CISA Exam Structure 2026

CISA Exam Format and Syllabus: Domains, Weightage and What to Study First

The CISA exam is easier to understand when you stop viewing the syllabus as one flat reading list. The smarter way is to understand the current exam format, the five weighted domains, what each domain really covers, and how that changes the order in which you should study.

  • Global explainer
  • Official-outline led
  • Syllabus + study priority
  • Updated June 2026

Professional learner reviewing a CISA exam format roadmap and study plan on a laptop in a bright workspace
The strongest CISA preparation starts with understanding the current exam map before building your study plan.

Quick answer

The current CISA exam is a 150-question computer-based exam built around 5 job practice domains. The current live ISACA content outline shows a weight split of 18%, 18%, 12%, 26% and 26%, which means the syllabus is not evenly balanced and your study order should reflect that.

Key takeaways

  • The best way to understand the CISA syllabus is to connect the five domains to the exam weightage, not just memorize topics.
  • Domains 4 and 5 carry the highest current weight at 26% each, so they deserve major study time.
  • Domain 3 is the lightest at 12%, which means it matters, but should not dominate your plan.
  • The exam format, question style, and timing pressure reward practical judgment more than passive reading.
  • A strong format page should help you decide what to study first, then route you into requirements, cost, and deeper prep guidance.

What is the current CISA exam format?

The current live ISACA CISA content outline states that the exam consists of 150 questions covering 5 job practice domains. Edudelphi’s current official-truth set also confirms a 4-hour computer-based format and a scaled passing score of 450 out of 800, which together make CISA a judgment-heavy exam rather than a simple recall test.

Exam element Current CISA format Why it matters
Question count 150 questions You need both accuracy and pacing. Slow overthinking becomes expensive.
Duration 4 hours Time management is part of exam strategy, not an afterthought.
Delivery mode Computer-based The real exam experience is screen-based, so mock practice should feel similar.
Passing standard Scaled 450 out of 800 Candidates should focus on consistent judgment quality across domains, not one perfect section.
Structure 5 weighted domains The syllabus is not evenly balanced, so your study plan should not be evenly split either.

Official references used for this section: ISACA CISA Exam Content Outline and ISACA CISA credential page.

What does the current CISA syllabus cover?

The current CISA syllabus is best understood as a five-domain map of how ISACA expects information systems auditors to think about audit process, governance, change, operations, resilience, and protection of information assets. In plain language, the syllabus is not only about IT. It is about how to evaluate controls and communicate assurance judgment across technology environments.

That distinction matters because many candidates approach CISA like a technical-security exam or like a general internal-audit exam. It is neither. CISA lives in the middle: audit logic, control reasoning, business context, and technology understanding all need to work together.

Audit process
How audits are planned, performed, documented, and communicated.
Governance and management
How IT is directed, controlled, aligned, and monitored inside the organization.
Systems lifecycle and protection
How acquisition, operations, resilience, and information asset protection are evaluated from an auditor’s perspective.

Current CISA domain weightage explained

The current live ISACA content outline shows the following domain weight split: 18%, 18%, 12%, 26%, and 26%. That means the CISA syllabus is not balanced evenly across the five domains. In practical study terms, Domains 4 and 5 deserve more attention because they carry the heaviest share of the current exam blueprint.

Domain Current weight What it broadly covers
Domain 1: Information Systems Auditing Process 18% Audit planning, evidence, execution, reporting, and follow-up.
Domain 2: Governance and Management of IT 18% Governance structures, IT strategy, policies, risk, and oversight.
Domain 3: Information Systems Acquisition, Development and Implementation 12% Change, development, acquisition, projects, and implementation control points.
Domain 4: Information Systems Operations and Business Resilience 26% Operations, incident handling, continuity, resilience, service delivery, and recovery thinking.
Domain 5: Protection of Information Assets 26% Access, data protection, monitoring, security controls, and asset safeguarding.

There is a simple lesson hiding inside those numbers. If your current study plan treats every domain as equal, it is already misaligned with the current exam structure.

Infographic showing the five CISA domains and their current exam weightage in a clean study-friendly layout
A visual shortcut for the current CISA domain structure and weightage.

Current CISA format at a glance The exam map matters because it tells you where study time should become heavier and where it can stay lighter. FORMAT 150 questions 4 hrs computer-based SCORE 450/800 scaled pass mark 5 domains weighted, not equal WEIGHT SPLIT D1 18% D2 18% D3 12% D4 26% D5 26% Main study consequence Domains 4 and 5 deserve the heaviest time block. Domain 3 should stay lighter than many candidates expect.

Important truth check: the older 18/18/12/26/26 split remains visible on the live ISACA content outline in June 2026, so this article should not borrow newer-outline wording from CISM or other certifications.

Which CISA domains should you study first?

The best study order is not always the official numerical order. For many candidates, the better route is to learn the overall audit logic early, then spend serious time on the heaviest current domains, and only after that deepen the lighter areas. This usually produces a more stable understanding than trying to master every domain at equal intensity from day one.

Good starting logic
Use Domain 1 early to understand audit process and reasoning, then build heavier time blocks around Domains 4 and 5.
Common mistake
Reading the syllabus in order and giving every domain the same study time, even though the current weight split is uneven.

A practical order for many working professionals looks like this:

  1. Domain 1 first, because it teaches the audit lens that helps the rest of the exam make sense.
  2. Domains 4 and 5 next, because they carry the highest current weight and often decide your total scoring stability.
  3. Domain 2 after that, because governance and management thinking connects many questions across the exam.
  4. Domain 3 later, because it is still important, but lighter in current exam weight.
Candidate reviewing CISA domain priorities and study notes beside a laptop in a bright modern workspace
Study order becomes easier once you translate the syllabus into weight-based decisions.
Study-priority ladder This is not the only valid sequence, but it is a practical way to align the syllabus with the current exam blueprint. FIRST Domain 1 Build the audit mindset before the rest of the exam HEAVIEST BLOCK Domains 4 and 5 Highest current weight and major scoring influence THEN Domain 2 Governance and management connective tissue LIGHTER LAST Domain 3 Still important, but lighter than many candidates assume

What are CISA questions actually like?

CISA questions are often less about technical memorization and more about selecting the best audit or control judgment under realistic conditions. That is why candidates who know the syllabus but do not understand ISACA-style reasoning often feel confused by answer choices that all look partly correct.

In practical terms, CISA questions often test whether you can:

  • identify the most appropriate auditor action, not just any technically true statement
  • prioritize risk, evidence quality, and control impact
  • distinguish management responsibility from audit responsibility
  • avoid choosing the most technically detailed option when the broader audit logic points elsewhere
Most common candidate trap

Many candidates answer like implementers, engineers, or security operators. CISA often rewards the answer that best fits the auditor’s role, evidence logic, and risk-based judgment instead.

How does scoring and passing work?

Edudelphi’s current official-truth set, built from official CISA references, uses a scaled passing score of 450 out of 800. For candidates, the more useful takeaway is not to obsess over raw-score myths. The important point is that you need stable performance across the exam blueprint, especially in the heavier current domains, rather than hoping one strong topic area will carry everything else.

This is why exam strategy matters so much. A candidate who is average but steady across the map can outperform someone who is excellent in one narrow area and weak across the rest.

Do not chase myths
Online raw-score guesses often create false confidence or false panic.
Respect the blueprint
The weighted structure matters more than personal comfort with one domain.
Use mocks correctly
Mocks are useful when they show domain weakness patterns, not just one headline score.

What should you know about scheduling, PSI and remote proctoring?

The current live ISACA CISA credential page says candidates have a six-month eligibility period after registration, can schedule as early as 48 hours after payment, and use either authorized PSI testing centers or remote proctoring. Those details matter because format questions are not only about the exam paper. They also affect when and how you should lock your preparation timeline.

Scheduling fact Current official guidance Why candidates care
Eligibility period Six months Your preparation plan should fit a real booking window, not an indefinite one.
Earliest scheduling after payment 48 hours You can move from payment to booking quickly if your plan is already mature.
Appointment visibility Only 90 days in advance Do not panic if your preferred date is not visible too early.
Delivery options PSI test centers or remote proctored exam You can choose the environment that best fits your comfort and logistics.
Rescheduling No penalty if done at least 48 hours before the appointment You have some flexibility if preparation timing shifts.

Official references: ISACA CISA credential page and the linked ISACA scheduling / remote-proctoring guidance on that page.

How should you turn the syllabus into a study plan?

A useful CISA study plan should mirror the exam map. Start by learning the structure, then build your calendar around weightage, weak domains, and question practice. In other words, the syllabus should become a weekly decision tool, not just a list of chapters you hope to finish.

A practical study framework looks like this:

  • first understand the five-domain map and the current weightage
  • set a heavier hour allocation for Domains 4 and 5
  • use Domain 1 early so the audit mindset becomes your base layer
  • start question practice earlier than most candidates expect
  • use mocks to diagnose domain weakness, not just celebrate a score

If you want the deeper execution layer after reading this structure guide, move next to How to Pass CISA in First Attempt for study rhythm, mock strategy, and preparation discipline.

Read the CISA Requirements Guide

How Edudelphi maps training to the CISA syllabus

Edudelphi’s role is to help candidates translate the official CISA blueprint into an easier preparation path. That means structured live teaching, domain-wise sequencing, practice questions, mock support, and clarification around official exam rules. The certification itself remains awarded by ISACA, while Edudelphi provides the training and preparation support layer.

Official ISACA side
Exam structure, content outline, scheduling rules, eligibility, certification requirements, and official exam award.
Edudelphi training side
Live online classes, AI-powered LMS, 3000+ practice questions, mocks, recordings, and study support aligned to the current CISA blueprint.

You may also want to read What Is CISA Certification?, CISA Certification Requirements, and CISA Exam Cost if you are planning the full path rather than only the syllabus.

Frequently asked questions

What is the current CISA exam format?

The current CISA exam format is a computer-based exam with 150 questions across 5 job practice domains. Edudelphi’s current official-truth set also uses a 4-hour duration and a scaled passing score of 450 out of 800.

What does the current CISA syllabus include?

The current syllabus includes five domains covering audit process, governance and management of IT, acquisition and implementation, operations and resilience, and protection of information assets.

What is the current CISA domain weightage?

The current live ISACA content outline shows Domain 1 at 18%, Domain 2 at 18%, Domain 3 at 12%, Domain 4 at 26%, and Domain 5 at 26%.

Which CISA domains should I study first?

Many candidates benefit from starting with Domain 1 to build the audit mindset, then moving heavily into Domains 4 and 5 because they carry the largest current exam weight.

Is the CISA syllabus the same as a plain topic list?

Not really. The useful way to understand the syllabus is as a weighted exam blueprint that should influence your study order, time allocation, and mock strategy.

Can I take CISA through remote proctoring?

Yes. The current ISACA CISA page says the exam is administered at authorized PSI testing centers globally or as a remotely proctored exam.

How long is CISA exam eligibility after registration?

The current official ISACA guidance says candidates have a six-month eligibility period from registration to take the exam.

Looking for tailored CISA training in your country?

Explore Edudelphi’s live online CISA course pages for different markets if you want local fee guidance, market-specific positioning, or a country route that still stays aligned with the same exam format and syllabus.

Accreditations and learning partners

Institutional trust behind the learning experience matters. Edudelphi’s broader quality credentials, approved-provider relationships, and learning partnerships support different programs across the portfolio, while CISA itself remains an ISACA-awarded certification.

IMA Silver Approved Provider
PECB Partner
KHDA
Wiley
ISO 9001:2015 Certified
ACCA Gold Learning Partner
IELTS Accredited
Being CERT Accredited
Global Compliance Institute Partner
UWorld
Gleim
Hock International

Logos shown may represent accreditations, approved provider status, content partnerships, learning affiliations, or quality credentials depending on the program. CISA itself is awarded by ISACA.

Content verification and editorial review

This article was reviewed by the Edudelphi content and training team to keep the structure explanation aligned with the current CISA exam blueprint, real learner questions about the syllabus, and the important distinction between ISACA’s official credential rules and Edudelphi’s preparation support.

Checked against current official CISA structure
We reviewed the live ISACA CISA content-outline and credential pages while preparing this update.
Built for study planning, not only definitions
The page is structured to help candidates turn the syllabus into a practical study order, not just memorize a domain list.
Connected to the wider CISA cluster
The page routes readers into requirements, cost, first-attempt preparation, and country-specific training options where useful.

Share this article:

Leave a Reply

Your email address will not be published. Required fields are marked *