The 5 CISA Domains Explained

The CISA® (Certified Information Systems Auditor®) credential, awarded by ISACA®, is the gold standard for IT audit, control and assurance professionals. Since its introduction in 1978, it has been one of the most sought-after qualifications for audit, risk and compliance leadership positions.

CISA covers five domains, updated in August 2024 to reflect changes in technology, risk management and governance frameworks. Regular domain updates ensure the exam stays aligned with real-world job roles and emerging industry trends.


What are the 5 CISA domains?

CISA domain – Exam weighting
  • 1. Information Systems Auditing Process – 18%
  • 2. Governance & Management of IT – 18%
  • 3. Information Systems Acquisition, Development & Implementation – 12%
  • 4. Information Systems Operations & Business Resilience – 26%
  • 5. Protection of Information Assets – 26%

Our CISA exam preparation course covers these five domains in depth.


Summary of the CISA domains

1. Information Systems Auditing Process
This domain examines candidates’ ability to understand an organisation’s IS (information systems)/IT (information technology) security, risk and control solutions. It comprises 18% of the CISA exam and covers:

A – Planning
  • IS Audit Standards, Guidelines, and Codes of Ethics
  • Types of Audits, Assessments, and Reviews
  • Risk-Based Audit Planning
  • Types of Controls and Considerations

B – Execution
  • Audit Project Management
  • Audit Testing and Sampling Methodology
  • Audit Evidence Collection Techniques
  • Audit Data Analytics
  • Reporting and Communication Techniques
  • Quality Assurance and Improvement of Audit Process


2. Governance & Management of IT
This domain examines candidates’ ability to identify critical issues and recommend ways of supporting and safeguarding IT governance. It comprises 18% of the CISA exam and covers:

A – IT governance
  • Laws, Regulations, and Industry Standards
  • Organisational Structure, IT Governance, and IT Strategy
  • IT Policies, Standards, Procedures and Practices
  • Enterprise Architecture and Considerations
  • Enterprise Risk Management
  • Privacy Programme and Principles
  • Data Governance and Classification

B – IT management
  • IT Resource Management
  • IT Vendor Management
  • IT Performance Monitoring and Reporting
  • Quality Assurance and Quality Management of IT


3. Information Systems Acquisition, Development & Implementation
This domain examines candidates’ understanding of IT controls and how IT relates to business. It comprises 12% of the CISA exam and covers:

A – Information systems acquisition and development
  • Project Governance and Management
  • Business Case and Feasibility Analysis
  • System Development Methodologies
  • Control Identification and Design

B – Information systems implementation
  • System Readiness and Implementation Testing
  • Implementation Configuration and Release Management
  • System Migration, Infrastructure Deployment, and Data Conversion
  • Post-implementation Review


4. Information Systems Operations & Business Resilience
This domain also examines candidates’ understanding of IT controls and how IT relates to business. It comprises 26% of the CISA exam and covers:

A – Information systems operations
  • IT Components
  • IT Asset Management
  • Job Scheduling and Production Process Automation
  • System Interfaces
  • Shadow IT and End-User Computing
  • Systems Availability and Capacity Management
  • Problem and Incident Management
  • IT Change, Configuration, and Patch Management
  • Operational Log Management
  • IT Service Level Management
  • Database Management

B – Business resilience
  • Business Impact Analysis
  • System and Operational Resilience
  • Data Backup, Storage, and Restoration
  • Business Continuity Plan
  • Disaster Recovery Plans


5. Protection of Information Assets
This domain examines candidates’ understanding of cyber security best practices. It comprises 26% of the CISA exam and covers:

A – Information asset security and control
  • Information Asset Security Frameworks, Standards, and Guidelines
  • Physical and Environmental Controls
  • Identity and Access Management
  • Network and End-Point Security
  • Data Loss Prevention
  • Data Encryption
  • Public Key Infrastructure
  • Cloud and Virtualized Environments
  • Mobile, Wireless, and Internet-of-Things Devices

B – Security event management
  • Security Awareness Training and Programmes
  • Information System Attack Methods and Techniques
  • Security Testing Tools and Techniques
  • Security Monitoring Tools and Techniques
  • Security Incident Response Management
  • Evidence Collection and Forensics



CISA exam format and maintenance

  • 150 multiple-choice questions – 4 hours duration.
  • Passing scaled score: 450–800.
  • Entry requirements: No experience is needed to sit the exam, but 5 years of professional experience in IS auditing, control or security (waivers available) is required to earn the certification.
  • Cost: US$575 for ISACA members; US$760 non-members.
  • Maintenance: 120 CPE (Continuing Professional Education) hours over 3 years (minimum 20 per year), and compliance with ISACA Code and audit standards.


Why choose CISA?

While mastering CISA’s five domains demands effort, the resulting professional credibility and strategic insight make it a vital qualification. It proves you can audit, control, secure and manage IT systems – an attractive skillset for employers worldwide.

  • CISA is globally recognised and accredited under ISO/IEC 17024.
  • Over 200,000 professionals are currently CISA certified – a testament to its prestige.
  • The qualification validates both technical audit expertise and strategic governance skills.
  • It also opens career paths: IT auditor, compliance manager, risk officer, resilience specialist and more.


Earn your CISA credential

IT Governance is an ISACA Accredited Partner. Our experts have designed our CISA Training Course to help ensure you pass the exam first time.

It uses the official ISACA curriculum and includes the ISACA CISA Review Questions, Answers & Explanations Manual. Successful completion of the course leads to 28 CPD points.

It’s also available in multiple formats so you can learn from anywhere – online or in person.

