Introduction
The Certified Information Systems Auditor (CISA) from ISACA is the world’s most-recognized credential for IT auditors, assurance professionals, and risk-and-controls specialists. While CISSP certifies broad security management capability, CISA certifies audit, assurance, and IT governance capability — and is often required (not just preferred) for senior internal audit, external audit IT specialist, IT risk, and SOX compliance roles.
This guide covers the CISA exam logistics, the five job-practice domains, the experience and substitution rules, costs, and a realistic 4–6 month prep plan.
Who CISA Is For
CISA is the right exam if you:
- Have or will have 5 years of full-time professional IS auditing, control, or security work experience
- Work as an IT auditor, internal auditor (IT specialist), risk analyst, compliance manager, IT GRC consultant, or SOX specialist
- Are pursuing senior audit, risk, or compliance roles
- Need a vendor-neutral credential complementing security certs (Security+, CISSP) for audit-specific resumes
You can sit for the exam without the required experience and complete the experience requirement within 5 years of passing.
CISA Exam Specifications
| Attribute | Detail |
|---|---|
| Exam title | Certified Information Systems Auditor |
| Format | Multiple-choice |
| Questions | 150 |
| Duration | 4 hours |
| Passing score | 450 / 800 (scaled) |
| Cost | $575 (ISACA members) / $760 (non-members) |
| Languages | English, Spanish, French, German, Japanese, Chinese, Korean, Hebrew, Italian, Turkish |
| Delivery | Online proctored (PSI) or test center |
| Validity | 3 years (CPE-based renewal) |
| Application fee | $50 (separate from exam fee) |
| Annual maintenance | $45 (member) / $85 (non-member) |
| Experience requirement | 5 years (substitutions possible — see below) |
Experience Requirement and Substitutions
The requirement is 5 years of professional IS auditing, control, or security work experience. The following substitutions are allowed (maximum 3 years total):
- 1 year for completion of a 2- or 4-year college degree, or 60–120 college semester credits
- 1 year for another approved certification (e.g., CompTIA Security+, CGEIT, CRISC) — see ISACA’s current list
- 2 years for a master’s degree in IS/IT or related field from a regionally accredited school
- 2 years for completion of an ISACA-approved IS management or IS/IT major college program
You must accumulate the qualifying experience within 10 years before the application date OR within 5 years after passing the exam.
CISA Domains (Current Job Practice Areas)
ISACA’s job practice analysis (used through at least 2026) produces five domains:
| Domain | Weight |
|---|---|
| Information Systems Auditing Process | 18% |
| Governance and Management of IT | 18% |
| Information Systems Acquisition, Development, and Implementation | 12% |
| Information Systems Operations and Business Resilience | 26% |
| Protection of Information Assets | 26% |
Domain 1: Information Systems Auditing Process (18%)
- IS audit standards, guidelines, codes of ethics
- Risk-based audit planning
- Audit project management (objectives, scope, resources)
- Audit evidence: sufficiency, reliability, relevance, usefulness
- Sampling techniques (statistical vs. non-statistical)
- Audit reporting: findings, recommendations, follow-up
- Audit data analytics and continuous auditing
Domain 2: Governance and Management of IT (18%)
- IT governance frameworks (COBIT, ISO/IEC 38500)
- IT strategy alignment with business strategy
- Organizational structures, roles, responsibilities
- Maturity models and capability assessments
- IT policy framework
- Enterprise risk management (ERM) and IT risk
- Performance monitoring (KPIs, KGIs, balanced scorecard)
- IT investment management
Domain 3: IS Acquisition, Development, and Implementation (12%)
- Project management methodologies (waterfall, agile, DevOps)
- Business case and feasibility analysis
- Requirements management
- Acquisition: RFPs, vendor evaluation, contracts
- Development: SDLC controls, configuration management, change management
- Testing types (unit, integration, system, UAT, regression)
- Implementation: data migration, go-live decisions, post-implementation review
Domain 4: IS Operations and Business Resilience (26%) — Tied Largest
- Common IS operations: scheduling, capacity, problem and incident management
- Service-level management
- Change, configuration, release, patch management
- Asset and license management
- Database management
- BCP / DRP fundamentals
- Business impact analysis (BIA); recovery point objective (RPO), recovery time objective (RTO), and maximum tolerable downtime (MTD)
- Backup and restoration
Domain 5: Protection of Information Assets (26%) — Tied Largest
- Information security governance and policy
- IAM, authentication, authorization
- Network security architecture
- Wireless and remote access security
- Cryptography fundamentals (audit perspective)
- Physical and environmental security
- Cloud and virtualization security (audit angle)
- Data classification and DLP
- Incident response and forensics
What Makes CISA Hard
- “Auditor mindset” matters more than technical depth. Right answers usually relate to evidence, controls, governance, and risk — not technical implementation.
- Memorization-heavy on frameworks. COBIT, ISO 38500, COSO, NIST CSF all surface in scenarios.
- Sampling and audit evidence questions. Statistical sampling concepts (attribute vs. variable sampling) are tested.
- 150 questions in 4 hours is long-form testing — endurance matters.
- Scaled scoring (450/800) means you don’t know what percentage of correct answers guarantees a pass. Aim for roughly 80% or better on practice mocks.
The CISA Mindset
CISA rewards independence, evidence, and governance thinking:
- Wrong: “Recommend installing an EDR solution.”
- Right (CISA): “Recommend that management evaluate EDR solutions consistent with the risk treatment plan; ensure procurement and implementation follow established change management procedures.”
You’re an auditor, not an engineer or manager. You evaluate controls, document findings, and recommend — you don’t implement.
Recommended 4–6 Month Study Plan
Month 1: Domains 1 + 2
- IS audit process and standards
- Governance frameworks (COBIT, ISO 38500)
- Risk management
Month 2: Domain 3 + first half of Domain 4
- Project management and SDLC controls
- Change management
- Service management
Month 3: Second half of Domain 4 + first half of Domain 5
- BCP/DRP, BIA, RPO/RTO
- IAM controls
- Network security controls (audit angle)
Month 4: Second half of Domain 5 + integration
- Cryptography (audit-level depth)
- Cloud and virtualization audit considerations
- DLP, classification
- Incident response from audit perspective
Months 5–6: Practice exams and review
- 5+ full-length mocks from Sailor.sh’s CISA mock exam bundle
- Re-study weak domains
- ISACA’s QAE database for direct question style practice
- Train the “auditor mindset” through scenario practice
Resources
- ISACA CISA Review Manual (current edition) — the canonical text
- ISACA QAE (Questions, Answers, Explanations) database — the closest analog to real exam questions
- CISA Online Review Course (ISACA) — official self-paced course
- Hemang Doshi YouTube CISA prep — community gold standard, free
- Sailor.sh CISA mock exam bundle — realistic, domain-aligned practice questions
Salary Impact
CISA is consistently among the top-paid IT certifications:
- US average: $115K–$180K for “IT auditor / IT risk + CISA”
- UK average: £65K–£110K
- India average: ₹18L–₹35L
CISA is often a requirement for senior internal audit IT specialist, Big 4 IT audit senior/manager, and SOX IT controls lead roles.
CISA vs. Other Senior Audit/Governance Certs
| Certification | Provider | Cost | Focus | Validity |
|---|---|---|---|---|
| CISA | ISACA | $760 | IT audit and assurance | 3 years |
| CISSP | (ISC)² | $749 | Broad security management | 3 years |
| CISM | ISACA | $760 | Security management | 3 years |
| CRISC | ISACA | $760 | IT risk management | 3 years |
| CGEIT | ISACA | $760 | IT governance | 3 years |
CISA is the most-recognized audit-specific credential globally. Many senior auditors stack CISA + CISM or CISA + CRISC.
Most Common Reasons People Fail
- Technical-engineer mindset. Right answers reflect audit independence and evidence-based reasoning.
- Skipping ISACA QAE. ISACA’s own question bank is the closest match for real exam style; alternatives must be of similar quality.
- Domain 4 + 5 under-prep. Together they’re 52% of the exam.
- Memorizing frameworks without applying them. COBIT and ISO standards appear in scenarios, not direct recall.
- Booking too early. CISA rewards 4–6 months of slow absorption.
Renewal: 120 CPE Hours Over 3 Years
CISA requires 120 CPE hours over 3 years (at least 20 per year) plus an annual maintenance fee. CPEs come from training, conferences, ISACA chapter events, writing, and presentations.
After You Pass
Strong next moves:
- CISM (Certified Information Security Manager): security-management complement
- CRISC (Certified in Risk and Information Systems Control): risk-focused complement
- CGEIT (Certified in the Governance of Enterprise IT): governance-focused complement
- CISSP: broader security credibility
- Cloud audit angle: AWS Security Specialty, AZ-500, or CCSP
Frequently Asked Questions
Q: Can I take CISA without 5 years of experience? A: Yes. You can pass the exam and apply for certification once you accumulate the required experience (within 5 years of passing).
Q: Is CISA harder than CISSP? A: Both are hard but in different ways. CISA is more focused on audit/assurance; CISSP is broader security. Most candidates find CISA shorter to study for than CISSP.
Q: How long should I prepare? A: 4–6 months for working IT auditors. 6+ months if you’re transitioning into audit from another IT discipline.
Q: Can I take CISA online? A: Yes — ISACA offers remote proctored CISA via PSI, in addition to test centers.
Q: What’s the most important study material? A: ISACA’s CISA Review Manual + QAE database is the canonical pairing. Supplement with realistic practice like Sailor.sh’s CISA mock exam bundle.
Q: Does CISA expire? A: Yes, after 3 years. 120 CPE hours and annual maintenance fees keep it active.
Ready to Start?
CISA is one of the highest-ROI specialized certifications in IT — and it remains durable across audit, risk, compliance, and security careers. Spend 4–6 months absorbing the CISA Review Manual, training the auditor mindset, and drilling realistic scenarios.
Take a free CISA practice test on Sailor.sh to identify weak domains, then work the full CISA mock exam bundle until you consistently score 85%+ across all five job-practice domains.