What’s covered in the CISA exam? Are you considering going for your CISA certification? If so, this exam will be a requirement so you need to know what’s going to be on it. In this post, I am going to break down the entire CISA exam syllabus for you, to help you gain an understanding of what’s on it and how to properly prepare for it.
Before you start pursuing the exam, you might want to take a closer look at the CISA Exam Syllabus, and determine how much you need to learn from scratch, and how much you can rely on existing experience. So, with that in mind, let’s dive in!
The first thing you need to know about the CISA exam is the five domains. This refers to the way the exam content has been organized or split into five different sections. The percentages of material in the exam covered by each section has recently changed with 2019 updates. I will highlight those changes a bit better below, but for now, here are the five domains.
There used to be six domains but this was changed in an update back in 2011 and the material that was in that sixth domain was put into the other domains (mainly 4 and 5). Each domain is jam-packed with information (especially the last two). Therefore, it’s important to break them down even further to better understand what’s inside.
Most study guides and materials will take you in-depth into the subdomains, or categories, of each domain. Next, let’s take a deeper look into what each of these categories means so that you might get a greater understanding of what will be covered by the exam.
In this section, I’m going to help you understand all that is in Domain 1. The first domain covers how IT auditors provide services in accordance with IT audit standards, in order to assist the organization in protecting and controlling information systems. This section talks about the audit charter and what it contains, and steps for audit planning.
After that, the tasks include developing and implementing a risk-based IT audit strategy, planning and conducting the audit, and reporting findings. You will need to know more than just how to answer basic questions. Moreover, you will need to show that you know how to apply these regulations and standards in an actual work setting.
In addition, candidates are expected to know the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards. You should memorize S1, S2, S4, S9, and S10. Standards S12 thru S16 were added to CISA back in 2011, and you should know S12, S13 & S14.
In this section, I’m going to tell you all about Domain 2. The second domain covers how IT auditors provide assurance that necessary organizational structure and processes are in place. It also contains sections from the Business Continuity section that used to be in the old Domain 6 before they got rid of it.
For example, they need to evaluate the effectiveness of the IT governance structure, organizational structure, HR management, and policies and standards, in order to determine whether they support the organization’s strategies and objectives.
You’re going to need to know the definition for corporate governance, what ISO 26000 is, what the OECD Principals of Corporate Governance are, and what IT Governance is about. In short, ITG is concerned with two issues: What are they and what drives them?
In addition, you will need to know the five focus areas for ITG, be familiar with the different frameworks, and to also know audit’s role in ITG, to name a few things. If this sounds like a lot, that’s because it is. We highly recommend breaking it down by domain and domain subsections when you study. Only once you are confident you know one domain completely should you move forward to the next.
Next, let’s take a look at what is covered in the 3rd domain.
The third domain covers how IT auditors provide assurance that the practices for the acquisition, development, testing, and implementation of IS meet the organization’s strategies and objectives. There are going to be a lot of topics surrounding project management and business management/realization in this section.
For example, you’ll need to know the difference between portfolio management and program management. You’ll need to know the three major forms of organizational alignment, and you will want to know the roles and responsibilities for project steering, among other things. There is also an entire section on business application development, as stated below, and you need to know what the major risks of any software development project, and at which phase testing begins, for example.
Tasks include evaluating proposed investments in IS acquisition, development, maintenance, and subsequent retirement, evaluating project management practices and controls and conducting reviews. Above all, you want to study the areas listed below until you feel confident in your ability to answer practical questions regarding these topics in a potential work setting.
Now let’s move on to Domain 4, which has even more important things to cover about operations, maintenance, and support.
What is Domain 4 all about? Well, you need to provide assurance that the processes for information systems operations, maintenance, and support meet the organization’s strategies and objectives. There are sections on disaster recovery and it’s important to know what to do in the event of data loss, what is acceptable data loss, and how to manage these issues, among other things.
Specifically, it includes conducting periodic reviews of IS, and evaluation such as service level management practices, operations, and end-user procedures, and process of information systems maintenance. As a result, many will agree that Domain 4 (along with Domain 5) is the most important in all of the CISA syllabus.
Back in 2011, ISACA reduced the domains from 6 to 5. So, part of the material in the old Domain 6 is now in Domain 4. This is all the sections about disaster recovery.
In this section, I’m going to tell you more about the last and 5th domain. The last domain covers how IT auditors provide assurance that the organization’s security policies, standards, procedures, and controls ensure the confidentiality, integrity, and availability of information assets. This is a very important Domain in the CISA syllabus.
Moreover, this includes evaluating the information security policies, standards and procedures; the design, implementation, and monitoring of various controls, such as system and logical security controls, data classification processes, and physical access and environmental controls.
However, the 5th Domain is a make-or-break section for you. It is one of the most important, if not THE most important section of the entire CISA exam. If you be sure to know anything, be sure you know this domain.
Now that you know all about these domains and what is covered in them, which ones are the most important? Domains 4 and 5 represent more than half of the syllabus! It is important that you know these two areas very well, and at the same time achieve a decent score in the other domains.
If we talk about difficulty and importance, you must note that ALL sections are important. Subsequently, you should study all the domains accurately and completely. However, if we have to rank them of importance, we can say that Domain 4 and 5 need the most of your attention.
If you want to understand these domains better, you can get a copy of the CISA Review Manual and also a copy of the Q&A CD. You can then read through all the questions on the Q&A CD and be sure you can answer them all correctly. As you go through the questions, you can reference the Review Manual and what section covers that question. This is a great way to begin studying or review, and to evaluate where you are and what sections you need to study more.
However, for most people, this will not be enough on its own to help you pass the CISA exam. I recommend supplemental study aides. More on that later.
As mentioned above, there have been some CISA syllabus updates this year that will be reflected on the exam for candidates taking it June 2019 and beyond. we’re going to take a quick look at it but if you want to know about the changes in more detail, please see the linked article below that covers that.
The CISA syllabus is changed every few years to reflect the constantly changing business environment of IT auditors. It last saw updates in 2016. Now, for 2019, we are seeing more syllabus changes to reflect the latest industry trends impacting the IT audit profession. These changes that have happened in 2019 are to better reflect the changes and standards in the industry.
Most of the changes we see with CISA 2019 are to the five domains. For instance, they are the focal point for the syllabus (as we describe above) and the guide for what will be on the exam. This is designed to help people practice and prepare. Furthermore, the new CISA syllabus will have changes in these domains, as well as in the percentages of info covered for each domain. See below for a layout of this.
While the five domains that comprise the CISA exam will remain similar in 2019, the exam weighting will change slightly, including a greater emphasis on the protection of information assets – a growing industry challenge.
You can see that these are not really big changed. Despite being subtle, it’s still important enough that you know before you take the exam. It could impact how you are studying for the CISA exam. Moreover, the percentages are also changing.
Therefore, this is what it looked like before the changes to the new CISA syllabus:
For details on more of the CISA syllabus changes, check out this page. ISACA also puts out current, updated information regarding the exam on their website if you ever have questions you cannot find the answers to elsewhere.
In conclusion, you now have the answer to “What is on the CISA exam?” With this information, you can decide if this exam is for you, and if you’re ready to sign up for it. This information will also help you to create a plan of action for studying for the exam. Our goal is to help you be fully
You should now know more about the CISA Exam syllabus and feel more confident in your ability to understand what will be on it. If you’re planning to take the exam, we highly recommend you use one of our recommended course guides to study. Even if you’re currently working in a CISA field, it’s still important you get proper study time to ensure you pass the exam on the first try.
Good luck in your CISA career!
I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.
How Can You Register for the CIA Exam? And More.
Simplilearn CISA Course: CISA Simplilearn Course Review
CISA Exam Questions & Study Materials for 2020 CISA Certification
CISA SuperReview by Allen Keele and Certified Information Security: Save $150!