Study Guides | March 17, 2026 | 16 min read

I Failed the CISA Once — Here's the Study Guide That Fixed Everything (2026)

The honest, domain-by-domain study guide I wish I had before my first CISA attempt.

How I Bombed the CISA (And What Changed the Second Time)

Score report: 410. Passing is 450. Forty points. That's the gap between "Congratulations" and staring at a screen wondering where $575 went.

My mistake was obvious in hindsight. I studied the CISA like a tech exam. I memorized frameworks, control types, and audit procedures. But the exam doesn't care if you can recite COBIT from memory. It cares whether you can think like an auditor and choose the most appropriate action in messy, ambiguous scenarios.

Second attempt: 612. Comfortable pass. Same brain, different approach. Here's exactly what changed.

What the CISA Actually Tests (It's Not What You Think)

The ISACA CISA exam tests your ability to evaluate, audit, and report on information systems. But here's what most study guides won't tell you: roughly 60% of the questions are scenario-based. They give you a situation and ask what an auditor should do first, next, or most importantly.

The Auditor Mindset

This is the single most important concept for passing the CISA. You need to think like an IS auditor, not an IT professional:

  • Auditors assess — they don't fix. If a question asks what to do about a control weakness, the answer is usually "report it" or "recommend remediation," not "fix it yourself."
  • Risk drives everything. The "correct" action always considers risk first. What's the risk? How material is it? What controls mitigate it?
  • Evidence is king. Auditors need evidence to support findings. No evidence = no finding.
  • Independence matters. An auditor should never compromise their independence. Any answer that involves the auditor implementing controls is probably wrong.

I can't stress this enough. On my first attempt, I kept picking answers that a sysadmin would choose. On my second attempt, I asked myself "what would a cautious, evidence-obsessed auditor do?" and suddenly the answers made sense.

CISA Exam Format: The 2026 Version

Detail          Info
Questions       150
Duration        4 hours
Passing Score   450 (scaled, out of 200-800)
Format          Multiple choice
Cost            $575 (ISACA members) / $760 (non-members)
Experience      5 years IS audit/control/security (waivers available)

Domain Weights (Current Exam Outline)

Domain                                                        Weight   What It Really Tests
1. Information Systems Auditing Process                       21%      How audits are planned, executed, and reported
2. Governance and Management of IT                            17%      IT governance frameworks, strategy alignment
3. Information Systems Acquisition, Dev & Implementation      12%      SDLC, project management, change control
4. Information Systems Operations and Business Resilience     23%      Operations, BCP/DRP, incident management
5. Protection of Information Assets                           27%      Security controls, access management, encryption

Domain 5 is the heavyweight at 27%. Combined with Domain 4 (23%), half the exam is about operations and security. Don't ignore Domains 2 and 3, but allocate your study time proportionally.

The Study Plan That Actually Works

Here's the 10-week plan I used for my second attempt. It's designed for people working full-time, assuming 12-15 hours of study per week.

Weeks 1-2: Domain 1 — The Audit Process

Start here because everything else builds on understanding how audits work.

  • Learn audit planning, scoping, and objectives
  • Study risk-based audit planning — this is fundamental
  • Understand audit evidence types: physical, documentary, analytical, testimonial
  • Master sampling methodologies: statistical vs. non-statistical, attribute vs. variable
  • Learn how to write audit findings and reports
  • Take 50 practice questions on Domain 1

The sampling stuff is dry. Power through it. You'll get at least 5-8 questions on sampling, and they're easy points if you know the formulas.

Weeks 3-4: Domain 5 — Protection of Information Assets

Yes, I'm jumping to Domain 5 early. It's 27% of the exam and the content is more tangible than Domains 2-3. Building momentum matters.

  • Study access control models: MAC, DAC, RBAC — know the differences cold
  • Learn network security: firewalls, IDS/IPS, VPNs, network segmentation
  • Understand encryption fundamentals: symmetric vs. asymmetric, hashing, digital signatures
  • Review physical and environmental controls
  • Study data classification and handling
  • Practice 80+ questions on Domain 5

If you have a security background (maybe you've studied for CISSP or CEH), this domain will feel familiar. But remember — the CISA tests these topics from an audit perspective. You need to know how to evaluate whether encryption is properly implemented, not how to implement it yourself.

Weeks 5-6: Domain 4 — Operations & Business Resilience

  • Study IT service management and operational procedures
  • Deep dive into BCP/DRP: RPO, RTO, MTPD, testing strategies
  • Learn incident management processes and escalation
  • Understand change management and configuration management
  • Review database management and data governance basics
  • Practice 70+ questions on Domain 4

BCP/DRP is high-yield. You will absolutely get questions about recovery strategies, and they love asking about the difference between hot sites, warm sites, and cold sites. It's also where they test your understanding of which recovery strategy is appropriate given a specific RTO.

Weeks 7-8: Domains 2 & 3

I paired these because they're related (governance drives acquisition/development decisions) and together they're only 29% of the exam.

  • Domain 2: IT governance structures, COBIT framework, IT strategy alignment with business
  • Domain 2: IT resource management, performance monitoring, quality management
  • Domain 3: SDLC phases and auditor's role in each phase
  • Domain 3: Project management and change management controls
  • Domain 3: System testing types — unit, integration, system, acceptance, regression
  • Practice 60+ questions across both domains

Domain 3 is only 12% but it's deceptively tricky. Questions about the SDLC often hinge on when the auditor gets involved (hint: as early as possible) and what kind of testing catches what kind of defects.

Weeks 9-10: Practice Tests and Targeted Review

  • Take a full-length CISA practice exam — simulate real conditions (4 hours, no breaks)
  • Score it and identify your weakest domains
  • Spend 3-4 days on targeted review of weak areas
  • Take a second full practice test
  • Final days: light review, focus on auditor mindset questions

🎯 The Magic Number

Aim for 70%+ consistently on practice tests before sitting the real exam. The CISA's scaled scoring means that 70% on quality practice tests usually translates to a comfortable pass. Below 65%? You need more time.

Best CISA Study Resources (What I Actually Used)

Primary Resources

  • ISACA CISA Review Manual — the official guide. Dense and sometimes unclear, but it's the source material for exam questions. Read it at least once.
  • ISACA QAE (Questions, Answers & Explanations) — the official question database. Worth every penny. The question style matches the real exam better than any third-party source.
  • ExamCert CISA Practice Tests — great for domain-specific drilling with detailed explanations. I used these daily in weeks 9-10.

Supplementary Resources

  • Hemang Doshi's CISA videos on YouTube — excellent for visual learners. His explanations of audit concepts are clearer than the textbook.
  • Peter Gregory's CISA Study Guide — much more readable than the official manual. Good for a first pass before tackling the ISACA material.
  • Reddit r/CISA — recent exam feedback and community study tips. Read the "I just passed" posts for real insights.

The 6 Traps That Catch Everyone on the CISA

1. Choosing the "Fix It" Answer

When you see a control weakness, your instinct is to fix it. Resist. Auditors report findings — they don't implement solutions. If an answer says "the auditor should configure..." it's almost certainly wrong.

2. Ignoring the "FIRST" and "MOST" Qualifiers

These words change everything. "What should an auditor do first?" has a different answer than "What should an auditor do?" First usually means planning, scoping, or understanding the risk — not jumping into testing.

3. Over-studying Technical Details

You don't need to know how to configure a firewall rule. You need to know how to audit whether firewall rules are appropriate. Focus on controls and assessment, not implementation.

4. Neglecting Business Continuity

BCP/DRP questions show up everywhere — not just in Domain 4. You might get a Domain 1 question about auditing a BCP or a Domain 5 question about backup encryption. Know BCP concepts cold.

5. Studying All Domains Equally

Domain 5 is 27%. Domain 3 is 12%. Spending equal time on both is mathematically foolish. Weight your study time to match domain weights, with extra time on your personal weak areas.

6. Not Practicing Under Exam Conditions

Four hours. 150 questions. No breaks (well, you can take one, but the clock keeps running). If you've never sat through a 4-hour practice test, the mental fatigue will surprise you. Do at least two full-length timed practice exams.

CISA vs. Other Certifications

Wondering how the CISA fits into the bigger picture? Here's how it compares to similar certs.

Certification   Focus                                 Best For
CISA            IS auditing, governance, controls     IT auditors, compliance professionals
CISM            Information security management       Security managers, CISOs
CISSP           Broad information security            Security professionals, architects
CRISC           IT risk management                    Risk analysts, GRC professionals

For a deeper dive, check our CISA vs. CISM and CISA vs. CISSP comparison guides.

Exam Day: What I Did Differently the Second Time

  • Slept 8 hours. First time I stayed up reviewing until 1 AM. Bad move.
  • Ate a real breakfast. Not coffee and anxiety.
  • Read every question twice. Slowly. I caught at least 5 questions where I would've picked the wrong answer on a speed read.
  • Flagged the hard ones. Instead of spending 5 minutes on a tough question, I flagged it and moved on. Came back with fresh eyes after finishing the easy ones.
  • Asked "what would an auditor do?" before every answer. Not a sysadmin. Not a manager. An auditor.

For more tips on the testing experience, check out our Pearson VUE troubleshooting guide and online proctoring tips.

Frequently Asked Questions

How many hours of study does the CISA require?

Most successful candidates report 150-200 hours of total study time. If you have IT audit experience, you may need less. Plan for 12-15 hours per week over 10-14 weeks.

Is the CISA exam harder than CISSP?

They test different things. CISA focuses on auditing processes, controls, and governance. CISSP is broader and covers more technical security domains. Many find CISA harder because the auditing mindset is unfamiliar — even for experienced IT pros.

What is the CISA passing score in 2026?

ISACA uses a scaled scoring system from 200 to 800. You need 450 or higher to pass. This doesn't correspond to a simple percentage — it's a scaled score based on question difficulty.

Can I pass CISA without audit experience?

Yes, many IT professionals pass without formal audit experience. But you must learn to think like an auditor — focusing on controls, evidence, risk assessment, and compliance rather than technical implementation.

How often does the CISA exam content change?

ISACA updates the CISA exam periodically. Always check ISACA's official exam content outline for the latest version before starting your prep.