CISA Exam Guide: Format, Domains, and How to Pass
A complete CISA exam guide — the fixed-form format, all 5 job practice domains and their weights, the 450/800 passing score, experience requirements, and how to prepare.
The CISA (Certified Information Systems Auditor) is ISACA’s credential for professionals who audit, control, and assess information systems. It is the recognized standard for IS audit work and is widely required for audit, assurance, and IT governance roles.
This guide covers what the exam is, how it is scored, what it tests, and how to prepare for it. ISACA updates the exam content and policies periodically, so confirm the current details on the official ISACA site before you book.
The CISA exam format: fixed-form, not adaptive
Unlike the CISSP CAT, the CISA exam is a fixed-form, linear test. Every candidate answers the same number of questions, and the exam does not change difficulty based on your performance. There are 150 multiple-choice questions, and you have a four-hour window to complete them.
Because the form is fixed, you can move freely through the exam — review your answers, flag questions, and come back to them. This rewards a deliberate strategy: answer what you know first, mark the rest, and use your remaining time on the harder items.
Fixed-form means you control the clock
With 150 questions in four hours you have roughly 90 seconds per question. Do not burn five minutes on a single scenario — flag it, keep moving, and return once you have banked the easy points.
The 5 CISA domains
The CISA job practice is organized into 5 domains, each carrying a different weight on the exam. Allocate your study time to match those weights rather than studying everything evenly.
- Information Systems Auditing Process — planning and executing audits, evidence, and reporting; the foundation of the credential.
- Governance and Management of IT — IT strategy, policies, organizational structure, and how IT aligns with the business.
- Information Systems Acquisition, Development and Implementation — project management, development practices, and controls over new systems.
- Information Systems Operations and Business Resilience — operations management, continuity, backup, and disaster recovery.
- Protection of Information Assets — security controls, access management, and physical and logical safeguards.
What the questions are really like
CISA questions are written from the auditor’s chair. They rarely ask you to recall a fact in isolation; instead they describe a situation and ask what an auditor should do, conclude, or recommend. The expected answer reflects independence, objectivity, and evidence — not the answer an engineer or administrator would give.
A common trap is choosing the technically "correct" fix when the question is really asking what an auditor reports or verifies. Train yourself to ask: what would best support an objective, evidence-based opinion? That mindset separates passing candidates from those who know the material but answer like a practitioner instead of an auditor.
Scoring and the passing standard
CISA is reported on a scaled score that ranges from 200 to 800, and the passing standard is 450. The scaled score is not a raw percentage — ISACA converts your performance to the common scale so results are comparable across exam forms.
The practical takeaway: do not chase a percentage on practice tests. Build consistent competence across all 5 domains, because a single weak domain can drag a scaled score below the line even when your overall accuracy looks healthy.
Experience requirements and certification
Passing the exam is one part of becoming certified. CISA requires a minimum of five years of professional experience in information systems auditing, control, assurance, or security. ISACA allows substitutions and waivers — for example, certain degrees or related experience can offset part of the requirement, typically up to a defined maximum.
You can sit and pass the exam before you have the full experience; you then have a window to apply for certification once you meet the requirement. Confirm the current waiver rules and application window on the ISACA site, as they are periodically adjusted.
A study plan that tells you when you are ready
CISA rewards steady, structured study over cramming. The candidates who pass are the ones who practice questions in the auditor mindset, review what they miss on a schedule, and measure readiness rather than hours. A plan that works looks like this:
- Start with a diagnostic to find your weakest of the 5 domains on day one.
- Study 20–40 focused minutes daily — weakest domain first, due reviews always.
- Use spaced repetition so missed concepts return at the right interval.
- Drill scenario questions and explain why the auditor answer beats the technician answer.
- Book your real exam when your readiness score clears the passing zone and a full practice exam confirms it.
Know your number
CramKit gives you a readiness score that blends accuracy, domain coverage, and consistency, so you can book the exam when the data says you are ready — not when you have simply run out of time to study.
Frequently asked questions
How many questions is the CISA exam?
The CISA exam has 150 multiple-choice questions delivered in a fixed-form (non-adaptive) format, with a four-hour time limit. Confirm the current question count and timing on the official ISACA site.
What is the CISA passing score?
CISA is reported on a scaled score from 200 to 800, and you need 450 to pass. The scaled score is not a raw percentage correct — ISACA converts your performance onto a common scale.
Is the CISA exam adaptive like the CISSP?
No. CISA is a fixed-form, linear exam — every candidate gets the same number of questions and you can move back and forth to review and change answers, unlike the adaptive CISSP CAT.
How much experience do I need for CISA?
CISA requires five years of professional experience in IS audit, control, assurance, or security. ISACA allows substitutions and waivers (such as relevant degrees) up to a defined maximum, and you can pass the exam before completing the full requirement.