CISA (Certified Information Systems Auditor): Complete Guide 2026
The gold standard for IS audit, control, and security.

What is CISA?
The Certified Information Systems Auditor (CISA) from ISACA is the globally recognized certification for IS audit, control, and assurance professionals. Since 1978, more than 200,000 people have earned this credential.
CISA was shortlisted as the 2025 Best Professional Certification Program by SC Awards. It validates your ability to assess IT systems, identify vulnerabilities, and ensure compliance.
Exam Format & Details
Understanding the CISA exam format helps you prepare effectively. The exam tests your ability to apply IS audit knowledge to real-world scenarios.
Quick Exam Facts
- Duration: 4 hours (240 minutes)
- Format: 150 multiple choice questions
- Passing Score: 450/800 (scaled scoring)
- Cost: $575 (members) / $760 (non-members)
- Experience: 5 years in IS audit (with substitutions)
- Validity: 3 years (40 CPE hours annually)
- Delivery: PSI test centers worldwide or remote proctored
ISACA uses scaled scoring, meaning your score reflects question difficulty, not just the number correct. Some questions are pretest items that don't count toward your score.
The 5 CISA Domains (Updated August 2024)
| Domain | Weight |
|---|---|
| 1. Information System Auditing Process | 21% |
| 2. Governance and Management of IT | 16% |
| 3. IS Acquisition, Development & Implementation | 18% |
| 4. IS Operations and Business Resilience | 20% |
| 5. Protection of Information Assets | 25% |
Domain 1: IS Auditing Process (21%)
- Planning and executing IS audits
- Audit standards and guidelines
- Risk-based audit planning
- Evidence collection and evaluation
- Communicating audit results
Domain 2: Governance and Management of IT (16%)
- IT governance frameworks
- IT strategy and policies
- IT resource and portfolio management
- IT organizational structure
Domain 3: IS Acquisition, Development & Implementation (18%)
- Project governance and management
- System development lifecycle
- Application controls
- System implementation and migration
Domain 4: IS Operations and Business Resilience (20%)
- IT service management
- IT operations
- Business continuity planning
- Disaster recovery
Domain 5: Protection of Information Assets (25%)
- Information security management
- Logical and physical access controls
- Network and endpoint security
- Security incident management
- AI and emerging technology security
2024/2025 Domain Updates
ISACA updated the exam content outline in August 2024:
- Greater emphasis on business resilience (Domain 4)
- Increased focus on information asset protection (Domain 5 - now 25%)
- AI and emerging technology security coverage added
- Updated weights to reflect current industry priorities
Experience Requirements
CISA requires 5 years of professional IS audit, control, or security work experience. However, substitutions are available:
Experience Substitutions
- Master's degree: 1 year waived
- Bachelor's degree: 1 year waived (in IS-related field)
- CISM, CGEIT, CRISC: 1 year waived each
- Other certs (CISSP, CIA): 1 year waived
- University instructor: 1 year waived per 2 years teaching
- Maximum substitution: 3 years
Important Note
You can take and pass the exam before meeting the experience requirement. You have 5 years from the exam date to submit your experience verification. Your certification becomes active once experience is approved.
Study Strategy & Resources
Most candidates study 3-4 months for CISA. Here's a proven approach:
Phase 1: Foundation (Weeks 1-4)
- Read ISACA CISA Review Manual cover to cover
- Take notes on unfamiliar concepts
- Focus on understanding the ISACA mindset
- Complete domain review questions
Phase 2: Deep Dive (Weeks 5-10)
- Study each domain individually
- Use ISACA QAE Database for practice questions
- Create flashcards for key terms and concepts
- Watch video courses for complex topics
Phase 3: Practice & Review (Weeks 11-14)
- Take full-length practice exams under test conditions
- Review incorrect answers thoroughly
- Focus on weak domains identified in practice tests
- Aim for 75%+ on practice exams before scheduling
Recommended Resources
- Official: ISACA CISA Review Manual (27th Edition)
- Practice Questions: ISACA QAE Database, ExamCert
- Video Courses: ISACA Online Review Course, Pluralsight
- Supplementary: IT Auditing by Chris Davis
Exam Day Tips
Maximize your performance with these strategies:
Before the Exam
- Get 7-8 hours of sleep the night before
- Arrive 30 minutes early for check-in
- Bring two forms of valid ID
- Avoid last-minute cramming
During the Exam
- Time management: ~96 seconds per question
- Read carefully: Look for "BEST," "FIRST," "MOST IMPORTANT"
- Think like an auditor: Focus on risk, controls, compliance
- ISACA perspective: Choose answers ISACA would prefer
- Flag and move: Don't get stuck on difficult questions
Key CISA Mindset
- Auditors advise and assess - they don't implement
- Risk-based approach is always preferred
- Documentation and evidence are essential
- Management is responsible for controls
- Independence and objectivity are paramount
Career Impact & Salaries
CISA is highly valued in audit, compliance, and GRC roles:
Salary Expectations
- United States: $110,000 - $160,000+ USD
- United Kingdom: £60,000 - £100,000 GBP
- Australia: $120,000 - $180,000 AUD
- IT Audit Director: $150,000 - $220,000+ USD
Job Roles Requiring CISA
- IT Auditor / IS Auditor
- IT Audit Manager / Director
- Information Security Manager
- GRC Analyst / Manager
- Compliance Officer
- Internal Audit Manager
Industry Demand
- Required by Big 4 accounting firms for IT audit roles
- Valued in financial services, healthcare, government
- Growing demand due to increased regulatory requirements
- Over 200,000 certified professionals worldwide
Frequently Asked Questions
How hard is the CISA exam?
CISA is moderately difficult, with a first-time pass rate around 50%. The exam tests your ability to apply IS audit concepts to real scenarios, not just memorize facts. Candidates with actual IT audit experience have a significant advantage. Most candidates study 3-4 months with dedicated effort.
What is the CISA passing score?
You need a scaled score of 450 out of 800 to pass CISA. ISACA uses scaled scoring based on question difficulty, so there's no fixed percentage. The exam has 150 multiple choice questions over 4 hours.
Can I take CISA without 5 years experience?
Yes! You can take and pass the exam first, then work on meeting the experience requirement. You have 5 years from the exam date to submit experience verification. Substitutions (education, other certifications) can reduce the requirement by up to 3 years.
CISA vs CIA - which should I get?
CISA focuses specifically on IS/IT audit, while CIA (Certified Internal Auditor) covers all types of internal audit including operational and financial. If your career is in IT audit specifically, choose CISA. For broader internal audit roles across all business areas, CIA is better. Many senior auditors hold both certifications.
Is CISA worth it in 2025?
Absolutely. With increasing regulatory requirements (SOX, GDPR, etc.) and cybersecurity concerns, demand for qualified IS auditors continues to grow. CISA holders typically earn 15-25% more than non-certified peers, and the certification is required by most Big 4 firms for IT audit positions.
How long is CISA certification valid?
CISA is valid for 3 years. To maintain certification, you must earn 120 CPE hours over the 3-year cycle, which works out to 40 CPE hours annually, with a minimum of 20 hours in any single year. You also pay an annual maintenance fee of $45 (members) or $85 (non-members).
