Quick Answer
The CISA exam domains are five core job practice areas tested over a four-hour, 150-question exam. Based on the latest updates for 2026, the domains and their weightages are:
- Domain 1: Information Systems Auditing Process (18%)
- Domain 2: Governance and Management of IT (18%)
- Domain 3: Information Systems Acquisition, Development, and Implementation (12%)
- Domain 4: Information Systems Operations and Business Resilience (26%)
- Domain 5: Protection of Information Assets (26%)
Earning the prestigious CISA designation is a significant career milestone, but the exam presents a unique challenge. It’s designed to test not just what you know, but how you think like an information systems auditor. ISACA, the governing body, periodically updates the exam content outline to reflect current global standards, and this guide breaks down the latest requirements for 2026.
Understanding the CISA exam domains and their specific weightage is the foundational first step to creating a successful study strategy. This guide will walk you through the CISA exam format, provide a detailed explanation of all five domains, and offer strategic insights on how to allocate your study time for maximum impact.
CISA Exam Format and Structure: The Essentials
Before diving into the syllabus, it’s crucial to understand the logistical “nuts and bolts” of the CISA exam. The test is a 150-question, multiple-choice exam administered over a four-hour period. It is delivered globally as a Computer-Based Test (CBT) at PSI test centers or via remote proctoring.
| Attribute | Details |
|---|---|
| Exam Length | 4 Hours (240 minutes) |
| Question Count | 150 Multiple-Choice Questions (MCQs) |
| Language Availability | English, Chinese, French, German, Japanese, Korean, Spanish, etc. |
| Passing Score | 450 out of 800 (Scaled Score) |
This structure gives you just under two minutes per question. Recognizing these time constraints is critical. This is why an exam-focused pedagogy that teaches time management alongside subject matter is vital to ensuring you can answer all questions confidently within the allotted time.
Breakdown of CISA Exam Domains (Domain-by-Domain)
The CISA exam is not a random collection of IT facts. It is meticulously structured around five “Job Practice Areas” that mirror the real-world responsibilities of an IT auditor. These domains were updated by ISACA’s Job Practice Analysis to ensure they reflect modern cybersecurity and operational needs.
Domain 1: Information Systems Auditing Process (18%)
Think of this domain as the “rules of the road” for an IS auditor. It covers the foundational knowledge required to plan, conduct, and report on an audit. It’s less about technology and more about the structured methodology that governs the entire audit lifecycle.
Key Topics Covered:
- ISACA IT Audit and Assurance Standards, Guidelines, and Codes of Ethics
- Risk-based audit planning and risk analysis
- Internal controls concepts
- Audit project management and evidence collection techniques
Study Tip: Focus on the sequence and purpose of each phase in an audit. Questions in this domain often test your understanding of the correct order of operations, from initial planning to final reporting.
Domain 2: Governance and Management of IT (18%)
This domain elevates your perspective from the audit process to the strategic level of the organization. It examines how IT aligns with business objectives and how governance structures ensure that IT supports the enterprise’s mission effectively and ethically.
Key Topics Covered:
- IT governance and management frameworks (e.g., COBIT)
- IT organizational structures and leadership roles
- Business Continuity Planning (BCP) and Disaster Recovery (DR) strategies
- IT resource and performance management
A common pain point for candidates is differentiating between “Governance” (the strategic direction set by the board) and “Management” (the execution of that direction by executives). This domain tests your ability to make that distinction clearly.
Domain 3: Information Systems Acquisition, Development, and Implementation (12%)
This domain focuses on how new information systems are built or acquired. It covers the entire lifecycle, from the initial business case to post-implementation review, ensuring that new systems are secure, effective, and meet business needs.
Key Topics Covered:
- Project management methodologies (Agile, Waterfall)
- Software Development Life Cycle (SDLC) phases and controls
- Testing methodologies
- Post-implementation reviews and data conversion audits
While this is the lowest-weighted domain, it can be tricky for candidates without a development or project management background. You won’t need to code, but you must understand the controls required at each stage of a project.
Domain 4: Information Systems Operations and Business Resilience (26%)
Domain 4 has seen a significant increase in weightage, reflecting ISACA’s current focus on Business Resilience. This domain is about “keeping the lights on.” It covers the day-to-day operations of IT infrastructure and the critical processes required to ensure systems are available, reliable, and can recover from disruptions.
Key Topics Covered:
- IT service management and infrastructure (hardware, networks, databases)
- System performance monitoring and business resilience strategies
- Data backup, storage, and restoration
- Incident management and response
Because this domain is highly technical and now carries equal weight to Domain 5, it’s where theoretical knowledge meets practical reality. At EduDelphi, our CISA-certified trainers leverage their senior industry experience to bridge this gap, translating complex operational concepts into the specific audit considerations you’ll face on the exam.
Domain 5: Protection of Information Assets (26%)
Alongside Domain 4, this is the highest-weighted area of the exam. Your performance here is critical to passing. This area covers all aspects of information security, focusing on the policies, standards, and controls required to ensure the confidentiality, integrity, and availability of information assets.
Key Topics Covered:
- Information security management frameworks
- Logical and physical access controls
- Encryption techniques and Public Key Infrastructure (PKI)
- Network security and attack vectors
- Security event monitoring and testing
You simply cannot pass the CISA exam without a strong command of this domain. It requires a deep understanding of modern cybersecurity threats and the controls used to mitigate them.
Understanding CISA Question Format & Cognitive Levels
The CISA exam rarely asks simple “What is X?” questions. Instead, it presents you with a scenario and asks you to determine the “BEST,” “MOST likely,” or “PRIMARY” course of action. This is the CISA question format designed to test your judgment.
To succeed, you must adopt the “ISACA Mindset.” Your role as an auditor is to assess controls, identify risks, and report findings to management. It is not your job to fix the problem directly. When evaluating answer choices, always select the one that aligns with an auditor’s responsibilities of evaluation and assurance, not implementation.
This is why an outcome-oriented curriculum is so important. The exam tests application and analysis, not rote memorization. Mastering this requires extensive practice. Access to a large pool of exam-style questions, like EduDelphi’s practice infrastructure with over 5,000 MCQs, helps you recognize these subtle questioning patterns and develop the critical thinking skills ISACA is looking for.
Passing Score and Difficulty
The CISA passing score is 450 on a scaled score range of 200 to 800. This is not a simple percentage. ISACA uses a scaling process to account for minor differences in question difficulty across different exam forms, ensuring a consistent standard for passing.
The exam’s difficulty is subjective but is generally considered moderately difficult to hard, depending on your professional background.
| Candidate Profile | Perceived Difficulty |
|---|---|
| Entry-Level Professional | Hard. Technical domains (4 & 5) and governance concepts (2) can be challenging without hands-on experience. |
| Experienced IT/IS Professional | Moderate to Hard. Strong in technical domains but may need to focus on the audit process (1) and governance (2). |
| Experienced Financial Auditor | Moderate. Strong in the audit process (1) but will need to dedicate significant time to technical domains (4 & 5). |
Strategic CISA Study Plan by Domain
A smart study plan allocates time based on domain weightage and personal weaknesses. Given that Domains 4 and 5 together now account for 52% of the exam, it’s logical to dedicate more than half of your study time to mastering them.
A proven resource allocation strategy is:
- Build Foundational Knowledge: Start by thoroughly reading the official ISACA CISA Review Manual (CRM) to understand all concepts.
- Reinforce with Practice Questions: After each domain, work through a large set of practice questions specific to that area to test your comprehension.
- Simulate Exam Conditions: In the final weeks, focus on full-length mock exams to build stamina, refine your time management, and identify any remaining weak areas.
Using an advanced Learning Management System (LMS) can be a game-changer. The ability to track your performance analytics per domain allows you to see precisely where you are struggling—for example, scoring 85% in Domain 1 but only 55% in Domain 5—so you can adjust your focus before it’s too late.
Master the CISA Domains with EduDelphi
The CISA syllabus is vast, and while self-study is an option, a structured mentorship program ensures you focus your limited time on what truly matters for the exam. Our approach is designed to guide you through all five ISACA CISA domains with clarity and confidence. If you have questions about the syllabus or need a walkthrough of the topics, you can always get clarification here.
At EduDelphi, our CISA program offers:
- Comprehensive review of all 5 domains by expert, CISA-certified trainers.
- Timed mock exams that simulate the real test environment and question format.
- Flexible weekend and evening schedules designed for busy working professionals.
Don’t leave your CISA success to chance. Check out our upcoming CISA training schedule to get started.
Conclusion
The CISA exam is a comprehensive test of an information system auditor’s knowledge and judgment. The CISA exam domains are designed to cover the full lifecycle of IT auditing, from foundational processes and governance to the highly technical areas of operations and security. With a heavy emphasis on both the protection of information assets and business resilience (Domains 4 and 5), your study plan must prioritize these critical areas.
The exam is tough, but the career benefits of becoming a Certified Information Systems Auditor are recognized globally. For more context on its value, see our guide on why CISA certification is worth it. With the right strategy and a deep understanding of the domains, you can conquer the exam and achieve your certification goal.
Which of the 5 domains do you find most intimidating? Let us know in the comments or contact a counselor for a syllabus walkthrough.
Key Takeaways
- The CISA exam consists of 150 multiple-choice questions to be answered in 4 hours.
- The five domains were updated in 2024, with IS Operations & Resilience (26%) and Protection of Assets (26%) now carrying equal, majority weight.
- Passing the exam requires a scaled score of 450 out of 800, which is not a raw percentage.
- The question format tests your analytical skills and judgment, requiring you to think like an auditor.
- A strategic study plan should prioritize the highest-weighted domains and use practice questions to master the “ISACA mindset.”
Frequently Asked Questions (FAQs)
What are the 5 CISA exam domains for 2026?
The CISA exam domains based on the latest 2024 update are: 1) Information Systems Auditing Process (18%), 2) Governance and Management of IT (18%), 3) Information Systems Acquisition, Development, and Implementation (12%), 4) Information Systems Operations and Business Resilience (26%), and 5) Protection of Information Assets (26%).
Which CISA domain carries the most weight on the exam?
As of the 2026 exam cycle, Domain 4 (IS Operations and Business Resilience) and Domain 5 (Protection of Information Assets) carry the highest weightage at 26% each. Together, they represent 52% of the exam content.
How many questions are in the CISA exam and how long does it take?
The CISA exam format consists of 150 multiple-choice questions (MCQs) administered over a four-hour (240-minute) session. This structure allows candidates approximately 1.6 minutes per question, requiring strict time management strategies during the test.
What is the passing score for the CISA exam?
The CISA passing score is a scaled score of 450 on a scale of 200 to 800. It is important to note that this is a weighted score based on difficulty, not a raw percentage, meaning you cannot simply aim to answer a certain number of questions correctly to pass.
Is the CISA exam difficult for non-technical professionals?
Yes, the exam is generally considered moderately difficult to hard, particularly for those without a technical background. Non-technical candidates often find Domain 4 (Operations) and Domain 5 (Protection) challenging because they require a deep understanding of technical infrastructure and security protocols, not just auditing theory.
Can I take the CISA exam online from home?
Yes, ISACA offers the exam via remote proctoring (Computer-Based Testing) through PSI, allowing you to take it from home. The online version follows the exact same CISA exam structure and security protocols as the test center version.
Do I need work experience to take the CISA exam?
No, you do not need work experience to sit for the exam; anyone can register and take the test. However, to be officially certified after passing, you must submit verified evidence of five years of work experience across the CISA exam domains.
Which CISA domain is considered the hardest?
Most candidates consider Domain 5 (Protection of Information Assets) and the updated Domain 4 (Operations and Resilience) the hardest due to their technical depth regarding cyber threats and system infrastructure.
How often does ISACA change the CISA exam syllabus?
ISACA updates the CISA syllabus domains periodically, typically every 3 to 5 years. The most recent major update occurred in August 2024, which remains the standard for the 2026 exam cycle.
Does the CISA exam require coding knowledge?
No, the CISA question format does not require you to write code. However, you are expected to understand the software development lifecycle (Domain 3) and logic controls well enough to audit them, identify vulnerabilities, and recommend appropriate security measures.