1.3 Blueprint Domains and Weighting

Key Takeaways

  • CISA is built on five job-practice domains with official weights: Domain 1 (18%), Domain 2 (18%), Domain 3 (12%), Domain 4 (26%), and Domain 5 (26%).
  • Domains 4 and 5 together make up 52% of the exam, so IS operations/resilience and protection of information assets deserve the most study time.
  • Domain 1 (the auditing process) is the conceptual backbone and frames how every other domain is tested.
  • Domain 3 (acquisition, development, and implementation) is the lightest at 12% but still covers high-yield SDLC and project governance concepts.
Last updated: June 2026

The Five Domains and Their Weights

ISACA organizes the CISA exam around five job-practice domains derived from a periodic survey of working IS auditors. The official weights tell you exactly how the 150 questions are distributed, and they should drive how you budget study hours.

#   Domain                                                               Weight   Approx. questions (of 150)
1   Information Systems Auditing Process                                 18%      ~27
2   Governance and Management of IT                                      18%      ~27
3   Information Systems Acquisition, Development & Implementation        12%      ~18
4   Information Systems Operations and Business Resilience               26%      ~39
5   Protection of Information Assets                                     26%      ~39

The headline takeaway: Domains 4 and 5 together are 52% of the exam — more than half. A candidate who masters operations/resilience and information protection while staying competent elsewhere is in strong shape. Domain 3, at 12%, is the smallest, but it is dense with testable SDLC and project-governance concepts, so do not ignore it.

What Each Domain Covers

Domain 1 — Information Systems Auditing Process (18%). The professional backbone of the credential: audit standards, guidelines, and the ISACA Code of Ethics; risk-based audit planning; audit types; evidence collection and sampling; control self-assessment; and communicating results. This domain frames how you answer every other domain's questions, because CISA constantly asks what an auditor should do.

Domain 2 — Governance and Management of IT (18%). IT governance frameworks (such as COBIT), IT strategy alignment with business objectives, organizational structure, policies and standards, enterprise risk management, IT resource and portfolio management, and laws/regulations affecting IT.

Domain 3 — Acquisition, Development & Implementation (12%). Project management and governance, business case and feasibility analysis, the system development life cycle (SDLC) and methodologies, requirements and control specification, testing strategies, configuration and release management, and post-implementation review.

Domain 4 — Operations and Business Resilience (26%). IT service management, scheduling and incident/problem management, database and system administration, capacity and performance monitoring, end-user computing, business impact analysis, business continuity planning (BCP) and disaster recovery planning (DRP), backup strategies, and recovery objectives such as RTO and RPO.

Domain 5 — Protection of Information Assets (26%). Information security frameworks, logical and physical access controls, identity and access management, network and endpoint security, encryption and public-key infrastructure, data classification, security awareness, incident response, and emerging-technology security.

Turning Weights into a Study Plan

Budget study hours roughly in proportion to the weights. A simple rule of thumb on a 100-hour plan:

  • Domain 1: ~18 hours — but treat it as foundational and study it first, because it teaches the auditor mindset every other domain reuses.
  • Domain 2: ~18 hours — governance and COBIT concepts.
  • Domain 3: ~12 hours — SDLC and project controls.
  • Domain 4: ~26 hours — the largest block; master RTO/RPO, BIA, and BCP/DRP cold.
  • Domain 5: ~26 hours — the other largest block; access control models and encryption basics are heavily tested.

High-yield concepts that cross domains

Some ideas appear repeatedly regardless of domain label and are worth over-learning: segregation of duties, least privilege, defense in depth, risk-based prioritization, and the difference between preventive, detective, and corrective controls. Recovery metrics (RTO, RPO, MTD/MTO) from Domain 4 and access-control models from Domain 5 are perennial favorites. Knowing these cold lets you reason through unfamiliar stems instead of relying on memorization.

Where the Blueprint Comes From

The five domains are not arbitrary chapter headings — they are derived from ISACA's periodic job-practice analysis, a global survey of working IS auditors that establishes the tasks and knowledge statements the credential certifies. Each domain in the official content outline is broken into two parts: task statements (what an IS auditor does on the job) and knowledge statements (what an IS auditor must know to perform those tasks). Exam questions map back to these statements, which is why so many stems are phrased as workplace scenarios.

Reading the outline like an examiner

When you study a domain, pull the official content outline and read its task and knowledge statements as a checklist. If a statement says an auditor must "evaluate the design and operating effectiveness of identity and access management," expect items that ask you to judge whether a given access-control setup is adequate — not items that merely ask you to define IAM. Converting each statement into a "could I answer a scenario about this?" question is the fastest way to find your gaps.

Weight stability

ISACA refreshes the job-practice analysis, and with it the domain weights, every few years. The current split (18 / 18 / 12 / 26 / 26) has held steady and reflects how the profession has shifted toward operations, resilience, and information protection. Always re-confirm the weights on the official content outline before exam day, but expect Domains 4 and 5 to remain the heavyweights. Use that stability to your advantage: the time you invest mastering recovery objectives, business continuity, access control, and encryption pays off across more than half the exam.

Test Your Knowledge

  1. Which two CISA domains carry the highest exam weight?

  2. Which CISA domain carries the lowest exam weight?

  3. Recovery time objective (RTO) and recovery point objective (RPO) are concepts most directly tested in which domain?