CISA
Exam Guide
Certified Information Systems Auditor · Everything you need to pass on your first attempt
Exam Overview
What is CISA?
The Certified Information Systems Auditor (CISA) is the world's most recognised certification for IS audit, control, assurance, and security professionals. Issued by ISACA since 1978, it validates your ability to assess vulnerabilities, report on compliance, and institute controls within an enterprise.
CISA is globally accepted and legally mandated in many jurisdictions for IS audit roles. It is consistently ranked among the top three highest-paying IT certifications worldwide.
Eligibility: You can sit the exam before meeting experience requirements. To receive the certification, you need a minimum of 5 years of professional IS audit, control, assurance, or security work experience. Up to 3 years can be substituted with education (1 year per year of full-time university study, max 3 years).
Quick Facts
| Format | Computer-Based Testing (CBT) |
| Questions | 150 multiple-choice questions |
| Duration | 4 hours (240 minutes) |
| Passing Score | 450 out of 800 |
| Score Scale | 200–800 (scaled scoring) |
| Language | English + 9 other languages |
| Availability | Year-round at PSI testing centres |
| Results | Provisional score immediately; official within 10 business days |
Languages Available
CISA is available in the following languages:
- English
- Chinese Simplified
- Chinese Traditional
- French
- German
- Hebrew
- Italian
- Japanese
- Korean
- Spanish
Candidates may choose the language of the exam during registration. Selecting your preferred language can significantly reduce cognitive load.
Domain Distribution & Weightage
The Five CISA Domains (2019 Job Practice)
All 150 questions are drawn from five domains. Understanding the weightage helps you prioritise your study time effectively.
Priority Focus: Domain 5 (27%) + Domain 4 (23%) = 50% of the exam. If you master these two domains, you are halfway to passing. Domain 1 at 21% is equally critical as it tests auditing methodology which underpins all other domains.
Detailed Domain Breakdown
| Domain | Topic | Weight | Approx. Questions | Study Priority |
|---|---|---|---|---|
| 1 | Information System Auditing Process | 21% | ~31–32 | 🔴 Critical |
| 2 | Governance and Management of IT | 17% | ~25–26 | 🟠 High |
| 3 | Information Systems Acquisition, Development and Implementation | 12% | ~18 | 🟡 Medium |
| 4 | Information Systems Operations and Business Resilience | 23% | ~34–35 | 🔴 Critical |
| 5 | Protection of Information Assets | 27% | ~40–41 | 🔴 Critical |
| TOTAL | 100% | 150 | ||
Note: ISACA publishes the domain weightage but questions are not tagged with domains during the exam. Some questions are "pilot" (unscored experimental questions) — you will not know which ones they are. Always answer every question as if it counts.
Scoring System & Pass Mark
How CISA is Scored
Understanding the Scaled Score
CISA uses Item Response Theory (IRT) scaled scoring — not a simple percentage of questions correct. Key points:
- The 200–800 scale is NOT a percentage — 450/800 does NOT mean 56.25% of questions correct
- Each question has a difficulty weight — harder questions may contribute more to your score
- ISACA estimates approximately 60–65% of questions correct correlates to a passing scaled score of 450
- Some questions are unscored "pilot" items being validated for future exams — you cannot identify them
- There is NO penalty for wrong answers — always guess if unsure (never leave blank)
Target Score Strategy: Aim for 70–75% correct (approximately 105–112 questions out of 150) to provide a comfortable buffer above the 450 passing score threshold, accounting for question difficulty variation.
Score Reporting
- Provisional score displayed immediately after completing the exam at the test centre
- Official score available in your My ISACA account within 10 business days
- Score report shows overall scaled score and performance by domain
- Domain performance (Below Average / Average / Above Average) helps identify areas for retake study
- Passing candidates receive a digital badge and certificate by post
Retake Policy
- 1st attempt: Full exam fee applies
- Retake 1: Minimum 30-day waiting period
- Retake 2: Minimum 90-day waiting period
- Retake 3: Minimum 90-day waiting period
- Maximum attempts: 4 times in a rolling 12-month period
- Full exam fee applies for each retake attempt
After failing 4 times in 12 months, you must wait until the next 12-month period. This makes first-attempt preparation absolutely critical.
Exam Costs & Fee Structure
Official ISACA Exam Fees (2025)
Membership Math: Annual membership costs $135. Exam fee saving = $185 (non-member $760 − member $575). Net saving = $185 − $135 = $50 on first attempt. Membership also provides access to ISACA resources, study materials, chapter events, and CPE opportunities — making it worthwhile beyond just the exam discount.
Total Cost to Certification (Realistic Budget)
| Item | Cost (Member) | Cost (Non-Member) | Notes |
|---|---|---|---|
| ISACA Membership (1 year) | $135 | $0 | Optional but recommended |
| CISA Exam Registration Fee | $575 | $760 | Main exam cost |
| CISA Review Manual (2024/25) | ~$59 (member) | ~$79 | Official ISACA textbook — essential |
| CISA QA&E Database (Online) | ~$199 (member) | ~$249 | Official ISACA question bank |
| Third-Party Practice Tests | $30–$100 | $30–$100 | Udemy, Whizlabs, etc. |
| Study Course (Optional) | $200–$1,500 | $200–$1,500 | ISACA online, Simplilearn, etc. |
| MINIMUM TOTAL | ~$968 | ~$1,088 | Exam + manual + basic prep |
| FULL TOTAL | ~$1,600+ | ~$1,800+ | All resources included |
Strategy to Appear with Minimum Cost
"The candidate who passes on the first attempt pays the least. Every retake costs $575–$760 plus time. Invest in preparation, not in retakes."
Cost Minimisation — Step by Step
Potential Savings Summary
Exam Timing & Time Management
Time Per Question Analysis
Recommended Time Strategy
✓ Do This
- Flag and skip difficult questions on first pass
- Answer every single question (no blanks)
- Use process of elimination for uncertain questions
- Watch your time — check at question 50 and 100
- Trust your first instinct unless clearly wrong
- Read every word of every answer choice
- Look for the "BEST" answer — CISA often has two plausible answers
✗ Don't Do This
- Spend more than 2 minutes on any one question
- Change confident answers without a clear reason
- Leave any question blank at the end
- Panic if you don't know 20–30 questions
- Ignore the domain weightage when studying
- Read only the question stem — read all 4 options
- Bring prohibited items into the test room
Exam Rules & Testing Centre Policies
What to Bring to the Test Centre
Required: Two forms of valid, government-issued ID. Primary ID must have photo + signature (passport strongly recommended). Secondary ID must have either photo or signature. Both must not be expired.
- Acceptable IDs: Passport, national identity card, driver's licence, military ID
- Confirmation of your exam appointment (email or printed)
- Your ISACA exam registration confirmation number
NOT Allowed: Mobile phones, smartwatches, earbuds, notes, books, paper, food, drinks (except water in clear bottle, if permitted), wallets (usually stored in locker). Personal items stored in a provided locker.
Test Centre Regulations
| Rule | Detail |
|---|---|
| Arrive Early | Arrive at least 30 minutes before scheduled exam time. Late arrivals may be turned away and forfeit their fee. |
| Check-In Process | Biometric capture (fingerprint or palm vein), photo, ID verification. This takes 10–15 minutes. |
| No Electronic Devices | All devices — phones, smartwatches, fitness bands, Bluetooth devices — must be off and stored in a locker. Violation = immediate disqualification. |
| Scratch Paper | Provided by the test centre (erasable board or paper). You may NOT bring your own. Returned at end of exam. |
| Breaks | You may take breaks but the clock does NOT stop. Bathroom breaks count against your exam time. Plan accordingly. |
| Monitoring | Exam is recorded via CCTV. Proctors monitor the room. Suspicious behaviour results in immediate termination. |
| Misconduct | Cheating, sharing questions, impersonation = permanent ban from ISACA certifications and potential legal action. |
| Cancellation Policy | Cancel/reschedule at least 72 hours before appointment to avoid forfeiting the full fee. Check ISACA's current policy. |
Question Pattern & Typology
All Questions are Multiple Choice — But They Are NOT Equal
All 150 CISA questions are four-option multiple choice (A, B, C, D). However, CISA questions are designed to be scenario-based, application-level questions that test judgment and decision-making — not just memorisation.
The CISA Question Mindset — Think Like an IS Auditor
CISA questions frequently use the words: FIRST, MOST, PRIMARILY, BEST, MOST LIKELY, GREATEST RISK. These qualifiers are deliberate — they tell you to prioritise, not just identify.
| Qualifier | What It's Testing | Strategy |
|---|---|---|
| FIRST | Sequence / priority of audit steps | Usually: understand → plan → assess risk → then act |
| BEST | Optimal control or approach among multiple plausible options | Think: preventive > detective > corrective; or most complete |
| PRIMARILY | Main purpose — may have secondary valid purposes | Select the dominant or fundamental reason |
| MOST LIKELY | Probability-based reasoning | Consider which scenario is most common in practice |
| GREATEST RISK | Risk ranking among options | Consider impact × likelihood; governance failures often outrank technical |
| MOST IMPORTANT | Prioritisation of controls | Prevention before detection; governance before technical |
The IS Auditor Perspective: When in doubt, think like an IS auditor — not like an IT manager or security engineer. The auditor's role is to assess, report, and recommend — not to implement, manage, or operate. Questions about what the auditor does FIRST usually involve understanding and planning before action.
Common Question Traps to Avoid
Achieving Technique & Study Strategy
Recommended Study Timeline (12-Week Plan)
| Week | Focus | Activities | Target |
|---|---|---|---|
| Week 1 | Orientation & Domain 1 | Read CISA manual D1; attempt 50 D1 practice questions; take diagnostic test | Understand audit methodology |
| Week 2 | Domain 2 — IT Governance | Read D2; 50+ practice questions; COBIT deep dive | Frameworks & governance |
| Week 3 | Domain 3 — IS Acquisition | Read D3; 40+ practice questions; SDLC methodologies | SDLC, project management |
| Week 4–5 | Domain 4 — IS Operations | Read D4 (heavy content); 70+ practice questions; BCP/DRP focus | Operations & resilience |
| Week 6–7 | Domain 5 — Information Security | Read D5 (heaviest domain); 100+ practice questions; crypto, access control | Security controls mastery |
| Week 8 | Cross-Domain Review | Review weak areas; 100 mixed questions; revisit difficult concepts | Consolidate knowledge |
| Week 9–10 | Practice Exam Intensive | 2–3 full 150-question mock exams under timed conditions; detailed review of every wrong answer | Score consistently 70%+ |
| Week 11 | Gap Filling & Final Review | Focus only on weak domains from mock exam performance; memorise key formulas | Close identified gaps |
| Week 12 | Final Preparation | Light review; one final timed practice exam; logistics preparation; rest before exam | Confidence & readiness |
Study Techniques That Work
Performance Benchmarks
| Mock Exam Score | Readiness Assessment |
|---|---|
| Below 50% | Not ready — significant gaps remain; reschedule |
| 50–60% | Borderline — continue studying; focus on weak domains |
| 60–70% | Getting closer — target 2 more weeks of focused practice |
| 70–75% | Ready — schedule your exam; maintain momentum |
| 75%+ | Well prepared — high confidence of passing |
Do NOT schedule your exam until you consistently score 70%+ on multiple full-length practice exams under timed conditions.
Key Formulas to Memorise
| Formula | Meaning | Context |
|---|---|---|
| ALE = ARO × SLE | Annual Loss Expectancy = Annual Rate × Single Loss | Risk quantification (Domain 2, 5) |
| SLE = AV × EF | Single Loss = Asset Value × Exposure Factor | Risk quantification (Domain 2) |
| Availability = MTBF ÷ (MTBF + MTTR) | Reliability metric for service availability | Domain 4 — Operations |
| SPI = EV ÷ PV | Schedule Performance Index (project) | Domain 3 — Project management |
| CPI = EV ÷ AC | Cost Performance Index (project) | Domain 3 — Project management |
| SV = EV − PV | Schedule Variance — negative = behind schedule | Domain 3 — Project management |
| CV = EV − AC | Cost Variance — negative = over budget | Domain 3 — Project management |
| CER (FAR = FRR) | Crossover Error Rate — lower = better biometric | Domain 5 — Biometrics |
After the Exam — Certification & Maintenance
From Passing to Certified — The Certification Application
Passing the exam is not the same as being certified. You must apply for certification within 5 years of passing by submitting:
- Experience verification: Minimum 5 years of professional IS audit, control, assurance, or security experience — verified by your employer(s)
- Application form: Submitted online via My ISACA account
- Application fee: $50 (member) / $75 (non-member)
- Adherence to the ISACA Code of Professional Ethics: Mandatory agreement
- Compliance with CISA Continuing Education Policy: CPE commitment
Experience Substitutions: Up to 3 years of experience can be substituted: 1 year substituted per year of full-time university education in IS/IT/audit; 1 year for holding CISM, CRISC, CGEIT, or other qualifying certifications; 1 year for qualifying university instructor experience.
Continuing Professional Education (CPE)
Once certified, CISA must be maintained through annual CPE:
- 120 CPE hours required over 3-year reporting period
- Minimum 20 CPE hours per calendar year
- CPE must be IS audit, IT, security, or related field
- Annual maintenance fee: $45 (member) / $85 (non-member)
- Qualifying activities: ISACA events, webinars, conferences, teaching, writing, volunteer work
- Non-compliance = suspension or revocation of certification
CISA Certification Value
- Global recognition: Accepted in 180+ countries
- Salary premium: CISA holders earn 20–35% more than non-certified peers (industry surveys)
- Career advancement: Required or preferred for senior audit, compliance, and security roles
- Client confidence: Big 4 and mid-tier accounting firms often require CISA for IT audit staff
- Regulatory acceptance: CISA is recognised in SOX, GDPR, and banking regulatory frameworks as a qualifying credential
Final Exam Day Checklist
3 Days Before
- ✅ Complete final mock exam — review only wrong answers
- ✅ Confirm test centre location and travel route
- ✅ Verify appointment confirmation email
- ✅ Ensure both forms of ID are valid and not expired
- ✅ Memorise all key formulas (ALE, SLE, MTBF, etc.)
- ✅ Rest — do not cram the night before
Day of Exam
- ✅ Arrive 30 minutes before scheduled time
- ✅ Bring two valid government-issued photo IDs
- ✅ Leave ALL electronic devices in your car or at home
- ✅ Eat a proper meal — avoid heavy food that causes drowsiness
- ✅ Stay calm — you have prepared for this
- ✅ During exam: flag uncertain questions; never leave blanks
- ✅ Use all 4 hours — don't rush out early
"Every question answered is progress. Every practice exam taken is armour for exam day. Your preparation is your competitive advantage — trust it."
