experience are ready in roughly two to three months of steady study. Put the most time into the two heaviest domains, Operations and Business Resilience and Protection of Information Assets, which carry 26 percent each and just over half the exam between them.
What is the pass mark for CISA?
450 on a scaled range of 200 to 800, shown in the facts panel above. The scale is not a percentage and the questions are weighted, so aim to clear every domain comfortably on unseen practice questions rather than targeting a raw figure.
Do I need work experience to get certified?
Yes, to be certified. ISACA requires five years of IS audit, control, assurance, or security experience, with some waivers and substitutions available. You may sit and pass the exam first and then claim certification within five years once you meet the experience requirement.
How is CISA structured?
It is 150 multiple-choice questions in 240 minutes across five domains, delivered by computer at a PSI test centre or via remote proctoring. There are no performance-based simulations; every question is a scenario or a direct multiple-choice item with one best answer.
Which domains should I focus on?
Operations and Business Resilience and Protection of Information Assets at 26 percent each are just over half the exam, so they deserve the most time. The two 18 percent domains, the Auditing Process and Governance, are reliable marks once you stop reading them as technology and start reading them as audit and accountability.
How many practice questions should I do before booking?
Enough that every domain clears the pass line with margin on questions you have not seen, and a full timed mock feels comfortable on pacing. Quality of review beats raw volume: read the explanation on every question, and when you miss one, check whether you failed on knowledge or on forgetting to answer as an auditor.
Is CISA worth it?
It is the benchmark credential for IT auditors, internal assurance staff, and risk professionals who assess and report on information systems. ISACA's five-year experience requirement means the certification signals verified professional practice rather than just examination knowledge, which carries weight with audit committees and regulators.
Examworthy is not affiliated with or endorsed by ISACA. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. CISA and related marks belong to their respective owners.