Career Employer

FREE CISA Study Guide 2026: All 5 Domains

The most important things the CISA tests — an interactive study guide with built-in quizzes and flashcards, organized by all 5 ISACA domains.

Check sections to boost your score

Don't know where to start?

To find us again, just search “Career Employer CISA

By

This free CISA study guide walks through every content domain the Certified Information Systems Auditor exam tests, organized to ISACA’s current exam content outline (effective 1 August 2024).[1]

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, flashcards, and practice questions, so you learn by doing — not just reading.

The CISA tests five official domains, and we teach each as one study module. We lead with the heaviest-weighted content: Operations & Business Resilience and Protection of Information Assets are 26% each — together more than half the exam.

Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards.

This guide is a high-yield overview that maps the official content — not a full IT-audit textbook.

CISA Exam Snapshot

CISA exam at a glance
DetailCISA Exam
Questions150 multiple-choice items
FormatLinear, computer-based (single best answer)
Time4 hours (240 minutes)
Passing scoreScaled 450 on a 200–800 scale
Administered byISACA, delivered at PSI test centers or remotely proctored
Certifying bodyISACA
Experience5 years in IS audit, control, assurance, or security (within prior 10 years; waivers apply)
Cost$575 (member) / $760 (non-member), USD
Recertification120 CPE credits per 3-year cycle (min. 20/year) + annual maintenance fee
Outline versionEffective 1 August 2024

The CISA covers five domains. Unlike the prior outline, the current weighting (effective August 2024) puts the most weight on operations, resilience, and information protection. Domains 4 and 5 are 26% each — together 52% of the exam — so that is where to invest first.[1] Study by weight:

CISA weighting by domain (ISACA exam outline, effective Aug 2024)
IS Operations & Business Resilience26% · Domain 4
Protection of Information Assets26% · Domain 5
Information Systems Auditing Process18% · Domain 1
Governance & Management of IT18% · Domain 2
IS Acquisition, Development & Implementation12% · Domain 3

Module 1 · Information Systems Auditing Process

One official domain, 18% of the exam. This domain is the auditor’s craft: how to plan, conduct, and report an IS audit objectively and in line with professional standards. Master it and every other domain becomes “what an auditor looks for” in that area.

1.1 Standards, Ethics & Audit Planning

An IS auditor works to ISACA’s — the framework of and assurance standards (mandatory), guidelines (recommended), and tools. ISACA’s standards and its Code of Professional Ethics require independence, objectivity, due professional care, and competence.[5]

The plan itself is built with : you inventory the audit universe, assess the risk of each area, and direct scarce audit hours where a failure would hurt the organization most. then sets the threshold for what is significant enough to report.

1.2 Controls & Types of Testing

Controls are classified by when they act: a stops an incident, a finds one, and a restores afterward. When the ideal control cannot be implemented, a mitigates the remaining risk.

The auditor proves controls work through two kinds of testing. checks whether a control operated as designed (e.g., were change requests approved?). verifies the data or results themselves.

Strong compliance results let the auditor reduce substantive testing; weak ones demand more. — the chance of a wrong conclusion — combines inherent, control, and detection risk.

Compliance vs. substantive testing
Test typeWhat it checksExample
Compliance testWhether a control operates as designedSampling access requests to confirm each was approved
Substantive testThe integrity of the data or resultsRecomputing interest on a sample of loans
RelationshipStrong compliance results reduce substantive testingWeak controls require more substantive work

1.3 Evidence, Sampling & Reporting

Conclusions must rest on that is sufficient, reliable, and relevant. Auditors gather it through inquiry, observation, inspection, re-performance, and increasingly through — software and analytics that test entire data populations rather than a sample.

When sampling is used, lets results be projected to the population with measurable confidence. supplements (but never replaces) the independent audit.

Finally, results are communicated objectively to management and the audit committee, with findings, risk, and recommendations — and the engagement closes only after follow-up confirms agreed actions were taken and the risk was actually reduced.

Checkpoint · Information Systems Auditing Process

Question 1 of 10

An IS audit director is allocating the limited hours of a three-person audit team across forty auditable systems for the coming year. The approach most consistent with risk-based audit planning is to assign hours according to:

Module 2 · Governance & Management of IT

One official domain, 18% of the exam. This domain is about whether IT is steered to serve the business and managed with discipline — governance structures, frameworks, policies, risk, and performance. The auditor evaluates whether the organization directs and oversees IT, not just runs it.

2.1 IT Governance, Strategy & COBIT

is the board and senior management’s responsibility: set direction, define the risk appetite, and monitor that IT delivers value — distinct from management, which plans, builds, runs, and monitors IT day to day. , ISACA’s framework, formalizes that split (governance = Evaluate, Direct, Monitor).[6] Governance ensures the aligns with business objectives, supported by a coherent .

2.2 Policies, Structure & Segregation of Duties

Governance is operationalized through a document hierarchy — policies (intent) → standards (mandatory specifics) → procedures (steps) → guidelines (optional). Organizational structure assigns accountability, often via a chart, and enforces so no one person can both commit and conceal an error or fraud. Where SoD isn’t feasible (small teams), compensating controls such as management review fill the gap.

The IT policy document hierarchy
DocumentWhat it isMandatory?
PolicyHigh-level statement of management intent and goalsYes
StandardSpecific mandatory requirements (e.g., 'use AES-256')Yes
ProcedureDetailed step-by-step instructionsYes
GuidelineRecommended, discretionary best practiceNo

2.3 IT Risk & Performance Management

identifies, assesses, treats, and monitors risk against the organization’s risk appetite — risks are mitigated, transferred, avoided, or accepted, and what remains is residual risk that management formally owns. Governance also demands performance measurement — metrics, KPIs, and that show whether IT delivers value and improves over time. IT must also comply with applicable laws, regulations, and industry standards.

Checkpoint · Governance & Management of IT

Question 1 of 10

An IS auditor is studying the COBIT framework and notes that COBIT 2019 introduced a way to tailor the framework to an enterprise's specific context. What are these tailoring inputs called?

Module 3 · IS Acquisition, Development & Implementation

One official domain, 12% of the exam — the smallest. This domain follows how systems are acquired or built and put into production, and the controls that keep projects on track and deliver a secure, working system.

3.1 Project Governance & the SDLC

Projects need governance — a business case, feasibility study, defined scope, and a steering committee or PMO that monitors cost, schedule, and benefits. The work itself follows a : feasibility → requirements → design → development → testing → implementation → review. Methodologies differ — is sequential and suits stable requirements; is iterative and suits changing ones — but the control objectives are similar, and security and controls must be built in from the start.

SDLC methodologies compared
MethodologyCharacteristicBest when
WaterfallSequential phases; each completes before the nextRequirements are stable and well understood
AgileIterative sprints delivering working incrementsRequirements evolve; fast feedback needed
PrototypingBuild a model early to refine requirementsRequirements are unclear up front

3.2 Testing, Migration & Changeover

Before go-live, systems are tested in layers — unit, integration, system, and , where users confirm the system meets business requirements. Moving to the new system is a changeover, and the method chosen trades risk against cost: (safest, costliest), , , or (cheapest, riskiest). Data migration must be complete, accurate, and reconciled.

3.3 Implementation & Post-Implementation Review

Going live requires sign-off, training, and a fallback plan. Once the system has stabilized, a evaluates whether it met its objectives, delivered the expected benefits and return on investment, and operates with adequate controls — capturing lessons learned and any defects to correct. Its findings feed back into governance (was the business case realized?) and future projects.

Checkpoint · IS Acquisition, Development & Implementation

Question 1 of 10

An IS auditor is mapping the order of activities in a structured system development life cycle. Which sequence correctly reflects the typical progression of phases for building a new application?

Module 4 · IS Operations & Business Resilience

One official domain, 26% of the exam — tied for the largest. This domain covers running IT day to day and keeping the business resilient when things go wrong. Given its weight, master it: it is more than a quarter of your score.

4.1 IT Operations & Service Management

Operations keep services running: job scheduling and monitoring, capacity and performance management, database administration, and end-user computing controls. Service quality is governed by a that defines targets (uptime, response time) and how they are measured. Data governance ensures information is accurate, available, and well-controlled across its lifecycle.

Core IT operations activities
ActivityWhat it ensures
Job scheduling & monitoringBatch and automated jobs run, complete, and are watched for failures
Capacity managementResources meet current and forecast demand (trend analysis)
Database managementData integrity, availability, and controlled access
SLA managementService targets are defined, measured, and met
End-user computingUser-built tools (spreadsheets, apps) are inventoried and controlled

4.2 Change, Configuration & Incident Management

Stable operations depend on disciplined process. ensures changes to production are requested, approved, tested, and documented (emergency changes still get reviewed after the fact).

keeps an accurate baseline of what is in production, and applies tested fixes for vulnerabilities.

When something breaks, detects, responds, recovers, and learns. Uncontrolled change is one of the most common audit findings in this domain.

Operational control processes
ProcessPurpose
Change managementAuthorize, test, and document changes to production
Configuration managementMaintain an accurate baseline of production assets
Patch managementTest and apply fixes for known vulnerabilities
Incident managementDetect, respond to, recover from, and learn from disruptions
Problem managementFind and eliminate the root cause of recurring incidents

4.3 Business Continuity & Disaster Recovery

Resilience starts with the , which identifies critical processes and sets the recovery targets every other decision serves: , (time to restore — must be less than MTD), and (acceptable data loss — drives backup frequency). The keeps the business running; the restores IT and supports the BCP. Recovery sites trade cost against speed.[7]

Recovery objectives and recovery sites
Term / siteMeaningTrade-off
MTDMaximum Tolerable Downtime — the absolute limitDrives the RTO
RTORecovery Time Objective — target time to restoreMust be shorter than the MTD
RPORecovery Point Objective — acceptable data lossDrives backup frequency
Hot siteFully equipped, near-real-time failoverFastest recovery, most expensive
Warm siteHardware and connectivity; data restored on demandModerate cost and speed
Cold siteEmpty space with power/cooling onlyCheapest, slowest to bring online

Checkpoint · IS Operations & Business Resilience

Question 1 of 10

A BIA was conducted using only revenue figures to rank process criticality. Which dimension of impact was most likely overlooked, weakening the analysis?

Module 5 · Protection of Information Assets

One official domain, 26% of the exam — tied for the largest. This domain is information security from an auditor’s seat: access control, network and endpoint protection, cryptography, and how the organization detects and responds to security events. With Domain 4, it is more than half your score.

5.1 Access Control & Identity Management

follows a sequence: identification (claim) → (prove it) → (what you may do) → accountability (log it). Strong authentication uses — factors from different categories (know, have, are). Access is governed by and need-to-know, reinforced by segregation of duties, and reviewed periodically (recertification) to catch privilege creep.[8]

The three authentication factor categories
FactorTypeExamples
Something you knowKnowledgePassword, PIN, passphrase
Something you havePossessionSmart card, hardware token, phone
Something you areInherence (biometric)Fingerprint, iris, face

5.2 Network, Endpoint & Cryptography

Networks are protected by segmentation, , and , layered as . Cryptography delivers confidentiality, integrity, authentication, and : (one shared key, fast — AES) and (key pair, solves key exchange — RSA, ECC) combine in practice. gives integrity, a adds authenticity and non-repudiation, and manages the trust.

Encrypt vs. sign — which key do you use?
GoalUse this keyResult
Confidentiality (encrypt for someone)Recipient's PUBLIC keyOnly the recipient's private key can decrypt
Authenticity (sign a message)Sender's PRIVATE keyAnyone can verify with the sender's public key
IntegrityHash function (no key)A changed message produces a different digest

5.3 Data Protection, Monitoring & Response

Protection starts with — labeling data by sensitivity so the right controls apply — reinforced by and secure media sanitization at end of life.[9]

Physical and environmental controls protect facilities. Detection relies on logging and monitoring (correlated in a SIEM); response follows the incident lifecycle; and when evidence is collected for investigation, preserves its integrity for potential legal use.

Verifying these controls is where the meets security.[10]

Checkpoint · Protection of Information Assets

Question 1 of 10

An IS auditor is asked to map a proposed control to the security objective it primarily supports. A control that watermarks and restricts who may view a confidential research report most directly serves which element of the CIA triad?

How to Use This CISA Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Operations & Business Resilience (26%) and Protection of Information Assets (26%) are 52% of the exam — invest there first.
  • Think like an auditor. CISA questions ask for the best answer in a risk-and-controls mindset — often the option that addresses governance, process, and evidence, not just the most technical fix.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until your score climbs comfortably above passing.

CISA Concept Questions

Common CISA concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

CISA Glossary

The high-yield CISA terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

Agile
An iterative SDLC methodology delivering working software in short increments (sprints); suited to changing requirements.
Asymmetric encryption
Encryption using a public/private key pair (e.g., RSA, ECC); solves key exchange and enables digital signatures.
Audit evidence
Sufficient, reliable, and relevant information that supports the auditor's findings and conclusions.
Audit risk
The risk that an auditor reaches an incorrect conclusion; a combination of inherent risk, control risk, and detection risk.
Authentication
Proving a claimed identity with a credential — something you know, have, or are.
Authorization
Determining what an authenticated identity is permitted to access and do.
Business continuity plan (BCP)
A plan to keep critical business functions operating during and after a disruption.
Business Impact Analysis (BIA)
An analysis identifying critical processes and setting recovery objectives (MTD, RTO, RPO); the foundation of resilience planning.
CAATs
Computer-Assisted Audit Techniques — software tools and analytics used to test large data volumes directly (extract, recompute, find anomalies).
Chain of custody
Documentation showing who handled evidence and when, preserving its integrity for legal use.
Change management
The controlled process to request, approve, test, document, and deploy changes to production systems.
COBIT
ISACA's framework for the governance and management of enterprise IT, separating governance (Evaluate, Direct, Monitor) from management.
Cold site
A recovery site with power and cooling only (empty space) — cheapest, slowest to bring online.
Compensating control
An alternative control used when the ideal (primary) control cannot be feasibly implemented, mitigating the remaining risk.
Compliance testing
Testing whether a control is operating as designed (e.g., are change requests approved before deployment?).
Configuration management
Maintaining an accurate baseline of what hardware and software is in production and controlling changes to it.
Control self-assessment (CSA)
A process in which process owners assess the adequacy of their own controls, supplementing (not replacing) independent audit.
Corrective control
A control that restores systems and fixes the cause after an incident (e.g., backups, incident response, DR plans).
Data classification
Labeling data by sensitivity so the right level of protection is applied throughout its lifecycle.
Data loss prevention (DLP)
Controls that detect and block unauthorized movement or exfiltration of sensitive data.
Defense in depth
Layering multiple, overlapping controls so that if one fails, others still protect the asset.
Detective control
A control that identifies an incident after it has occurred (e.g., audit logs, monitoring, reconciliations).
Digital signature
A hash of a message encrypted with the sender's private key, providing integrity, authenticity, and non-repudiation.
Direct changeover
Switching the old system off and the new one on at once (big-bang) — cheapest and fastest, but the riskiest.
Disaster recovery plan (DRP)
The IT-focused plan to restore systems, data, and infrastructure; it supports the broader BCP.
Enterprise architecture
A blueprint of an organization's business processes, data, applications, and technology and how they fit together.
Enterprise risk management (ERM)
The organization-wide process of identifying, assessing, treating, and monitoring risk against the risk appetite.
Firewall
A network control that permits or blocks traffic between networks based on a defined ruleset.
Hashing
A one-way function producing a fixed-length digest used to verify integrity (e.g., SHA-256); not reversible.
Hot site
A fully equipped recovery site with near-real-time data, ready for near-immediate failover — fastest, most expensive.
Identity and access management (IAM)
The disciplines and technologies that manage digital identities and control their access to resources.
Incident management
The structured process to detect, respond to, recover from, and learn from disruptions and security incidents.
Intrusion detection/prevention (IDS/IPS)
Controls that detect (IDS) or detect and block (IPS) malicious network or host activity.
IS audit
An independent, systematic examination of an organization's information systems, controls, and processes to provide assurance over confidentiality, integrity, availability, and compliance.
IT governance
The board and senior management's responsibility for setting IT direction, defining risk appetite, and monitoring value delivery.
IT strategy
The plan that aligns IT investments and capabilities with the organization's business objectives.
ITAF
ISACA's Information Technology Assurance Framework — the standards, guidelines, and tools that govern how IS audit and assurance work is performed.
Least privilege
Granting users and processes only the minimum access needed to do their job, and nothing more.
Materiality
The threshold at which an error, weakness, or finding is significant enough to influence decisions or require reporting.
Maturity model
A scale (e.g., 0–5) used to assess and improve how capable and consistent a process is.
Maximum Tolerable Downtime (MTD)
The longest a business process can be unavailable before the organization suffers unacceptable harm.
Multi-factor authentication (MFA)
Using two or more factors from different categories — something you know, have, and are.
Non-repudiation
Assurance that a party cannot deny having performed an action, achieved through digital signatures and logging.
Parallel changeover
Running the old and new systems together until the new one is proven — safest but most costly.
Patch management
The process of acquiring, testing, and applying software updates that fix vulnerabilities and defects.
Phased changeover
Rolling out a new system in stages (by module or site) to limit risk.
Pilot
Deploying a new system to one group or location first before a wider rollout.
Post-implementation review
An after-go-live evaluation of whether a system met its objectives, delivered benefits, and operates with adequate controls.
Preventive control
A control that stops an incident before it occurs (e.g., access controls, segregation of duties, firewalls).
Public Key Infrastructure (PKI)
The certificate authorities, certificates, and policies that manage public keys and the trust between parties.
RACI
A responsibility chart mapping who is Responsible, Accountable, Consulted, and Informed for each activity.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured backward in time; drives backup frequency.
Recovery Time Objective (RTO)
The targeted time to restore a system or process after a disruption; must be shorter than the MTD.
Risk-based audit planning
Allocating limited audit resources to the areas of greatest risk to the organization, so audit effort produces the most assurance.
SDLC
System Development Lifecycle — the structured phases for building or acquiring a system: feasibility, requirements, design, build, test, implement, review.
Segregation of duties (SoD)
Splitting a sensitive process so no single person can both perform and conceal an error or fraud.
Service level agreement (SLA)
A documented agreement defining the level of service (e.g., uptime, response time) and how it is measured.
Statistical sampling
Selecting a sample using probability so results can be projected to the whole population with measurable confidence.
Substantive testing
Testing the integrity of data or results themselves (e.g., does a reported balance match the underlying records?).
Symmetric encryption
Encryption using one shared secret key for both encrypting and decrypting (e.g., AES); fast, but key distribution is hard.
User acceptance testing (UAT)
Testing by end users to confirm the system meets business requirements before go-live.
Warm site
A recovery site with hardware and connectivity but needing data restored and configuration — moderate cost and speed.
Waterfall
A sequential SDLC methodology where each phase completes before the next begins; suited to stable requirements.

CISA Study Guide FAQ

The CISA exam has 150 multiple-choice questions and a time limit of 4 hours (240 minutes). It is a linear, computer-based exam — every candidate answers 150 questions, each with a single best answer — delivered at PSI test centers or via remote proctoring.

References

  1. 1.ISACA. “CISA Exam Content Outline (effective 1 August 2024).” isaca.org.
  2. 2.ISACA. “CISA — Certified Information Systems Auditor.” isaca.org.
  3. 3.ISACA. “Get CISA Certified — Requirements.” isaca.org.
  4. 4.ISACA. “Maintain Your CISA Certification (CPE Policy).” isaca.org.
  5. 5.ISACA. “Code of Professional Ethics.” isaca.org.
  6. 6.ISACA. “COBIT — Framework for Governance & Management of Enterprise IT.” isaca.org.
  7. 7.National Institute of Standards and Technology. “SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems.” csrc.nist.gov.
  8. 8.National Institute of Standards and Technology. “SP 800-53 Rev. 5: Security and Privacy Controls.” csrc.nist.gov.
  9. 9.National Institute of Standards and Technology. “SP 800-88 Rev. 1: Guidelines for Media Sanitization.” csrc.nist.gov.
  10. 10.National Institute of Standards and Technology. “SP 800-115: Technical Guide to Information Security Testing and Assessment.” csrc.nist.gov.
  11. 101.National Institute of Standards and Technology (NIST). “Cryptographic Standards and Guidelines.” csrc.nist.gov, accessed 19 June 2026.
Career Employer

Career Employer is the ultimate resource to help you get started working the job of your dreams. We cover topics from general career information, career searching, exam preparation with free study materials, career interviewing, and becoming successful in your career of choice.

Follow Us:

All Posts

Career Employer’s Editorial Process

Here at Career Employer, we focus a lot on providing factually accurate information that is always up to date. We strive to provide correct information using strict editorial processes, article editing, and fact-checking for all of the information found on our website. We only utilize trustworthy and relevant resources. To find out more, make sure to read our full editorial process page here.