
What is covered on the CISA exam?

The Certified Information Systems Auditor® (CISA®) exam consists of 150 questions covering five job practice domains, all testing your knowledge of and ability in real-life job practices used by expert professionals. (Note: ISACA recently updated CISA's job practice and exam-prep material.)


ISACA's commitment

Since its inception in 1978, more than 200,000 people have obtained ISACA’s CISA certification to validate their expertise in understanding and performing vital roles in audit, security and control. The domains, subtopics and tasks are the results of extensive research, feedback and validation from subject matter experts and prominent industry leaders from around the globe.

Job practice areas tested for and validated by a CISA certification

18% DOMAIN 1 – INFORMATION SYSTEMS AUDITING PROCESS

Providing industry-standard audit services to assist organizations in protecting and controlling information systems, Domain 1 affirms your credibility to offer conclusions on the state of an organization's IS/IT security, risk and control solutions.

A–PLANNING

  1. IS Audit Standards, Guidelines, and Codes of Ethics
  2. Types of Audits, Assessments, and Reviews
  3. Risk-Based Audit Planning
  4. Types of Controls and Considerations

B–EXECUTION

  1. Audit Project Management
  2. Audit Testing and Sampling Methodology
  3. Audit Evidence Collection Techniques
  4. Audit Data Analytics
  5. Reporting and Communication Techniques
  6. Quality Assurance and Improvement of Audit Process

18% DOMAIN 2 – GOVERNANCE & MANAGEMENT OF IT

This domain confirms to stakeholders your abilities to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.

A–IT GOVERNANCE

  1. Laws, Regulations, and Industry Standards
  2. Organizational Structure, IT Governance, and IT Strategy
  3. IT Policies, Standards, Procedures and Practices
  4. Enterprise Architecture and Considerations
  5. Enterprise Risk Management 
  6. Privacy Program and Principles
  7. Data Governance and Classification

B–IT MANAGEMENT

  1. IT Resource Management
  2. IT Vendor Management 
  3. IT Performance Monitoring and Reporting
  4. Quality Assurance and Quality Management of IT

12% DOMAIN 3 – INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT & IMPLEMENTATION

Domains 3 and 4 offer proof not only of your competency in IT controls, but also your understanding of how IT relates to business.

A–INFORMATION SYSTEMS ACQUISITION AND DEVELOPMENT

  1. Project Governance and Management
  2. Business Case and Feasibility Analysis
  3. System Development Methodologies
  4. Control Identification and Design

B–INFORMATION SYSTEMS IMPLEMENTATION

  1. System Readiness and Implementation Testing
  2. Implementation Configuration and Release Management
  3. System Migration, Infrastructure Deployment, and Data Conversion
  4. Post-implementation Review

26% DOMAIN 4 – INFORMATION SYSTEMS OPERATIONS & BUSINESS RESILIENCE

Like Domain 3, Domain 4 offers proof not only of your competency in IT controls, but also of your understanding of how IT relates to business.

A–INFORMATION SYSTEMS OPERATIONS

  1. IT Components
  2. IT Asset Management
  3. Job Scheduling and Production Process Automation
  4. System Interfaces
  5. Shadow IT and End-User Computing
  6. Systems Availability and Capacity Management
  7. Problem and Incident Management
  8. IT Change, Configuration, and Patch Management
  9. Operational Log Management
  10. IT Service Level Management
  11. Database Management

B–BUSINESS RESILIENCE

  1. Business Impact Analysis
  2. System and Operational Resilience
  3. Data Backup, Storage, and Restoration
  4. Business Continuity Plan
  5. Disaster Recovery Plans

26% DOMAIN 5 – PROTECTION OF INFORMATION ASSETS

Cybersecurity now touches virtually every information systems role, and understanding its principles, best practices and pitfalls is a major focus within Domain 5.

A–INFORMATION ASSET SECURITY AND CONTROL

  1. Information Asset Security Frameworks, Standards, and Guidelines
  2. Physical and Environmental Controls
  3. Identity and Access Management
  4. Network and End-Point Security
  5. Data Loss Prevention
  6. Data Encryption
  7. Public Key Infrastructure
  8. Cloud and Virtualized Environments
  9. Mobile, Wireless, and Internet-of-Things Devices

B–SECURITY EVENT MANAGEMENT

  1. Security Awareness Training and Programs
  2. Information System Attack Methods and Techniques
  3. Security Testing Tools and Techniques
  4. Security Monitoring Tools and Techniques
  5. Security Incident Response Management
  6. Evidence Collection and Forensics  

Secondary Classifications – Tasks

  1. Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization. 
  2. Conduct audits in accordance with IS audit standards and a risk based IS audit strategy. 
  3. Apply project management methodologies to the audit process. 
  4. Communicate and collect feedback on audit progress, findings, results, and recommendations with stakeholders. 
  5. Conduct post-audit follow up to evaluate whether identified risk has been sufficiently addressed. 
  6. Utilize data analytics tools to enhance audit processes. 
  7. Evaluate the role and/or impact of automatization and/or decision-making systems for an organization.  
  8. Evaluate audit processes as part of quality assurance and improvement programs. 
  9. Evaluate the IT strategy for alignment with the organization's strategies and objectives. 
  10. Evaluate the effectiveness of IT governance structure and IT organizational structure. 
  11. Evaluate the organization's management of IT policies and practices, including compliance with legal and regulatory requirements. 
  12. Evaluate IT resource and project management for alignment with the organization's strategies and objectives. 
  13. Evaluate the organization's enterprise risk management (ERM) program. 
  14. Determine whether the organization has defined ownership of IT risk, controls, and standards. 
  15. Evaluate the monitoring and reporting of IT key performance indicators (KPIs) and IT key risk indicators (KRIs). 
  16. Evaluate the organization's ability to continue business operations. 
  17. Evaluate the organization's storage, backup, and restoration policies and processes. 
  18. Evaluate whether the business cases related to information systems meet business objectives. 
  19. Evaluate whether IT vendor selection and contract management processes meet business, legal, and regulatory requirements. 
  20. Evaluate supply chains for IT risk factors and integrity issues.
  21. Evaluate controls at all stages of the information systems development life cycle. 
  22. Evaluate the readiness of information systems for implementation and migration into production. 
  23. Conduct post-implementation reviews of systems to determine whether project deliverables, controls, and requirements are met. 
  24. Evaluate whether effective processes are in place to support end users. 
  25. Evaluate whether IT service management practices align with organizational requirements. 
  26. Conduct periodic review of information systems and enterprise architecture (EA) to determine alignment with organizational objectives.
  27. Evaluate whether IT operations and maintenance practices support the organization's objectives. 
  28. Evaluate the organization's database management practices. 
  29. Evaluate the organization's data governance program. 
  30. Evaluate the organization's privacy program. 
  31. Evaluate data classification practices for alignment with the organization's data governance program, privacy program, and applicable external requirements. 
  32. Evaluate the organization's problem and incident management program. 
  33. Evaluate the organization's change, configuration, release, and patch management programs. 
  34. Evaluate the organization's log management program. 
  35. Evaluate the organization's policies and practices related to asset life cycle management. 
  36. Evaluate risk associated with shadow IT and end-user computing (EUC) to determine effectiveness of compensating controls. 
  37. Evaluate the organization's information security program. 
  38. Evaluate the organization's threat and vulnerability management program. 
  39. Utilize technical security testing to identify potential vulnerabilities. 
  40. Evaluate logical, physical, and environmental controls to verify the confidentiality, integrity, and availability of information assets. 
  41. Evaluate the organization's security awareness training program. 
  42. Provide guidance to the organization in order to improve the quality and control of information systems. 
  43. Evaluate potential opportunities and risks associated with emerging technologies, regulations, and industry practices.

Getting ready for the current exam

ISACA offers a variety of exam preparation resources including group training, self-paced training and study resources in various languages to help you prepare for the current certification exam. Choose what works for your schedule and your studying needs.

ISACA glossary and CISA translations

Some CISA terms can be lost in translation. That is why ISACA has translated its CISA Terminology List into numerous languages, ensuring learners fully understand the materials. The available translations are listed below. To learn more about key industry terms, consult the ISACA glossary.

Chinese Simplified | French | German | Japanese | Korean | Spanish