How much does the CISA exam cost in 2026?

The 2026 CISA exam costs $575 for ISACA members and $760 for non-members. ISACA membership is $135 per year plus a $50 one-time application fee, so joining to get the exam discount costs roughly the same as paying the non-member fee outright, but members also get discounted study materials and CPE resources. There is a separate $50 CISA application processing fee when you submit your experience verification after passing.

What is the passing score for CISA?

CISA uses a scaled scoring system from 200 to 800, with 450 as the passing score. Because ISACA uses equated scaling across exam forms, there is no fixed percentage of correct answers that guarantees a pass, but most training providers estimate that 65-70% correct is roughly equivalent to a 450 scaled score. You receive a preliminary pass/fail result immediately after completing the exam, with the official score confirmed within 10 business days.

How many questions are on the CISA exam and how long is it?

The CISA exam has 150 multiple-choice questions with a 4-hour time limit. That works out to roughly 1 minute 36 seconds per question. Questions are a mix of straightforward knowledge checks, scenario-based audit decisions, and "best answer" questions where all options look plausible and you must pick the one most aligned with audit principles. All questions are weighted equally for scoring.

What are the 5 CISA domains in 2026?

The 2026 CISA Job Practice has 5 domains: Domain 1 - Information System Auditing Process (18%), Domain 2 - Governance and Management of IT (18%), Domain 3 - Information Systems Acquisition, Development and Implementation (12%), Domain 4 - Information Systems Operations and Business Resilience (26%), and Domain 5 - Protection of Information Assets (26%). Domains 4 and 5 together make up 52% of the exam and should get the most study time.

Do I need 5 years of experience to take the CISA exam?

No — you can sit for the CISA exam at any time. The 5-year experience requirement only applies when you submit your application to become certified. You have 5 years from the date you pass the exam to verify your experience. Substitutions are available: a bachelor’s degree waives 1 year, a master’s in information systems waives another year, and certifications like CISM, CISSP, CA, CPA, or two years as a full-time university instructor in a related field can waive additional experience up to a maximum of 3 years.

Is CISA harder than CISSP?

CISA and CISSP test different skill sets. CISSP is broader and more management-focused across 8 domains of security practice. CISA is narrower but deeper on audit methodology, control frameworks, and evidence-based thinking. Most candidates find CISSP harder to prepare for because of its scope, but CISA harder to pass on exam day because of its strict auditor mindset — you must pick the most auditable answer, not the most secure or most technical one. Pass rates for both hover around 50-60% for first-time takers.

What is the CISA pass rate?

ISACA does not publish official CISA pass rates. Industry-reported first-time pass rates cluster around 50-60%, with candidates who use the official ISACA CISA Review Manual plus a question bank of 1,000+ practice items reporting success rates closer to 70-75%. The exam is considered moderately difficult — not because the content is obscure, but because the questions force you to think like an independent auditor rather than a security practitioner.

How long should I study for CISA?

Most candidates need 100-200 hours of focused study, typically spread over 12-16 weeks. Experienced IT auditors with 3+ years of control-testing background can prepare in 8-10 weeks at 10 hours/week. Security professionals or developers pivoting into audit usually need 16-20 weeks to internalize the ISACA IT Audit Framework (ITAF) and the auditor-centric way of answering questions. Plan to spend the final 2-3 weeks exclusively on practice questions and full-length mock exams.

How do I maintain my CISA certification after passing?

CISA certification is valid for 3 years. To maintain it, you must complete 120 Continuing Professional Education (CPE) hours during each 3-year cycle with a minimum of 20 CPEs per year. You must also pay an annual maintenance fee of $45 for ISACA members or $85 for non-members, adhere to the ISACA Code of Professional Ethics, and comply with ISACA’s Information Systems Auditing Standards. CPEs can come from ISACA webinars, conferences, university courses, self-study, and teaching or writing on relevant topics.

Is CISA worth it in 2026?

For IT auditors, compliance professionals, and anyone working in SOX, PCI-DSS, HIPAA, or ISO 27001 environments, CISA remains one of the highest-ROI certifications in 2026. The growth of cloud governance, AI audit requirements, privacy regulation, and continuous controls monitoring has increased demand for certified auditors. Big 4 firms (Deloitte, PwC, EY, KPMG) list CISA as preferred or required for audit manager roles, and ISACA’s 2024 salary data shows a 20-25% premium for certified professionals. The combined exam plus first-year membership cost of roughly $760 typically pays back within the first year through either a promotion, a raise, or eligibility for higher-paying audit roles.

CISA Exam Guide 2026: FREE ISACA Practice + 16-Week Plan

CISA in 2026: The Only Guide You Need

The ISACA CISA (Certified Information Systems Auditor) is the world's most recognized credential for IT audit, control, and assurance professionals. Over 175,000 people hold it, and in 2026 it is more relevant than ever — SOX compliance, PCI-DSS 4.0, ISO 27001:2022, new AI governance rules, and cloud-heavy environments have created a shortage of qualified auditors.

This guide is built to beat every other CISA resource on the web. It covers the 2026 exam at full depth: cost, format, eligibility, the 5 Job Practice Domains, a 16-week study plan, pass rates, salary data, and exam-day strategy. Every detail was cross-referenced against isaca.org/credentialing/cisa and the 28th edition CISA Review Manual.

free CISA practice questionsPractice questions with detailed explanations

CISA Exam At-a-Glance (2026)

Detail	Information
Certification Body	ISACA (Information Systems Audit and Control Association)
Exam Delivery	PSI Services — online proctored OR PSI test center
Questions	150 multiple-choice
Duration	4 hours (240 minutes)
Passing Score	450 on a 200-800 scaled scale
Cost	$575 ISACA member / $760 non-member
Application Fee	$50 one-time (after passing)
Languages	English, Chinese (Simplified), French, German, Italian, Japanese, Korean, Spanish, Turkish
Experience Requirement	5 years IS audit/control/security (substitutions up to 3 years)
Experience Window	5 years from passing to verify and certify
Validity	3 years, renewable
CPE Requirement	120 CPE hours every 3 years (minimum 20/year)
Annual Maintenance Fee	$45 member / $85 non-member
Exam Windows	Continuous testing, book any day of the year
Retake Policy	90-day cool-down, max 4 attempts per 12 months

FREE CISA Prep: Practice Before You Pay

Before committing to the $760 non-member fee, prove to yourself that you can actually pass. The biggest mistake CISA candidates make is buying a $400 review course, cramming for 3 months, and then failing because they never tested themselves under real exam conditions.

Our free CISA practice question bank covers all 5 domains with ISACA-style questions that emphasize the "best answer" approach — the defining characteristic of the CISA exam. Every question includes a detailed explanation of why the correct answer is correct, why the distractors are wrong, and which domain concept the question tests.

Start CISA practice questions nowPractice questions with detailed explanations

What the CISA Is — and the 2026 Context That Makes It Hotter Than Ever

CISA was created by ISACA in 1978 and has been continuously updated. The certification validates your ability to audit, assess, control, and provide assurance over an organization's information systems. In plain terms: if a company depends on IT — and every company now does — someone has to independently verify that the systems are reliable, that data is accurate, that controls are working, and that the organization is meeting its regulatory obligations. That someone is usually a CISA.

The 2026 IT Audit Market

Three forces have made 2026 a breakout year for IT audit demand:

1. SOX 404 remains the bedrock. Every US-listed public company must annually attest to the effectiveness of its internal control over financial reporting (ICFR). Most of those controls are IT general controls (ITGCs) or application controls — access provisioning, change management, computer operations, and data integrity. PCAOB inspections of audit firms have hammered on IT general controls every year since 2019, and CISA-credentialed staff are the standard firm answer.

2. PCI-DSS 4.0 is now enforced. The Payment Card Industry Data Security Standard 4.0 became mandatory on March 31, 2025, replacing 3.2.1. It introduced customized approach implementations, targeted risk analyses, and a significantly stronger emphasis on authentication, logging, and script management. Every merchant, service provider, and auditor needs people who understand how to audit against the 12 requirements and 64 sub-requirements.

3. AI governance is now an audit domain. In 2024-2026, the EU AI Act, the NIST AI Risk Management Framework (AI RMF 1.0), ISO/IEC 42001:2023 (AI Management Systems), and SEC climate-and-AI disclosure rules have created a new layer of controls that auditors must evaluate. ISACA released the AAIA (Advanced in AI Audit) credential in 2024, but the foundational audit mindset being tested is still CISA. Organizations that need AI model inventories, training-data lineage controls, bias-testing procedures, and continuous-monitoring mechanisms are turning to CISA-certified auditors first.

Add PCI-DSS 4.0, SOX 404, HIPAA, GDPR, CCPA, NYDFS Part 500, and NIST CSF 2.0 to the mix and the demand curve is steep. ISACA's 2024 State of IT Audit report found that 62% of organizations have open IT audit positions they cannot fill and that salaries for certified IT auditors grew 8.4% year-over-year.

Who Should Take CISA

CISA is a credential for people who make audit, control, or assurance decisions about IT systems. The sweet spot is 2-5 years of experience in one of these roles:

Role	Why CISA Fits
IT Auditor	This is the canonical CISA role — it is literally in the name.
Big 4 Audit Staff / Senior	Deloitte, PwC, EY, and KPMG require CISA for promotion to audit manager in their Risk Assurance / Assurance Technology practices.
Internal Audit (IT specialty)	Corporate internal audit departments running ITGC testing, application reviews, and SOX compliance.
SOX Compliance Analyst	If you spend your days testing access controls, change management, and backup procedures, CISA codifies your work.
Security Manager / GRC Analyst	Anyone writing policies, testing controls, or interfacing with external auditors benefits from the audit lens CISA teaches.
IT Risk Analyst	CRISC is the deeper risk credential, but CISA is the common prerequisite for risk roles that also involve audit.
IT Consultants	Advisory consultants delivering SOC 1, SOC 2, or ISO 27001 engagements lean on CISA daily.
Security Engineers Moving into Governance	Technical folks pivoting toward CISO-track roles use CISA as the bridge credential.

CISA is not the right first cert for:

Pure pentesters / red team — look at OSCP, OSEP, or CEH instead.
Entry-level IT help desk — start with CompTIA A+, Network+, Security+.
Software developers who want a security bent — CSSLP or GSSP is a better match.
Project managers who want IT governance depth — CGEIT is closer, CISA is auxiliary.

Eligibility & the 5-Year Experience Rule

Here is the part most candidates get confused about: you do not need 5 years of experience to sit for the exam. You need 5 years of experience to become CISA-certified after you pass. And you have 5 years from the exam date to submit the paperwork.

The Experience Requirement

To earn the CISA, you need 5 years of professional experience in information systems auditing, control, or security. Experience must have been gained within the 10-year period preceding application, or within 5 years after passing the exam.

Substitutions (Up to 3 Years)

Substitution	Years Waived
Bachelor's degree (any field, from an accredited institution)	1 year
Master's degree in information security or information technology	1 year
2-year associate degree	1 year (max combined with bachelor's)
Full-time university instructor (2 years teaching in a related field)	1 year per 2 years of teaching
Holding CISM, CISSP, or CA / CPA / CIA	2 years
One year of IS experience OR one year of non-IS audit experience	1 year

The maximum substitution is 3 years — meaning every candidate must have at least 2 years of verifiable hands-on IS audit, control, or security work.

The Experience Verification Process

After you pass the exam, you have 5 years to:

Complete the CISA application (submit online via your ISACA account).
Pay the $50 application processing fee.
List your relevant experience with employer names, dates, job responsibilities, and a verifier (typically your supervisor or HR contact).
Wait 4-8 weeks for ISACA to review your application and verify with your listed contacts.
Receive your certification number and digital badge.

If you do not apply within 5 years, your passing score expires and you must retake the exam.

The 5 CISA Job Practice Domains (2026 Weights)

ISACA's CISA Job Practice was refreshed in 2024 and remains in effect for 2026. The 5 domains and their weights are:

#	Domain	Weight	Question Count (approx)
1	Information System Auditing Process	18%	27
2	Governance and Management of IT	18%	27
3	Information Systems Acquisition, Development and Implementation	12%	18
4	Information Systems Operations and Business Resilience	26%	39
5	Protection of Information Assets	26%	39
	Total	100%	150

Domains 4 and 5 together are 52% of the exam. If you prioritize study time incorrectly, this is where you lose points.

Domain 1 — Information System Auditing Process (18%)

Domain 1 is the CISA's philosophical foundation. You cannot pass without internalizing the ISACA audit methodology.

Core Topics

Topic	What You Must Know
Audit Planning	Risk-based audit planning, annual audit plan development, engagement planning, scoping
Risk-Based Audit Approach	Identifying inherent risk, control risk, and detection risk; setting materiality
ISACA IT Audit Framework (ITAF)	The 3-tier ITAF structure: General Standards (1000s), Performance Standards (1200s), Reporting Standards (1400s); Guidelines (2000s); Tools and Techniques (4000s)
Audit Evidence	Sufficient vs appropriate evidence, relevance, reliability, types of evidence (documentary, testimonial, analytical, physical)
Sampling	Statistical vs judgmental; attribute sampling (control testing) vs variable sampling (substantive testing); stop-or-go, discovery, monetary unit sampling
CAATs (Computer-Assisted Audit Techniques)	Generalized audit software (ACL, IDEA), test data, integrated test facility, parallel simulation, embedded audit modules, continuous auditing
Data Analytics in Audit	Descriptive, diagnostic, predictive, prescriptive; data visualization; full-population analysis vs sampling
Fraud Detection	Red flags, Benford's Law, segregation-of-duties testing, fraud triangle (pressure, opportunity, rationalization)
Audit Reporting	Report structure, management letters, communication of findings, distribution
Quality Assurance and Improvement Program (QAIP)	Internal assessment, external assessment at least every 5 years, peer review
Engagement Documentation	Workpapers, retention, electronic workpaper systems, confidentiality

Where Candidates Lose Points

The trap in Domain 1 is picking the most thorough answer when ISACA wants the most appropriate answer given audit constraints. Example:

A company has 40,000 employee access-right records. The auditor wants to test whether terminated employees still have active accounts. What is the BEST approach?

A) Manually sample 50 accounts B) Use CAATs to run full-population analysis joining the HR termination table against active directory C) Ask the IT manager for a list D) Interview the security team about their offboarding process

The correct answer is B. Full-population analysis is now feasible, it is more efficient than sampling, and it is more reliable than inquiry. ISACA has steadily shifted toward data analytics answers since 2019.

Domain 2 — Governance and Management of IT (18%)

Domain 2 is where non-auditors often struggle because it is not technical — it is strategic. This domain is thick with frameworks, policies, and organizational structures.

Core Topics

Topic	What You Must Know
IT Strategy Alignment	How IT strategy supports business strategy; IT steering committees
COBIT 2019	The 6 governance principles, 5 governance objectives (EDM domain) and 35 management objectives (APO/BAI/DSS/MEA domains) — 40 total, the goals cascade, performance management (CMMI-based capability levels 0-5), design factors
Governance vs Management (EDM vs PBRM)	Evaluate-Direct-Monitor (governance) vs Plan-Build-Run-Monitor (management) — a COBIT 2019 cornerstone
IT Policies, Standards, and Procedures	Policy hierarchy, who approves what, exception management
Organizational Structures	CIO, CISO, CRO, CCO reporting lines; independence requirements; segregation of duties at the org level
Enterprise Architecture (EA)	TOGAF, Zachman framework; how EA enables governance
Balanced Scorecard (BSC)	Four perspectives: financial, customer, internal process, learning and growth; IT BSC variant
Risk Management	ISO 31000, NIST RMF, FAIR; inherent vs residual risk; risk register
Portfolio, Program, and Project Management	PMO structures; portfolio (run the business vs change the business), program (related projects), project (specific deliverable)
Human Resource Management	Background checks, onboarding, job rotation, mandatory vacation, training, separation of duties
Sourcing Strategies	In-house, outsourcing, offshoring, cloud; vendor management; SOC reports (SOC 1/2/3, Type I/II)
Compliance Management	Regulatory mapping, compliance reviews, third-party attestations

High-Yield: COBIT 2019 Goals Cascade

This gets tested almost every exam. Memorize the chain:

Stakeholder Drivers/Needs → Enterprise Goals → Alignment Goals → Governance/Management Objectives.

There are 13 Enterprise Goals and 13 Alignment Goals in COBIT 2019, mapped across the four BSC perspectives (financial, customer, internal, learning & growth).

Domain 3 — Information Systems Acquisition, Development and Implementation (12%)

The smallest domain in the exam, but still 18 questions on your form. Domain 3 covers how systems are built or bought and how auditors evaluate each phase.

Core Topics

Topic	What You Must Know
SDLC Models	Waterfall, iterative, spiral, incremental, prototyping, Agile (Scrum, Kanban, XP), DevOps, DevSecOps
Project Management Methods	PMI PMBOK, PRINCE2, Agile; project management vs product management
Business Case Development	Cost-benefit analysis, ROI, NPV, payback period; benefits realization
Feasibility Study	Technical, operational, economic, schedule, legal feasibility
Requirements Definition	Functional vs non-functional requirements; traceability matrix
Design Phase	Logical vs physical design; data models; UI/UX design
Development Controls	Separation of environments (dev/test/prod); code review; static/dynamic application security testing (SAST/DAST)
Testing Phases	Unit, integration, system, regression, performance, load, stress, user acceptance testing (UAT)
Implementation/Migration Approaches	Big bang, phased, parallel, pilot; fallback planning
Change Management	Change advisory board (CAB), emergency changes, standard changes, post-implementation review
Post-Implementation Review (PIR)	Lessons learned, benefit realization, user satisfaction
Acquisition	RFI (request for information), RFP (request for proposal), RFQ (request for quotation); evaluation criteria; contracts and SLAs
Configuration Management	CMDB, baselines, version control

Migration Approach Cheat Sheet (Frequently Tested)

Approach	Risk	When to Use
Big Bang	Highest	Small systems, can tolerate downtime
Phased	Medium	Complex systems rolled out module-by-module or site-by-site
Parallel	Lowest	Mission-critical systems; old and new run simultaneously
Pilot	Low-Medium	Test with a subset of users before full rollout

Exam tip: If the question mentions "highest risk tolerance" or "least risk," the answer is almost always parallel. If it says "least costly," the answer is typically big bang.

Domain 4 — Information Systems Operations and Business Resilience (26%)

Domain 4 is tied for the largest domain and covers two big areas: how IT operations run day-to-day, and how the business survives disruption.

4A — IT Operations

Topic	What You Must Know
Job Scheduling	Batch vs real-time; job dependencies; scheduling tools (Control-M, AutoSys); error handling
IT Service Management (ITIL 4)	Service value system; service value chain (plan, improve, engage, design & transition, obtain/build, deliver & support)
Incident Management	Detection, logging, categorization, prioritization, resolution; SLAs
Problem Management	Root cause analysis, known errors, problem vs incident distinction
Change Management (Operations)	Standard/normal/emergency changes; CAB; back-out plans
Capacity and Performance Management	Trend analysis, performance baselines, capacity forecasting
Monitoring	System monitoring, application performance monitoring (APM), log management
IT Asset Management (ITAM)	Hardware and software asset inventories; license management; disposal
Database Management	DBMS types (relational, NoSQL, hierarchical, network); backup and recovery; ACID properties
Middleware and APIs	Application integration; API security; ESB
Virtualization	Hypervisors (Type 1 vs Type 2); VM sprawl; VM isolation
Cloud Computing	IaaS/PaaS/SaaS; public/private/hybrid/community; NIST SP 800-145
Network Management	Network monitoring, SNMP, NetFlow; network segmentation

4B — Business Resilience

Topic	What You Must Know
Business Impact Analysis (BIA)	Identify critical business processes, quantify impact over time, determine recovery priorities
Business Continuity Plan (BCP)	Plan structure, activation criteria, roles, communication
Disaster Recovery Plan (DRP)	IT-focused recovery procedures; subset of BCP
RTO, RPO, MTD, WRT	Recovery Time Objective, Recovery Point Objective, Maximum Tolerable Downtime, Work Recovery Time
High Availability Architectures	Active-active, active-passive, clustering, load balancing
Backup Strategies	Full, incremental, differential; 3-2-1 rule; immutable/air-gapped backups (anti-ransomware)
DR Sites	Hot (RTO minutes-hours, most expensive), warm (RTO hours-1 day, mid cost), cold (RTO 1+ weeks, cheapest)
Testing DR/BCP	Checklist, walkthrough, tabletop, parallel, full interruption

RTO/RPO Cheat Sheet

RTO (Recovery Time Objective): How fast must we restore? Drives DR site choice and backup frequency.
RPO (Recovery Point Objective): How much data can we afford to lose? Drives backup frequency and replication.
MTD (Maximum Tolerable Downtime): The business-defined absolute maximum. RTO must be less than MTD.
WRT (Work Recovery Time): Time to make the system usable after the technical RTO is met (data validation, user communication, etc.). MTD = RTO + WRT.

Domain 5 — Protection of Information Assets (26%)

Domain 5 is tied with Domain 4 as the largest and covers the security body of knowledge an auditor must understand to evaluate controls.

Core Topics

Topic	What You Must Know
Information Security Frameworks	NIST CSF 2.0 (6 functions: Govern, Identify, Protect, Detect, Respond, Recover), ISO 27001/27002, CIS Controls v8
Privacy	GDPR (EU), CCPA/CPRA (California), HIPAA, PIPEDA, LGPD; data subject rights; data controller vs processor
Data Classification and Handling	Public, internal, confidential, restricted; data owners and custodians; labeling
Identity and Access Management (IAM)	Identity lifecycle, provisioning/deprovisioning, access reviews
IAM Subdomains	IGA (Identity Governance and Administration), PIM (Privileged Identity Management), PAM (Privileged Access Management), SSO, federation (SAML, OIDC, OAuth 2.0)
Authentication Factors	Something you know (password), something you have (token), something you are (biometric); MFA
Encryption	Symmetric (AES, 3DES), asymmetric (RSA, ECC), hashing (SHA-256, SHA-3, bcrypt, Argon2); message digests
Public Key Infrastructure (PKI)	Certificate authorities, registration authorities, CRL vs OCSP, digital certificates
Network Security	Firewalls (packet-filtering, stateful, next-gen, WAF), IDS/IPS (signature vs anomaly), SIEM, NAC, VPNs
Endpoint Security	Anti-malware, EDR/XDR, DLP, host-based firewalls
Email Security	SPF, DKIM, DMARC; email gateways; phishing defenses
Wireless Security	WPA3, WPA2-Enterprise (802.1X/EAP), rogue AP detection
Physical Controls	Preventive, detective, corrective; mantraps, biometrics, CCTV, HVAC
SDLC Security	Security requirements, threat modeling (STRIDE, DREAD), secure coding standards (OWASP)
DevSecOps	Shift-left security, SAST/DAST/IAST, SCA, container scanning, IaC scanning
Penetration Testing	Black box, gray box, white box; internal vs external; rules of engagement
Vulnerability Management	CVSS scoring, patch management, prioritization, remediation SLAs
Incident Response	SANS 6-step (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned)
Forensics	Chain of custody, evidence preservation, imaging, hash validation, write blockers
Cloud Security	Shared responsibility model (varies by service model: IaaS/PaaS/SaaS); CASB; CSPM; CWPP

Incident Response: The 6 Phases (SANS)

Preparation — Policies, team, tools, training.
Identification — Detect and confirm an incident.
Containment — Short-term (isolate affected system) and long-term (rebuild).
Eradication — Remove the root cause (malware, compromised account).
Recovery — Restore systems, monitor for recurrence.
Lessons Learned — Post-incident review, update procedures.

NIST SP 800-61r2 uses 4 phases (Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity) — both models are testable.

Cross-Domain High-Yield: The Control Concepts Every Question Leans On

These concepts cut across every domain and show up in 20-30% of questions.

Control Classifications by Objective

Type	Purpose	Examples
Preventive	Stop incidents before they happen	Firewalls, access controls, segregation of duties, encryption
Detective	Identify incidents that have occurred	Logs, IDS, audit trails, CCTV, reconciliation
Corrective	Restore after an incident	Backups, incident response, patches, fire suppression
Deterrent	Discourage threats	Warning signs, legal notices, visible cameras
Compensating	Alternate control when the primary one cannot be implemented	Manual review when automated segregation is infeasible

Control Classifications by Nature

Administrative (Managerial): Policies, procedures, standards, training.
Technical (Logical): Firewalls, encryption, access control lists.
Physical: Locks, cameras, fences, guards.

Segregation of Duties (SoD)

The principle that no single individual should control all phases of a transaction. The classic trio: authorization, custody, recordkeeping. When segregation is not feasible (e.g., small teams), implement compensating controls: supervisory review, detailed logging, mandatory vacation, job rotation.

Risk Treatment (ISO 31000 / NIST)

Option	Description	Example
Mitigate (Modify)	Implement controls to reduce risk	Add MFA to reduce account takeover risk
Accept (Retain)	Take no action; document and monitor	Accept a low-impact risk because control cost exceeds benefit
Transfer (Share)	Shift to a third party	Buy cyber insurance, outsource to SOC-2-compliant vendor
Avoid	Eliminate the activity causing the risk	Discontinue a product line with unmanageable risk

COBIT 2019 Fundamentals (Deep Dive)

If you only study one framework beyond ITAF, study COBIT 2019. ISACA publishes it, ISACA tests it, and Domain 2 leans on it heavily.

The 6 Governance System Principles

Provide stakeholder value
Holistic approach
Dynamic governance system
Governance distinct from management
Tailored to enterprise needs
End-to-end governance system

The 3 Governance System Components Layers

Governance Objectives (5): Evaluate, Direct, Monitor
Management Objectives (35): Aligned to Plan-Build-Run-Monitor
Total: 40 objectives across 5 domains (EDM, APO, BAI, DSS, MEA)

The 5 COBIT Domains

Domain	Full Name	Focus
EDM	Evaluate, Direct, and Monitor	Governance — 5 objectives
APO	Align, Plan, and Organize	Strategy and planning — 14 objectives
BAI	Build, Acquire, and Implement	Development and implementation — 11 objectives
DSS	Deliver, Service, and Support	Operations — 6 objectives
MEA	Monitor, Evaluate, and Assess	Assurance and compliance — 4 objectives

The Goals Cascade (Memorize the Order)

Stakeholder Drivers and Needs → Enterprise Goals → Alignment Goals → Governance/Management Objectives

Enterprise goals are grouped by the 4 Balanced Scorecard perspectives. Alignment goals connect enterprise value to IT capability.

CISA Pass Rate & Difficulty Reality Check

ISACA does not publish official pass rates. Here is what we know from surveys, training providers, and candidate forums:

Source	Reported First-Time Pass Rate
Gleim CISA Review (2024 customer survey)	87% (self-selected study-committed users)
HOCK International	80%+ (among full-course completers)
Reddit r/CISA candidate self-reports	55-65%
Industry average across all candidates	~50-60%
Retakers using official Review Manual + QAE DB	75-80%

Why the range? First-time pass rates depend heavily on:

Study materials used — candidates using the official ISACA CISA Review Manual plus the ISACA QAE database significantly outperform those who only watch YouTube.
Practice question volume — candidates who answer 1,000+ practice questions pass at roughly 2x the rate of those who answer under 300.
Experience background — working IT auditors pass at higher rates than career changers.
Mindset adjustment — the #1 reason experienced security professionals fail CISA on the first try is failing to shift from a "secure the system" mindset to an "audit the system" mindset.

Plan on 100-200 hours of study, and do not schedule the exam until you are consistently scoring 75%+ on practice exams taken under timed conditions.

FREE Practice, Round 2

Practice is what separates the 50% who pass from the 50% who don't. Before we get to the study plan, make sure you have your practice environment ready.

Start practicing nowPractice questions with detailed explanations

16-Week CISA Study Plan (Most Candidates)

This plan assumes 10 hours per week. Scale up or down based on your schedule.

Weeks 1-2: Orientation and Domain 1 Foundation

Read the ISACA CISA Review Manual Chapter 1 (Domain 1).
Watch Prabh Nair's free Domain 1 YouTube series.
Review ITAF structure: 1000/1200/1400/2000/4000 sections.
Practice: 50 Domain 1 questions. Review every incorrect answer.

Weeks 3-4: Domain 2 — Governance and Management of IT

Read Chapter 2 of the Review Manual.
Dedicate 2 hours to COBIT 2019: memorize the 5 domains (EDM, APO, BAI, DSS, MEA), the 40 objectives, and the goals cascade.
Practice: 75 Domain 2 questions. Write one-page summary of COBIT.

Weeks 5-6: Domain 3 — IS Acquisition, Development, Implementation

Read Chapter 3.
Build SDLC comparison table (Waterfall, Agile, DevSecOps).
Memorize migration approaches and their risk/cost trade-offs.
Practice: 50 Domain 3 questions.

Weeks 7-9: Domain 4 — IS Operations and Business Resilience (BIG DOMAIN)

Read Chapter 4 — this is the longest chapter.
Week 7: IT operations (ITIL 4, incident/problem/change, capacity, monitoring, ITAM).
Week 8: Databases, virtualization, cloud, network management.
Week 9: Business resilience — BIA, BCP, DRP, RTO/RPO/MTD, backup strategies, DR sites.
Practice: 150 Domain 4 questions across the three weeks.

Weeks 10-12: Domain 5 — Protection of Information Assets (BIG DOMAIN)

Read Chapter 5.
Week 10: Frameworks (NIST CSF 2.0, ISO 27001/2, CIS v8) + privacy (GDPR, CCPA).
Week 11: IAM, encryption, PKI, network security, endpoint, email, wireless.
Week 12: SDLC security, DevSecOps, pen testing, vulnerability management, incident response, forensics, cloud security.
Practice: 150 Domain 5 questions across the three weeks.

Weeks 13-14: Full-Length Practice Exams + Weakness Targeting

Take 2 full 150-question timed practice exams.
After each, spend 8 hours analyzing wrong answers.
Re-study weak domains.

Week 15: Final Mock Exams

Take 2 more full mock exams in 4-hour blocks, ideally at the same time of day you will sit the real one.
Target: consistent 75%+ scores.
Final review of high-yield flashcards (COBIT, ITAF, RTO/RPO, sampling types, control classifications).

Week 16: Taper Week

Light review only — no new material.
1 final mock exam on Day 2 of this week.
Day 6: rest.
Day 7: exam day.

Recommended Resources (Free-First)

Free

Resource	Why
ISACA Official Exam Candidate Guide (PDF, free from isaca.org)	Authoritative source for 2026 exam policies
Prabh Nair YouTube channel	The gold standard of free CISA video content — 100+ hours of domain videos
OpenExamPrep free CISA practice questions	Free ISACA-style questions with AI tutor explanations — start here
ISACA Free Webinars	Monthly free webinars count as CPE later and are great intro content
r/CISA subreddit	Candidate trip reports and current-week study updates

Paid (Only After Exhausting Free)

Resource	What It Is	Who Should Buy
ISACA CISA Review Manual, 28th Edition	The official prep book. 650+ pages.	Every candidate. Non-negotiable.
ISACA QAE Database (Questions, Answers, Explanations)	1,000+ official practice questions, digital version with analytics	Every candidate. The single highest-ROI paid resource.
Wiley CISA Review, 27th Edition (Peter Gregory)	Alternative textbook with slightly different writing style	Candidates who find the Review Manual dense
Hemang Doshi’s CISA Absolute Guide	Concise, high-yield summary guide	Final 4-week review; not a primary text
Gleim CISA Review	Complete course with question bank	Candidates who want maximum structure
HOCK International CISA	Video-heavy course with strong QA	Candidates who learn by video
Cybrary CISA Course	Video course at a lower price point	Budget-conscious candidates
Pearson IT CISA Cert Guide	Alternative textbook format	Candidates who want a third reference

The lean budget stack: Official Review Manual ($139 member) + ISACA QAE 12-month subscription ($299 member) + free practice + Prabh Nair YouTube. Total: under $500, covers everything.

Exam-Day Strategy: The 4-Hour Stamina Game

The CISA is a stamina exam. 150 questions in 240 minutes is 1 minute 36 seconds each, but the real challenge is sustaining sharp judgment across 4 hours. Here is the playbook.

Pacing

Minute 0-80: Answer questions 1-50. If any question takes more than 90 seconds, flag it and move on.
Minute 80-160: Answer questions 51-100. Same rule.
Minute 160-220: Answer questions 101-150.
Minute 220-240: Revisit flagged questions. Do not change an answer unless you have a concrete reason — first instincts are correct ~75% of the time.

The Question Type Identification Drill

Every CISA question falls into one of three archetypes. Identify which before you answer:

Archetype	Signal	Strategy
Knowledge Check	"Which of the following is defined as..."	Pick the definition. Move fast.
Scenario / Best Answer	A 3-5 sentence paragraph ending with "What is the BEST action for the auditor?"	Identify the role (auditor vs manager), phase of audit, and control objective. Rule out technical-only answers.
Most / Least / First / Next	"Which should the auditor do FIRST?" / "Which is the GREATEST concern?"	Read every option — all may be plausible. Pick based on audit sequencing (planning → fieldwork → reporting) or risk magnitude.

The Elimination Engine

For the hard questions, eliminate in this order:

Eliminate technical-only answers — CISA tests audit judgment, not technical execution.
Eliminate answers that skip governance — if an option bypasses management approval, it is usually wrong.
Eliminate absolutes — "always," "never," "all" are usually wrong.
Eliminate answers that ignore independence — auditors never implement controls or take management actions.
Choose the answer that an independent auditor would report to the audit committee.

Working-Memory Conservation

Do NOT go back and re-read passages multiple times. Read once, decide, move on.
Skip questions you can feel will eat 3+ minutes — flag and return.
Hydrate. PSI allows water at test centers (check per-site rules).
If online-proctored: set up a quiet room, close all other apps, test the webcam, and keep your government ID ready.

Cost Breakdown, Retake Policy & Recertification

Total First-Year Cost

Item	ISACA Member	Non-Member
Exam fee	$575	$760
ISACA membership (optional)	$135 + $50 one-time	n/a
Application processing fee (after passing)	$50	$50
Annual maintenance fee	$45	$85
Year 1 Total (minimum path)	$855	$895

Membership mathematics: joining costs $185 first year ($50 application + $135 dues) and saves you $185 on the exam fee ($760 - $575 = $185). You break even in year 1 and win in year 2+ via lower maintenance fees and discounted resources.

Retake Policy

After a failed attempt, wait 90 days before retesting.
Maximum 4 attempts per 12-month period.
You pay the full exam fee on each retake.

Recertification (3-Year Cycles)

120 CPE hours per 3-year cycle.
Minimum 20 CPE hours per year — you cannot back-load everything into year 3.
Annual maintenance fee: $45 member / $85 non-member.
Adhere to the ISACA Code of Professional Ethics and the Information Systems Auditing Standards.
ISACA audits approximately 10% of certificants each year — keep documentation of every CPE.

CPE activities include ISACA chapter meetings, webinars, conferences, vendor training, university courses, teaching, writing articles, and serving on ISACA committees.

Salary & Career: What a CISA Actually Earns

ISACA's 2024 State of IT Audit report and US BLS data converge on these numbers for 2026:

Role	CISA Average Base Salary (US)
IT Auditor (Entry, 0-2 years)	$72,000 - $92,000
IT Auditor (Mid, 3-5 years)	$90,000 - $115,000
IT Audit Senior	$105,000 - $130,000
IT Audit Manager	$125,000 - $160,000
Director of IT Audit	$150,000 - $200,000
VP / Head of Internal Audit (IT)	$180,000 - $260,000+
SOX Compliance Analyst	$85,000 - $115,000
GRC Manager	$115,000 - $155,000
Big 4 Audit Senior (CISA-preferred)	$95,000 - $120,000
Big 4 Audit Manager (CISA-required)	$140,000 - $175,000

The CISA Premium

ISACA's survey and Robert Half's 2026 Salary Guide both show a 20-25% salary premium for CISA-certified professionals versus uncertified peers in the same role. The premium is highest in finance, healthcare, and government sectors — industries with the heaviest audit regulation.

Career Paths

Big 4 / Advisory path: Associate → Senior → Manager → Senior Manager → Partner. CISA typically required at Manager level.
Corporate internal audit path: IT Auditor → Senior → Manager → Director → VP/CAE.
GRC / compliance path: SOX Analyst → GRC Manager → Director of Compliance → CISO track.
Cybersecurity audit specialist: Add CISM or CRISC; can pivot into security advisory consulting.

Common Mistakes That Tank First-Time Candidates

Mistake #1: Picking "The Most Secure" Answer

CISA is an audit exam, not a security exam. The right answer is the one an independent auditor would recommend or observe — usually the one that improves evidence, transparency, or control testability, not the one that adds technical defenses.

Wrong: "Encrypt everything end-to-end." Right: "Evaluate whether encryption is implemented per policy and independently verify the key management process."

Mistake #2: Ignoring Evidence Sufficiency

When questions ask what the auditor should do when evidence is insufficient, the answer is almost always gather more evidence — never "escalate to management" or "qualify the report" as the first step.

Mistake #3: Confusing Compensating vs Corrective Controls

Compensating: An alternate control used when the primary control cannot be implemented (e.g., manager review when automation is infeasible).
Corrective: A control that restores after an incident (e.g., backups, patches, incident response).

These get confused constantly. Compensating is proactive substitution; corrective is reactive restoration.

Mistake #4: Auditor Independence Violations

Auditors never:

Implement the controls they audit.
Take management decisions.
Write policies they will later audit.
Sign off on remediation.

Any answer that has the auditor doing any of the above is wrong.

Mistake #5: Under-Practicing

100 practice questions is not enough. You need 1,000+ and you need them spread across timed, full-length sets in the final 3 weeks.

Mistake #6: Skipping the Manual

YouTube and courses summarize, but ISACA writes the exam off the Review Manual. If you skip it, you will miss wording nuances ("the MOST appropriate" vs "the BEST") that the exam leans on.

Mistake #7: Cramming Domains 4 and 5 Last

Candidates run out of time and end up rushing the two biggest domains (52% of the exam combined). Start Domain 4 by Week 7 of a 16-week plan — not Week 12.

Mistake #8: Treating Every Question as a Trap

Some questions really are straightforward definitions. Do not overthink — if an option clearly matches the textbook definition, pick it and move on.

CISA vs CISSP vs CISM vs CIA — And How to Stack

Cert	Body	Focus	Experience	Best For
CISA	ISACA	IT audit, control, assurance	5 years IS audit/control/security	IT auditors, compliance pros, SOX, Big 4
CISSP	ISC2	Security management (8 domains)	5 years in 2+ domains	Senior security engineers, CISOs
CISM	ISACA	Information security management	5 years info sec (3 in mgmt)	Security managers, CISOs
CIA	IIA	General internal audit	Varies by part, typically bachelor's + 2 years	Financial/ops auditors (less IT-focused)
CRISC	ISACA	IT risk management	3 years IT risk & control	Risk managers, control owners
CGEIT	ISACA	IT governance (executive)	5 years IT governance, 1 in leadership	CIOs, IT governance leaders
CDPSE	ISACA	Privacy engineering + assurance	3 years privacy + technical	Privacy engineers, DPOs with technical focus

Stacking Strategy

CISA + CISM: The classic ISACA pair. CISA for audit, CISM for management. One-year average acquisition gap. Both share ISACA membership benefits.
CISA + CISSP: Broadest combo. CISA for audit depth, CISSP for security breadth. Often seen in Big 4 and CISO-track professionals.
CISA + CIA: The "audit unicorn." Covers IT and financial audit. Most common in large internal audit departments.
CISA + CRISC: Audit plus risk. Common in enterprises with sophisticated risk functions.

Start with CISA if your work is primarily auditing IT systems. Start with CISM if you are managing a security program and will rarely audit. Start with CISSP if you are a senior security engineer heading into management.

Your Next Steps After CISA

Once you earn CISA, the natural follow-ups are:

CISM (Certified Information Security Manager) — if you want to move from auditing security into managing it.
CRISC (Certified in Risk and Information Systems Control) — if you specialize in IT risk.
CGEIT (Certified in the Governance of Enterprise IT) — executive-level IT governance.
CDPSE (Certified Data Privacy Solutions Engineer) — privacy engineering with audit angles.
AAIA (Advanced in AI Audit) — ISACA's new AI audit credential, launched 2024.
CPA or CIA — if you want to cross into financial audit or general internal audit.

All five ISACA credentials (CISA, CISM, CRISC, CGEIT, CDPSE) share a single 3-year CPE cycle if you hold multiple — a huge maintenance efficiency.

Final CTA: Start Practicing Today

CISA is a pass-able exam with a clear roadmap. The candidates who fail almost always share one trait: they underpractice. You can fix that right now.

Start practicing nowPractice questions with detailed explanations

The 2026 IT audit market has more openings than qualified candidates. The CISA is the fastest credential path into those openings. The only thing between you and that career step is the 150-question exam — and a study plan that actually works.

Good luck. You can do this.

Official Sources

ISACA CISA program home: https://www.isaca.org/credentialing/cisa
ISACA Exam Candidate Guide (PDF): available from the CISA program page
ISACA Code of Professional Ethics: https://www.isaca.org/credentialing/code-of-professional-ethics
ISACA IT Audit Framework (ITAF): available to members via isaca.org
COBIT 2019 Framework: https://www.isaca.org/resources/cobit
ISACA 2024 State of IT Audit report: https://www.isaca.org
PSI Services (delivery vendor): https://www.psionline.com
NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
PCI Security Standards Council: https://www.pcisecuritystandards.org

Information current as of April 2026. Always verify specific fees, dates, and eligibility details at isaca.org before applying or registering.

✓Key Facts

CISA in 2026: The Only Guide You Need

CISA Exam At-a-Glance (2026)

FREE CISA Prep: Practice Before You Pay

What the CISA Is — and the 2026 Context That Makes It Hotter Than Ever

The 2026 IT Audit Market

Who Should Take CISA

Eligibility & the 5-Year Experience Rule

The Experience Requirement

Substitutions (Up to 3 Years)

The Experience Verification Process

The 5 CISA Job Practice Domains (2026 Weights)

Domain 1 — Information System Auditing Process (18%)

Core Topics

Where Candidates Lose Points

Domain 2 — Governance and Management of IT (18%)

Core Topics

High-Yield: COBIT 2019 Goals Cascade

Domain 3 — Information Systems Acquisition, Development and Implementation (12%)

Core Topics

Migration Approach Cheat Sheet (Frequently Tested)

Domain 4 — Information Systems Operations and Business Resilience (26%)

4A — IT Operations

4B — Business Resilience

RTO/RPO Cheat Sheet

Domain 5 — Protection of Information Assets (26%)

Core Topics

Incident Response: The 6 Phases (SANS)

Cross-Domain High-Yield: The Control Concepts Every Question Leans On

Control Classifications by Objective

Control Classifications by Nature

Segregation of Duties (SoD)

Risk Treatment (ISO 31000 / NIST)

COBIT 2019 Fundamentals (Deep Dive)

The 6 Governance System Principles

The 3 Governance System Components Layers

The 5 COBIT Domains

The Goals Cascade (Memorize the Order)

CISA Pass Rate & Difficulty Reality Check

FREE Practice, Round 2

16-Week CISA Study Plan (Most Candidates)

Weeks 1-2: Orientation and Domain 1 Foundation

Weeks 3-4: Domain 2 — Governance and Management of IT

Weeks 5-6: Domain 3 — IS Acquisition, Development, Implementation

Weeks 7-9: Domain 4 — IS Operations and Business Resilience (BIG DOMAIN)

Weeks 10-12: Domain 5 — Protection of Information Assets (BIG DOMAIN)

Weeks 13-14: Full-Length Practice Exams + Weakness Targeting

Week 15: Final Mock Exams

Week 16: Taper Week

Recommended Resources (Free-First)

Free

Paid (Only After Exhausting Free)

Exam-Day Strategy: The 4-Hour Stamina Game

Pacing

The Question Type Identification Drill

The Elimination Engine

Working-Memory Conservation

Cost Breakdown, Retake Policy & Recertification

Total First-Year Cost

Retake Policy

Recertification (3-Year Cycles)

Salary & Career: What a CISA Actually Earns

The CISA Premium

Career Paths

Common Mistakes That Tank First-Time Candidates

Mistake #1: Picking "The Most Secure" Answer

Mistake #2: Ignoring Evidence Sufficiency

Mistake #3: Confusing Compensating vs Corrective Controls

Mistake #4: Auditor Independence Violations

Mistake #5: Under-Practicing

Mistake #6: Skipping the Manual

Mistake #7: Cramming Domains 4 and 5 Last

Mistake #8: Treating Every Question as a Trap

CISA vs CISSP vs CISM vs CIA — And How to Stack

Stacking Strategy

Your Next Steps After CISA

Final CTA: Start Practicing Today

Official Sources

Free Study Resources

CISA