1.1 Current CISA Exam Facts

The Exam at a Glance

The Certified Information Systems Auditor (CISA) exam is the credential exam offered by ISACA (formerly the Information Systems Audit and Control Association). It is the most widely recognized qualification for professionals who audit, control, monitor, and assess an organization's information technology and business systems. Before building a study plan you should lock in the exam's hard parameters, because every pacing and scoring decision flows from them.

All 150 items are scored the same way; there are no separate sections, no adaptive branching, and no penalty for guessing. Because a wrong answer is never penalized, answer every question even if you must guess — a blank can only cost you points.

Pacing math

Four hours for 150 questions works out to roughly 96 seconds per question — comfortable for a recall item but tight for a multi-step scenario. Target about 90 seconds per question on the first pass and flag anything slower so you bank time for review.

Scoring You Can Trust

CISA uses a scaled score rather than a raw percentage. ISACA converts your raw number-correct to a 200-800 scale that accounts for slight difficulty differences between exam forms, and 450 is the fixed passing line on every form. A 450 does not mean you answered 450 questions correctly or earned 56% — the scaled score is a statistical conversion, so do not try to reverse-engineer a target percentage from it. In practice, candidates who consistently score in the high-70s to low-80s on quality practice exams are well-positioned.

Your preliminary pass/fail result appears on screen immediately, and ISACA emails an official score report (with a breakdown by domain) within about ten business days. That breakdown is the most useful diagnostic on the report: a fail almost always traces to one or two weak domains, telling you exactly where to focus a retake.

Source of truth

Policies, fees, and the content outline change periodically, so confirm current figures against ISACA's official pages before exam day:

• ISACA CISA Certification Page — fees, registration, and policy.
• CISA Exam Content Outline — the five domains and their weights.
• ISACA Certification Exam Candidate Guide — scheduling, ID, and proctoring rules.

When a third-party figure contradicts an ISACA page, the ISACA page wins.

How to Think About CISA Questions

CISA is an applied-judgment exam, not a trivia test. Most stems describe a realistic audit situation and ask what an IS auditor should do first, next, or most importantly. The correct answer is rarely the most technical option — it is the one that is most aligned with audit standards, most independent, and most defensible in front of management. A useful mental model for each item is cue, authority, action, evidence, risk: identify the cue in the stem, the governing standard or control, the action it requires, the evidence that supports it, and the risk if you take the convenient shortcut instead.

A recurring trap is choosing an answer that is operationally helpful but compromises auditor independence — for example, designing a control rather than recommending that management design it. When two options both look correct, prefer the one that preserves objectivity and produces the cleanest audit trail.

What the credential signals

CISA is accredited under ISO/IEC 17024, which is why employers treat it as evidence that the holder can plan and execute a risk-based audit, not merely define terms. The exam favors candidates who reason from standards to action, so studying for decision-making rather than memorization is what the exam rewards.

Test-Day Logistics

Whether you sit at a PSI center or test under remote proctoring, plan the day so logistics never cost you points.

At a test center

Arrive 30 minutes early, bring a valid government-issued photo ID whose name matches your registration exactly, and store all personal items in a provided locker. You may not bring notes, phones, watches, or food into the room; the center supplies an on-screen calculator if one is needed and scratch material per its rules. A short, optional tutorial precedes the 4-hour clock, so the 240 minutes are entirely for the 150 questions.

Under remote proctoring

The online option uses ISACA's remote-proctoring software. You must:

• Test in a private, quiet, well-lit room with no other people present.
• Provide a working webcam and microphone and a stable internet connection.
• Complete a room scan showing the proctor your desk and surroundings.
• Clear the desk of all materials; no second monitor, phone, or paper notes.
• Present a matching government-issued photo ID to the camera.

Technical readiness matters: run the system-compatibility check days in advance, not minutes before, because a failed connection or unsupported browser can forfeit the appointment. Whichever mode you choose, a calm setup preserves the full four hours for thinking rather than troubleshooting.