CISA Exam Syllabus: The 5 Domains and their Difficulty


cisa exam syllabusBefore you start pursuing the exam, you might want to take a closer look at the CISA Exam Syllabus, and determine how much you need to learn from scratch, and how much you can rely on existing experience.

CISA Exam Syllabus: The 5 Domains

  • Domain 1: The process of auditing information systems (21%)
  • Domain 2: Governance and management of IT (16%)
  • Domain 3: Information systems acquisition, development, and implementation (18%)
  • Domain 4: Information systems operations, maintenance and support (20%)
  • Domain 5: Protection of information assets (25%)

1. The Process of Auditing Information Systems

The first domain covers how IT auditors provide services in accordance with IT audit standards, in order to assist the organization in protecting and controlling information systems.

The tasks include developing and implementing a risk-based IT audit strategy, planning and conducting the audit, and reporting findings.

Candidates are expected to know the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards.

2. Governance and Management of IT

The second domain covers how IT auditors provide assurance that necessary organization structure and processes are in place.

For example, they need to evaluate the effectiveness of the IT governance structure, organizational structure, HR management, and policies and standards, in order to determine whether they support the organization’s strategies and objectives.

3. IS Acquisition, Development, and Implementation

The third domain covers how IT auditors provide assurance that the practices for the acquisition, development, testing, and implementation of IS meet the organization’s strategies and objectives.

Tasks include evaluating proposed investments in IS acquisition, development, maintenance and subsequent retirement, evaluating project management practices and controls and conducting reviews.

4. IS Operations, Maintenance and Support

Provide assurance that the processes for information systems operations, maintenance and support meet the organization’s strategies and objectives.

Specifically, it includes conducting periodic reviews of IS, and evaluation such as service level management practices, operations and end-user procedures, and process of information systems maintenance.

5. Protection of Information Assets

The last domain covers how IT auditors provide assurance that the organization’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

This includes evaluating the information security policies, standards and procedures; the design, implementation and monitoring of various controls, such as system and logical security controls, data classification processes, and physical access and environmental controls.

Which Domains are More Important than the Others?

Domains 4 and 5 represents more than half of the syllabus. It is important that you know these two areas very well, and at the same time achieve a decent score in the other domains.

2016 CISA Exam Changes

Please note that there will be changes effective June 2016. For details, check out this page.

Reference Materials

About the Author Stephanie

I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.

follow me on: