How hard is the CISA exam? One of the most common questions we got is about how hard the CISA exam can be. This is obviously a subjective question but we will try to give you a helpful answer based on comparison with other qualifications, and comments from past takers. In this article, I’m going to break it down for you, piece by piece. I will show you all the elements of the CISA exam and difficulty levels, so that you have a better understanding of it before you begin.
What Is the Goal of the CISA Exam?
When trying to understand how difficult an exam might be, the first step is to understand the goal of that particular exam. What is it the individuals are supposed to learn or gain from taking it? What should they walk away with?
Passing the CISA exam means that you have proven an understanding of the information contained with the exam. This doesn’t mean you have trained in any particular type of proprietary tools or software. Rather, the CISA exam has a broader focus. Furthermore, the goal of the CISA exam is to show you have the knowledge and experience needed for any job role that requires the CISA certification.
It shows that you have gained and maintained the necessary skills to be a valuable asset to an employer within the field. According to ISACA, “With a growing demand for individuals possessing IS audit, control, and security skills, CISA has become a preferred certification program by individuals and organizations around the world.”
CISA designation was made for professionals with work experience in information systems auditing, control or security. It is a way to distinguish these professionals from those who are not qualified and certified. It can help you quality for a new position, a raise, or employment at a new company, among other things.
CISA Exam Difficulty Level in Terms of Exam Content
Most readers tend to agree: the syllabus and exam content isn’t particularly tough. After all, it is a one-part exam with only 150 questions. Compared to other exams in the niche, it is lighter. That said, it requires basic knowledge on a wide variety of topics, versus specific knowledge in a more narrowed focus. Depending on your learning style and previous experience, this could make it feel harder.
This certification requires 5 years of experience and therefore is not intended for those who just started out working. If you work in IT auditor for a couple of years, it is obviously easier than those who have no relevant experience. Since most people who take CISA have already been working in the industry for 5 years, they will find the information on the exam easier than someone who was just starting out.
How Hard is the CISA Exam?
When asking how hard an exam is, it’s always relative. What is difficult for one person may not be difficult for another, but most will agree it is not as difficult as the Bar or the CPA exam. That said, it has increased in difficulty over the years to keep up with changing standards in the industry. Since opinions can vary so greatly, we want to give you more information about the questions on the exam so you can gauge for yourself how hard it might be for you. .
How Many Questions Are on the CISA?
There are 150 questions on the CISA exam, as mentioned above. The number of exam questions was reduced from 200 to 150 in 2016. You have four hours to complete all of these questions and that is typically more than sufficient time for anyone to complete the entire exam. Now let’s look at what kind of material you will find in these questions.
What is the Material Covered On CISA?
The material that is covered on CISA is all garnered from the five domains. There have been some changes in June of 2019 to the weighting of the five domains but the categories themselves and the information contained within is the same.
Information System Auditing Process
This first domain covers how standardized audit services help enterprises in controlling as well as safeguarding their information systems. Most people already working in the IT security or auditing fields should find this easy enough.
Governance and Management of IT
The second domain is devoted to the essential processes, structures, and leadership that are available to accomplish the organization’s objectives. It also covers support strategies, IT Governance, and IT Management. Most will not find this difficult, either.
Information Systems Acquisition, Development, and Implementation
Now, this third domain is about Information Systems Acquisition. It relies heavily on development and implementation. Some of the information may get a little more difficult, especially if you don’t work with this on a daily basis, but it’s not overly complicated either. It is the fourth and fifth domains of CISA that most will say are the most important and hardest of the exam.
Information Systems Operations and Business Resilience
Next, the fourth domain is about IT asset management, system interfaces, data governance, and end-user computing. Management of system performance, databases and more will be asked about in this section.
Protection of Information Assets
The fifth domain is often considered the most difficult and the most important. Cyber attacks are becoming more common than ever before and the protection of information assets is vital to any organization and this domain focuses on the prevention of this and the protection of all information assets.
New CISA Domain Weighting in 2019
- Information System Auditing Process (21 percent)
- Governance and Management of IT (17 percent)
- Information Systems, Acquisition, Development and Implementation (12 percent)
- Information Systems Operations and Business Resilience (23 percent)
- Protection of Information Assets (27 percent)
As you can see, the domains are still the same but the percentage of weight and material covered in the exam is modified slightly.
CISA Exam Changes in 2019
There have been some small changes in addition to just the weighting of the domains. It is important to take note of these while studying for the exam. It’s essential candidates ensure any study materials they use reflect these recent updates as well.
While the five CISA domains remain similar, there a few noteworthy changes:
- The 2019 job practice, or exam content outline, introduces subdomains to better organize task and knowledge statements within the broader domains.
- Knowledge statements are rewritten to represent current technology and combined as appropriate to remove redundancies.
- Of the 39 task statements in the 2019 CISA Job Practice:
- 35 were carried forward from the current outline but rewritten to use current terminology
- One was eliminated
- 5 are new to the content outline to address emerging changes within the IT audit profession
These changes to the CISA Job Practice, or exam content outline, enhance the preparation experience of exam candidates. It does this by including knowledge areas that directly indicate the content of the CISA exam and tasks to identify context for how the knowledge is used in practice.
Exam Difficulty Based on Question Style
The exam content is manageable, but the question style is not for many candidates. Possibly because of the nature of the profession, the phrasing and wording of the questions are pretty hard to comprehend, even for existing IT auditors. You do need to get familiar with ISACA terminologies to pass this exam.
Also, it is hard to know whether you got the answers correctly. Most seem to be able to narrow down the answers to 2 out of the 4, but after that it is all educated guess. It’s important to remember that the CISA exam is designed to measure a pass/fail of basic competency. This means it is going to test you on the minimum standards. In short, it’s not meant to be so incredibly difficult that people meeting the work requirements for certification wouldn’t be able to pass the exam.
Typically, people can prepare for and pass the CISA within 6 months. If you are currently working in IT auditing, you may even be able to pass in as few as 1-2 months because the exam questions are going to be familiar to you. Remember when studying to look at it from the ISACA point of view, and not necessarily from the point of view you would use in the workplace. For many people, these are different and ISACA is more formal than what they use on the day-to-day in their IT auditing jobs.
How can you know if you’re ready to sit for the exam?
How do you know if you are ready to take and pass the CISA exam? A good indicator of your readiness is the self-assessment offered by ISACA. Candidates can use this as a practice exam to determine if you’re ready to take the exam yet. Finally, you can also find mock tests and practice exams in CISA review courses are helpful, too.
You can learn more and take the CISA Self-Assessment for yourself to get a better feel for where you are when it comes to preparation. This 50-question self-assessment is one of many tools that you can use to help prepare for the CISA exam. We also have other tools and resources here on our site, including information about CISA review courses, review courses and study tips.
CISA Exam Difficulty when Compared to CISSP Exam
It isn’t entirely apple to apple when comparing CISA to CISSP, and opinions are split on this one. My conclusion is that the perceived difficulty is largely a result of one’s background. If one is an auditor, for example, CISA exam is easier; otherwise, if one is a computer science major, he may find CISSP easier.
In any case, if you have taken the CISSP exam before, your CISSP knowledge overlaps nicely with Domain 5 of the CISA exam which represents 27% of the scoring and indirectly for portions of domains 3 (12%) and 4 (23%).
Domains 1 (21%) and 2 (17%) are likely your biggest knowledge gap that you’ll need to fill. Those are also the areas where the “ISACAisms” will become fairly evident.
CISA vs CIA and Others
How hard is CISA as compared to CIA or to other similar exams in this industry? CIA only requires 2 years of job experience vs. the 5 required for CISA and the CISA does not have the minimum requirement for a Bachelor’s degree. The CIA exam is available throughout the year to take, which is more convenient for many people.
In terms of what is harder, the CIA has 3 parts to CISA’s 1 part, and it requires 6.5 hours of testing, vs. CISA’s 4. While the content might not be especially harder, CIA will take you longer. CISA is broader with its subject matter and this tends to make it easier in comparison than many other exams of this type.
You can also learn more about how CISA compares to CIA in terms of choosing the right certification for your needs, if you have not yet decided. Both auditing certifications are similar, so getting all the information first is important to choosing which one you want.
CISA Exam Difficulty Conclusions
At the end of the day, it’s not the most complex exam out there, but it is comprehensive. Take the time to study thoroughly and be prepared before you go. This is essential to passing. We’ve given you information and pointed you in the right direction for study guides and other information that will help you on this journey. You can’t be 100% certain how hard the CISA exam will be for you until you at least start studying the material.
When you go through study guides and practice materials you will be able to see what areas are your strengths. Furthermore, you can see which areas you need to review more closely. If you’ve been working within the industry for years, you shouldn’t have too much trouble passing. You need a basic understanding of at least 70% of the CISA knowledge areas. Most people find that a simple review of the materials will be enough for them to pass the exam.
For Your Further Reading