The CISA® (Certified Information Systems Auditor®) credential, awarded by ISACA®, is the gold standard for IT audit, control and assurance professionals. Since its introduction in 1978, it has been one of the most sought-after qualifications for audit, risk and compliance leadership positions.
CISA covers five domains, updated in August 2024 to reflect changes in technology, risk management and governance frameworks. Regular domain updates ensure the exam stays aligned with real-world job roles and emerging industry trends.
What are the 5 CISA domains?
| CISA domain | Exam weighting |
|---|---|
| 1. Information Systems Auditing Process | 18% |
| 2. Governance & Management of IT | 18% |
| 3. Information Systems Acquisition, Development & Implementation | 12% |
| 4. Information Systems Operations & Business Resilience | 26% |
| 5. Protection of Information Assets | 26% |
Our CISA exam preparation course covers these five domains in depth.
Summary of the CISA domains
1. Information Systems Auditing Process
This domain examines candidates’ ability to understand an organisation’s IS (information systems)/IT (information technology) security, risk and control solutions. It comprises 18% of the CISA exam and covers:
| A – Planning | B – Execution |
|---|---|
| IS Audit Standards, Guidelines, and Codes of Ethics | Audit Project Management |
| Types of Audits, Assessments, and Reviews | Audit Testing and Sampling Methodology |
| Risk-Based Audit Planning | Audit Evidence Collection Techniques |
| Types of Controls and Considerations | Audit Data Analytics |
| Reporting and Communication Techniques | |
| Quality Assurance and Improvement of Audit Process | |
2. Governance & Management of IT
This domain examines candidates’ ability to identify critical issues and recommend ways of supporting and safeguarding IT governance. It comprises 18% of the CISA exam and covers:
| A – IT governance | B – IT management |
|---|---|
| Laws, Regulations, and Industry Standards | IT Resource Management |
| Organisational Structure, IT Governance, and IT Strategy | IT Vendor Management |
| IT Policies, Standards, Procedures and Practices | IT Performance Monitoring and Reporting |
| Enterprise Architecture and Considerations | Quality Assurance and Quality Management of IT |
| Enterprise Risk Management | |
| Privacy Programme and Principles | |
| Data Governance and Classification | |
3. Information Systems Acquisition, Development & Implementation
This domain examines candidates’ understanding of IT controls and how IT relates to business. It comprises 12% of the CISA exam and covers:
| A – Information systems acquisition and development | B – Information systems implementation |
|---|---|
| Project Governance and Management | System Readiness and Implementation Testing |
| Business Case and Feasibility Analysis | Implementation Configuration and Release Management |
| System Development Methodologies | System Migration, Infrastructure Deployment, and Data Conversion |
| Control Identification and Design | Post-implementation Review |
4. Information Systems Operations & Business Resilience
This domain also examines candidates’ understanding of IT controls and how IT relates to business. It comprises 26% of the CISA exam and covers:
| A – Information systems operations | B – Business resilience |
|---|---|
| IT Components | Business Impact Analysis |
| IT Asset Management | System and Operational Resilience |
| Job Scheduling and Production Process Automation | Data Backup, Storage, and Restoration |
| System Interfaces | Business Continuity Plan |
| Shadow IT and End-User Computing | Disaster Recovery Plans |
| Systems Availability and Capacity Management | |
| Problem and Incident Management | |
| IT Change, Configuration, and Patch Management | |
| Operational Log Management | |
| IT Service Level Management | |
| Database Management | |
5. Protection of Information Assets
This domain examines candidates’ understanding of cyber security best practices. It comprises 26% of the CISA exam and covers:
| A – Information asset security and control | B – Security event management |
|---|---|
| Information Asset Security Frameworks, Standards, and Guidelines | Security Awareness Training and Programmes |
| Physical and Environmental Controls | Information System Attack Methods and Techniques |
| Identity and Access Management | Security Testing Tools and Techniques |
| Network and End-Point Security | Security Monitoring Tools and Techniques |
| Data Loss Prevention | Security Incident Response Management |
| Data Encryption | Evidence Collection and Forensics |
| Public Key Infrastructure | |
| Cloud and Virtualized Environments | |
| Mobile, Wireless, and Internet-of-Things Devices | |
CISA exam format and maintenance
- 150 multiple-choice questions – 4-hour duration.
- Passing scaled score: 450 on a scale of 200–800.
- Entry requirements: no experience is needed to sit the exam, but 5 years of professional experience in IS auditing, control or security (waivers available) is required to earn the certification.
- Cost: US$575 for ISACA members; US$760 non-members.
- Maintenance: 120 CPE (Continuing Professional Education) hours over 3 years (minimum 20 per year), and compliance with ISACA Code and audit standards.
Why choose CISA?
While mastering CISA’s five domains demands effort, the resulting professional credibility and strategic insight make it a vital qualification. It proves you can audit, control, secure and manage IT systems – an attractive skillset for employers worldwide.
- CISA is globally recognised and accredited under ISO/IEC 17024.
- Over 200,000 professionals are currently CISA certified – a testament to its prestige.
- The qualification validates both technical audit expertise and strategic governance skills.
- It also opens career paths: IT auditor, compliance manager, risk officer, resilience specialist and more.
Earn your CISA credential
IT Governance is an ISACA Accredited Partner. Our experts have designed our CISA Training Course to help ensure you pass the exam first time.
It uses the official ISACA curriculum and includes the ISACA CISA Review Questions, Answers & Explanations Manual. Successful completion of the course leads to 28 CPD points.
It’s also available in multiple formats so you can learn from anywhere – online or in person.
The post The 5 CISA Domains Explained appeared first on IT Governance Blog.