7.2 Last-Week Review Map

Key Takeaways

  • Spend the final week consolidating high-yield concepts, not learning new material.
  • Weight review by blueprint: Domains 4 and 5 are 26% each, Domains 1 and 2 are 18% each, Domain 3 is 12%.
  • Memorize the single most-tested concept per domain: ITAF and risk-based planning, COBIT governance, SDLC controls, RTO/RPO and recovery sites, access control and cryptography.
  • Use short mixed-domain sets to keep domain-switching sharp and surface lingering weak spots.
  • Stop adding new resources; a scattered final week lowers confidence and recall.
Last updated: June 2026

Build the Map from the Blueprint

The final week is a consolidation sprint, not a content-acquisition phase. Anchor it to the official weights so your hours land where the points are:

Domain   Focus                                              Weight
1        IS Auditing Process                                18%
2        Governance and Management of IT                    18%
3        IS Acquisition, Development, Implementation        12%
4        IS Operations and Business Resilience              26%
5        Protection of Information Assets                   26%

Domains 4 and 5 are 52% of the exam combined, so they deserve the largest share of review time, followed by 1 and 2, with Domain 3 last. Layer your error log on top of this: a weak Domain 5 is a five-alarm priority, while a weak Domain 3 is a smaller fire. Spend your scarce final hours on the intersection of high weight and your demonstrated weakness.

The Single Most-Tested Concept Per Domain

If you commit nothing else to memory this week, lock in these high-yield anchors — the concept each domain returns to again and again:

  • Domain 1 — Audit standards and risk-based planning. Know the ITAF (Information Technology Assurance Framework), the difference between standards (mandatory), guidelines, and tools/techniques, and that audit plans are built on a risk-based assessment so high-risk areas get audited first and most often. Know the control hierarchy: preventive, detective, corrective.
  • Domain 2 — Governance via COBIT. Know that governance sets direction and evaluates (the board's job) while management plans, builds, runs, and monitors, and that COBIT separates these. Steering committees, IT strategy alignment to business objectives, and clear roles/responsibilities are the recurring themes.
  • Domain 3 — SDLC controls. Know the system development life cycle phases and the controls in each — especially separation of development, test, and production environments, proper change management, and UAT (user acceptance testing) sign-off before go-live.
  • Domain 4 — RTO/RPO and recovery sites. Know that RTO (Recovery Time Objective) is how fast you must restore, RPO (Recovery Point Objective) is how much data loss is tolerable, and the site trade-offs: hot (minutes, costly), warm (hours), cold (days, cheap).
  • Domain 5 — Access control and cryptography. Know least privilege, segregation of duties, and that public-key (asymmetric) encryption gives confidentiality when you encrypt with the recipient's public key, while digital signatures give integrity and non-repudiation using the sender's private key.

How to Spend the Seven Days

Structure the week so each day has a clear, bounded job:

  • Days 7-5: Rotate through Domains 4, 5, then 1/2, doing focused review of the anchors above plus your weakest error-log topics. One short timed set each day.
  • Days 4-3: Run mixed-domain sets of 50-75 questions to rehearse domain-switching and the BEST/FIRST/MOST qualifier discipline. Re-read rationales, not just the right answer.
  • Day 2: One light full or half-length simulation in the morning; afternoon is pure rationale review. Stop introducing new resources — a new question bank or video this late fragments recall and erodes confidence.
  • Day 1 (before exam): Light skim of your one-page anchor sheet, confirm logistics (covered in 7.3), and rest. Cramming the night before trades sleep for marginal recall and hurts pacing the next day.

The discipline that wins the final week is subtraction: cut scattered material, keep the high-yield anchors, and protect your sleep and pacing reflexes.

Build a One-Page Anchor Sheet

Condense the whole exam into a single page you can mentally recite. The act of compressing forces recall, and the page becomes your Day-1 review. Group it by the traps CISA reuses:

  • Control types: preventive (stop it), detective (catch it), corrective (fix it). When two controls work, preventive wins. Compensating controls offset a weakness when the ideal control is impractical.
  • Auditor role: independence first. The auditor assesses and reports; the auditor never owns, operates, or remediates the control. Loss of independence is an automatic wrong answer.
  • Evidence reliability: evidence is stronger when it is independent of the auditee, obtained directly by the auditor, and corroborated. An auditor's direct observation and reperformance outrank a client-prepared report.
  • Domain 4 resilience numbers: RTO = time to restore; RPO = tolerable data loss; MTD/MTO = the absolute outer limit; hot/warm/cold sites trade cost against recovery speed.
  • Domain 5 crypto: confidentiality uses the recipient's public key to encrypt; signatures use the sender's private key to sign a hash, giving integrity and non-repudiation. Symmetric is fast but has a key-distribution problem; asymmetric solves distribution but is slower.
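A toy RSA walk-through of the two Domain 5 rules stated above (encrypt with the recipient's public key for confidentiality; sign a hash with the sender's private key for integrity and non-repudiation). This is an added illustration, not part of the original guide; the primes, key pairs and messages are constructed and far too small for real use.

```python
"""Toy RSA showing which key each Domain 5 operation uses.
Constructed, tiny keys for illustration only; never use for real data."""
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (public, private) for small distinct primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    d = pow(e, -1, phi)          # private exponent
    return (e, n), (d, n)


def encrypt_for(recipient_public, message_int):
    """Confidentiality: anyone encrypts with the RECIPIENT's public key."""
    e, n = recipient_public
    return pow(message_int, e, n)


def decrypt_with(recipient_private, ciphertext):
    """Only the recipient's private key recovers the plaintext."""
    d, n = recipient_private
    return pow(ciphertext, d, n)


def _digest_mod_n(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_with(sender_private, message):
    """Non-repudiation: the SENDER signs a hash with their private key."""
    d, n = sender_private
    return pow(_digest_mod_n(message, n), d, n)


def verify_with(sender_public, message, signature):
    """Anyone checks the signature with the sender's public key."""
    e, n = sender_public
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo():
    alice_pub, alice_priv = make_keypair(1000003, 1000033)  # sender (constructed)
    bob_pub, bob_priv = make_keypair(999983, 1000037)       # recipient (constructed)
    secret = 4242                                           # constructed payload
    ciphertext = encrypt_for(bob_pub, secret)               # Bob's PUBLIC key
    report = b"RPO=15min RTO=4h"                            # constructed message
    signature = sign_with(alice_priv, report)               # Alice's PRIVATE key
    return {
        "bob_recovers_secret": decrypt_with(bob_priv, ciphertext) == secret,
        "signature_verifies": verify_with(alice_pub, report, signature),
        "tampered_report_verifies": verify_with(alice_pub, report + b"!", signature),
        "wrong_signer_verifies": verify_with(bob_pub, report, signature),
    }
```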

Spaced Repetition Beats Re-Reading

In the final week, active recall and spaced repetition outperform passive re-reading. Quiz yourself, close the book, and reconstruct the anchor from memory; then check and correct. Re-reading creates a false sense of fluency because the material feels familiar, but familiarity is not retrievability. Short, frequent self-tests across the day — morning, midday, evening — cement the high-yield facts far better than one long cram session, and they leave your mind calmer going into exam day.

Pair each recall session with a quick check of your error log so the facts you self-test are the ones most likely to appear in the heaviest domains, not the ones you already know cold.

Test Your Knowledge

Allocating final-week review strictly by blueprint weight, which pair of domains should receive the most attention?

Test Your Knowledge

In Domain 4, what does the Recovery Point Objective (RPO) define?

Test Your Knowledge

Which statement about Domain 1 audit standards is correct under ISACA's ITAF?
