How Long to Study for the CISA Exam?
Most people need 80 to 250 hours — roughly 12 to 24 weeks — depending on how much real IT-audit experience they bring. Here is the honest timeline by experience level, a week-by-week plan, and why learning to think like an auditor matters more than raw hours.

01 The short answer
The CISA is not really a memorisation exam, and that is exactly why raw hours matter less than how you spend them. The 2026 exam is 150 multiple-choice questions in 240 minutes (four hours), scored on a scaled range of 200–800 with 450 as the pass mark. The hardest part for most candidates is not the volume of material — it is learning to answer from the auditor’s perspective. Many questions ask what an auditor should do BEST or FIRST in a scenario, and the “technically correct” answer is often not the one ISACA wants. Building that judgement eats more of your hours than reading ever will.
That auditor lens is why people with the same job title finish in wildly different times. A network engineer might know encryption inside out yet still pick the wrong option on a Domain 5 question, because the engineer’s instinct is to fix the weakness while the auditor’s job is to assess and report it against a control objective. So when you estimate your hours, be honest about how much of your study is closing knowledge gaps versus retraining your instincts — for most candidates the second half is the slower, more valuable work, and it is what the timeline below is built around.
02 How long it takes by experience level
Your starting point matters more than any other factor. Find the lane that sounds most like you — the bar shows roughly how much ground you have to cover, and how much of that is learning the auditor mindset rather than new facts.
Working IT auditor
80–120 hrs
You audit IT controls today and already think in terms of risk, evidence, and findings. You mainly need to map your experience onto ISACA’s vocabulary and the five-domain Exam Content Outline.
Pace: ~8–12 weeks at 10 hrs/week
IT / security pro new to audit
150–200 hrs
You know systems, networks, and security but have never sat on the audit side. The technical domains feel familiar; the governance, control-testing, and “BEST next step” auditor judgement are the new ground.
Pace: ~14–18 weeks at 10–12 hrs/week
New to IT audit
250+ hrs
You are growing into the field and the vocabulary, audit process, governance frameworks, and the heavy operations and information-protection domains are mostly unfamiliar territory.
Pace: ~20–24 weeks at 10–12 hrs/week
03 A week-by-week study plan
This is the “IT pro new to audit” track — a common middle-ground starting point. Compress it toward 12 weeks if you already audit for a living, or stretch it past 20 if IT audit is brand new. The order matters: learn the auditor lens early, then weight your time toward the two heaviest domains.
1–2
Auditing-process foundations (D1, 18%)
Skim the ISACA Exam Content Outline, learn the five domains and their weights, and work through the IS auditing process: planning, risk-based scoping, evidence, sampling, and reporting findings. Goal: internalise the auditor’s “independent, evidence-first” mindset before any deep study.
~25–30 hrs
3–5
Governance & management of IT (D2, 18%)
IT strategy, policies, frameworks, roles, and risk management. Learn how governance failings turn into audit findings. Drill 20–30 scenario questions per session and review every miss, watching for “what should the auditor recommend” phrasing.
~30–35 hrs
6–7
IS acquisition, development & implementation (D3, 12%)
Project governance, the SDLC, controls in development, testing, and post-implementation review. The smallest domain by weight, but rich in “BEST control” questions, so practise spotting the control that an auditor would expect.
~20–25 hrs
8–10
IS operations & business resilience (D4, 26%)
One of the two heaviest domains: operations management, incident handling, backups, business continuity, and disaster recovery. Give it real time and keep asking what the auditor would test and what evidence proves the control works.
~35–40 hrs
11–13
Protection of information assets (D5, 26%)
The other heavyweight: access controls, network and endpoint security, encryption, and physical security — all viewed through an audit lens. Half the exam sits in D4 and D5 combined, so this is where extra hours pay off most.
~35–40 hrs
14–15
Full-length practice exams
Sit at least three complete 150-question, timed simulations. Score each domain separately and pour your remaining time into whichever falls below 75%. Pay special attention to the auditor-judgement questions where two options are technically correct.
~25–30 hrs
16
Final review & book
Light review of weak domains, re-read the auditing-process and control fundamentals, rest the day before, and sit the exam. Don’t cram new material in the last 48 hours — protect your recall and your judgement.
~10 hrs
04 What makes your timeline faster or slower
Two people with identical job titles can need wildly different hours. These are the factors that move the needle most.
▲ Speeds you up
- You already perform IT audits and think in controls and risk
- Hands-on exposure to governance frameworks like COBIT
- You can study in long, focused blocks rather than scraps
- A strong prep course with a large question bank
- You test yourself early instead of only reading
▼ Slows you down
- No audit background, so the auditor mindset is new
- The heavy D4 and D5 material is unfamiliar territory
- Studying 30–45 minutes at a time around a full-time job and family
- English is a second language (more reading time per question)
- Relying on reading and videos instead of practice questions
05 A realistic weekly schedule
Most people pass while working full time. The trick is consistency, not heroics — this ~11-hour week is sustainable across the whole 12–16 weeks, and it deliberately front-loads practice questions over passive reading. Notice that every weekday block ends in reviewing your misses, not just answering more: the wrong-answer review is where the auditor mindset actually forms, because you are forced to articulate why the BEST answer beats the merely-correct one.
| Day | Time | Focus |
|---|---|---|
| Mon–Thu | 1.5 hrs (evening) | Read one domain topic, then answer 20–25 practice questions and review every miss — especially the auditor-judgement ones |
| Friday | Rest | No study — protect against burnout |
| Saturday | 3 hrs | One timed mini-mock (45–60 questions) plus a full review of every wrong answer and why the right one wins |
| Sunday | 2 hrs | Attack your weakest domain (usually D4 or D5) and refresh flashcards for key controls and frameworks |
06 FAQ
How many hours do you need to study for the CISA?
Most candidates need 80–250 hours of focused study. Experienced IT auditors who already think in controls and risk terms can be ready in roughly 80–120 hours; people new to IT audit usually need 250 hours or more. Spread over a typical 10–12 hours per week, that works out to about 12–24 weeks, or roughly three to six months.
Can you study for the CISA in one month?
It is realistic only for working IT auditors who can commit several hours a day and already think in terms of controls, risk, and evidence. For someone newer to audit studying 1–2 hours an evening, one month is far too tight, especially for the heavy Domain 4 and Domain 5 material. A 12-week plan is far safer for most working professionals.
What is the passing score for the CISA exam?
CISA uses a scaled score from 200 to 800, and you need 450 or higher to pass. That scaled figure is not a simple percentage of questions correct. As a practical readiness proxy, aim to score a consistent 80%+ on full-length practice exams, and make sure you are comfortable with BEST and FIRST auditor-judgement questions, before you book. ISACA does not publish an official pass rate.
Do I need five years of experience before I can take the CISA exam?
No. You can sit and pass the CISA exam at any time. Full certification requires five years of relevant information systems audit, control, or security experience, with waivers available for some education and other certifications, and that experience can be earned within the ten years before you apply or within five years after you pass the exam. Many people pass the exam first and then complete their experience.
