1.5 Study Calendar and Practice Plan
Key Takeaways
- A typical working professional needs roughly 8-12 weeks (120-180 hours) of structured study, weighted toward Domains 4 and 5.
- Build a domain-by-domain calendar, then shift to timed full-length practice exams in the final two to three weeks.
- Maintain an error log that records why each missed question was missed; review it as its own study activity.
- After certifying, you must earn at least 20 CPE hours every year and 120 CPE hours over each rolling three-year cycle, plus pay the annual maintenance fee.
An 8-12 Week Calendar
Most working candidates pass with 8 to 12 weeks of consistent study totaling roughly 120-180 hours. The exact length depends on your audit and IT background, but the structure should follow the domain weights. A proven sequence front-loads the foundation, then the two heaviest domains, then the lighter ones, and reserves the end for full-length practice.
| Weeks | Focus | Why |
|---|---|---|
| 1-2 | Domain 1: Auditing Process | Foundation; teaches the auditor mindset every domain reuses |
| 3-4 | Domain 5: Protection of Information Assets (26%) | Heaviest domain; start early while energy is high |
| 5-6 | Domain 4: Operations & Business Resilience (26%) | Other heaviest domain; master RTO/RPO, BIA, BCP/DRP |
| 7 | Domain 2: Governance & Management of IT (18%) | Frameworks and COBIT |
| 8 | Domain 3: Acquisition, Development & Implementation (12%) | SDLC and project controls |
| 9-10 | Full-length timed practice + error-log review | Build stamina and pacing; close gaps |
If you have only eight weeks, compress the governance and acquisition blocks; if you have twelve, add a second pass over Domains 4 and 5 in weeks 11-12.
Practice Exams and the Error Log
Reading alone does not pass CISA — timed practice under exam conditions does. Shift to full-length 150-question practice exams in the final two to three weeks and treat each one as a dress rehearsal: 4 hours, no notes, no pausing. The goal is to reach a consistent 75-85% on quality question banks, which historically maps to a comfortable pass.
The error log
The single highest-leverage habit is a disciplined error log. For every missed (or guessed-and-lucky) question, write two sentences:
- "I missed this because…" — pick a category: misread the qualifier, did not know the rule, wrong sequence, chose the convenient-but-non-independent option, or overgeneralized a control.
- "Next time I will look for…" — the concrete cue that would have flagged the right answer.
Review the log as its own study session twice a week. Patterns emerge fast — for example, if most misses are "chose the technical fix over the audit action," you have a mindset gap, not a knowledge gap, and you can correct it directly.
Common pitfalls to drill away
- Confusing preventive vs. detective vs. corrective controls.
- Mixing up RTO (downtime tolerance) and RPO (data-loss tolerance).
- Picking the option that compromises independence.
- Ignoring the qualifier word (FIRST, MOST, EXCEPT).
After You Pass: Maintaining the Credential
Earning CISA is the start of an ongoing obligation. To keep the designation active you must:
- Earn and report a minimum of 20 CPE (Continuing Professional Education) hours every calendar year.
- Earn and report at least 120 CPE hours over each rolling three-year reporting cycle.
- Pay the annual maintenance fee (US$45 for ISACA members, US$85 for non-members).
- Comply with ISACA's CPE audit if selected (keep documentation of your activities).
- Continue to abide by the ISACA Code of Professional Ethics and the IS Auditing Standards.
Failure to meet the annual minimum, the three-year total, or the maintenance fee can result in revocation of the CISA designation. CPE hours can come from ISACA chapter events, conferences, webinars, vendor training, publishing, and teaching — and the same qualifying activity can count toward multiple ISACA certifications you hold. Build CPE into your routine from day one rather than scrambling at the end of a cycle.
| Maintenance item | Requirement |
|---|---|
| Annual CPE minimum | 20 hours |
| Three-year CPE total | 120 hours |
| Annual maintenance fee | US$45 member / US$85 non-member |
| Code of ethics | Must be upheld continuously |
Choosing and Sequencing Your Materials
A focused toolkit beats a sprawling one. Most successful candidates rely on three resources used in a deliberate order:
- A primary review text (for example, ISACA's official CISA Review Manual) read domain by domain to build the conceptual map.
- A large question bank (ISACA's official database or a reputable equivalent) worked in two modes — study mode with explanations while learning, then timed exam mode once you know the material.
- Full-length practice exams in the final stretch to build stamina and calibrate pacing.
Resist collecting five overlapping question banks; depth of review beats breadth of sources. Whenever a practice explanation conflicts with the official ISACA outline or manual, trust the official material.
A weekly rhythm that works
Within each study week, alternate learn and test days rather than reading for two weeks before touching a question. A simple cycle: read a sub-topic, immediately do 20-30 questions on it, log the misses, and revisit the weak spots the next session. This retrieval-practice loop cements material far better than re-reading, and it surfaces gaps while you still have time to close them.
Final-week taper
In the last week, stop cramming new material. Re-read your error log end to end, do one or two final timed exams early in the week (not the night before), and reserve the day before the exam for light review and rest. Confirm your appointment, ID, and — if testing remotely — your system check. Arriving rested with a clear pacing plan is worth more than the last few hours of cramming.
What is the recommended focus for the final two to three weeks before the CISA exam?
How many CPE hours must a CISA holder earn each year and over each three-year cycle to maintain certification?
Which study habit most directly converts missed practice questions into reliable improvement?