CISA Exam Syllabus: The 5 Domains and their Difficulty

What’s covered in the CISA exam? Are you considering going for your CISA certification? If so, this exam will be a requirement so you need to know what’s going to be on it. In this post, I am going to break down the entire CISA exam syllabus for you, to help you gain an understanding of what’s on it and how to properly prepare for it.

Before you start pursuing the exam, you might want to take a closer look at the CISA Exam Syllabus, and determine how much you need to learn from scratch, and how much you can rely on existing experience. So, with that in mind, let’s dive in!

CISA Exam Syllabus: The 5 Domains

The first thing you need to know about the CISA exam is the five domains. This refers to the way the exam content has been organized or split into five different sections. The percentages of material in the exam covered by each section have recently changed with the 2019 updates. I will highlight those changes a bit better below, but for now, here are the five domains.

  1. Information System Auditing Process (21 percent)
  2. Governance and Management of IT (17 percent)
  3. Information Systems Acquisition, Development and Implementation (12 percent)
  4. Information Systems Operations and Business Resilience (23 percent)
  5. Protection of Information Assets (27 percent)

There used to be six domains but this was changed in an update back in 2011 and the material that was in that sixth domain was put into the other domains (mainly 4 and 5). Each domain is jam-packed with information (especially the last two). Therefore, it’s important to break them down even further to better understand what’s inside.

Most study guides and materials will take you in-depth into the subdomains, or categories, of each domain. Next, let’s take a deeper look into what each of these categories means so that you might get a greater understanding of what will be covered by the exam.

1. The Process of Auditing Information Systems

In this section, I’m going to help you understand all that is in Domain 1. The first domain covers how IT auditors provide services in accordance with IT audit standards, in order to assist the organization in protecting and controlling information systems. This section talks about the audit charter and what it contains, and steps for audit planning.

After that, the tasks include developing and implementing a risk-based IT audit strategy, planning and conducting the audit, and reporting findings. You will need to know more than just how to answer basic questions. Moreover, you will need to show that you know how to apply these regulations and standards in an actual work setting.

In addition, candidates are expected to know the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards. You should memorize S1, S2, S4, S9, and S10. Standards S12 through S16 were added to CISA back in 2011, and you should know S12, S13 and S14.

There are seven areas that you need to understand about Domain 1:
  1. Management of the IS Audit Function
  2. ISACA IT Audit and Assurance Standards and Guidelines
  3. Risk Analysis
  4. Internal Controls
  5. Performing an IS Audit
  6. Control Self-Assessment
  7. The Evolving IS Audit Process

2. Governance and Management of IT

In this section, I’m going to tell you all about Domain 2. The second domain covers how IT auditors provide assurance that necessary organizational structure and processes are in place. It also contains sections from the Business Continuity section that used to be in the old Domain 6 before they got rid of it.

For example, they need to evaluate the effectiveness of the IT governance structure, organizational structure, HR management, and policies and standards, in order to determine whether they support the organization’s strategies and objectives.

You’re going to need to know the definition of corporate governance, what ISO 26000 is, what the OECD Principles of Corporate Governance are, and what IT Governance is about. In short, ITG is concerned with two issues: What are they and what drives them?

In addition, you will need to know the five focus areas for ITG, be familiar with the different frameworks, and know audit’s role in ITG, to name a few things. If this sounds like a lot, that’s because it is. We highly recommend breaking it down by domain and domain subsections when you study. Only once you are confident you know one domain completely should you move forward to the next.

There are 13 areas, or subdomains, under Domain 2 that you should know:
  1. Corporate Governance
  2. IT Governance (ITG)
  3. Information Technology Monitoring and Assurance Practices for Board and Senior Management
  4. Information Systems Strategy
  5. Maturity and Process Improvement Models
  6. IT Investment and Allocation Practices
  7. Policies and Procedures
  8. Risk Management
  9. IS Management Practices (and 5 sub-areas under this as well)
  10. IS Organizational Structure and Responsibilities
  11. Auditing IT Governance Structure and Implementation
  12. Business Continuity Planning
  13. Auditing Business Continuity

Next, let’s take a look at what is covered in the 3rd domain.

3. IS Acquisition, Development, and Implementation

The third domain covers how IT auditors provide assurance that the practices for the acquisition, development, testing, and implementation of IS meet the organization’s strategies and objectives. There are going to be a lot of topics surrounding project management and business management/realization in this section.

For example, you’ll need to know the difference between portfolio management and program management. You’ll need to know the three major forms of organizational alignment, and you will want to know the roles and responsibilities for project steering, among other things. There is also an entire section on business application development, as listed below, and you need to know, for example, what the major risks of any software development project are and at which phase testing begins.

Tasks include evaluating proposed investments in IS acquisition, development, maintenance, and subsequent retirement, evaluating project management practices and controls and conducting reviews. Above all, you want to study the areas listed below until you feel confident in your ability to answer practical questions regarding these topics in a potential work setting.

There are 14 subdomain areas of Domain 3 that you need to study for:
  1. Business Realization
  2. Project Management Structure
  3. Project Management Practices
  4. Business Application Development
  5. Business Application Systems
  6. Alternative Forms of Software Project Organization
  7. Alternative Development Methods
  8. Infrastructure Development/Acquisition Practices
  9. Information Systems Maintenance Practices
  10. System Development Tools and Productivity Aids
  11. Process Improvement Practices
  12. Application Controls
  13. Auditing Application Controls
  14. Auditing Systems Development, Acquisition and Maintenance

Now let’s move on to Domain 4, which has even more important things to cover about operations, maintenance, and support.

4. IS Operations, Maintenance, and Support

What is Domain 4 all about? Well, you need to provide assurance that the processes for information systems operations, maintenance, and support meet the organization’s strategies and objectives. There are sections on disaster recovery and it’s important to know what to do in the event of data loss, what is acceptable data loss, and how to manage these issues, among other things.

Specifically, it includes conducting periodic reviews of IS and evaluating areas such as service level management practices, operations, end-user procedures, and the process of information systems maintenance. As a result, many will agree that Domain 4 (along with Domain 5) is the most important in all of the CISA syllabus.

Back in 2011, ISACA reduced the domains from 6 to 5. So, part of the material in the old Domain 6 is now in Domain 4. This is all the sections about disaster recovery.

There are 6 areas or subdomains of Domain 4 that you need to study:
  1. Information Systems Operations
  2. Information Systems Hardware
  3. IS Architecture and Software
  4. IS Network Infrastructure
  5. Auditing Infrastructure and Operations
  6. Disaster Recovery Planning

5. Protection of Information Assets

In this section, I’m going to tell you more about the last and 5th domain. The last domain covers how IT auditors provide assurance that the organization’s security policies, standards, procedures, and controls ensure the confidentiality, integrity, and availability of information assets. This is a very important Domain in the CISA syllabus.

Moreover, this includes evaluating the information security policies, standards and procedures; the design, implementation, and monitoring of various controls, such as system and logical security controls, data classification processes, and physical access and environmental controls.

However, the 5th Domain is a make-or-break section for you. It is one of the most important, if not THE most important section of the entire CISA exam. If you make sure you know anything, make sure you know this domain.

Finally, Domain 5 has eight subdomain areas for you to study:
  1. Importance of Information Security Management
  2. Logical Access
  3. Network Infrastructure Security
  4. Auditing Information Security Management Framework
  5. Auditing Network Infrastructure Security
  6. Environmental Exposures and Controls
  7. Physical Access Exposures and Controls
  8. Mobile Computing

Which Domains are More Important than the Others?

Now that you know all about these domains and what is covered in them, which ones are the most important? Domains 4 and 5 represent more than half of the syllabus! It is important that you know these two areas very well, and at the same time achieve a decent score in the other domains.

If we talk about difficulty and importance, you must note that ALL sections are important. Consequently, you should study all the domains accurately and completely. However, if we have to rank them by importance, we can say that Domains 4 and 5 need most of your attention.

If you want to understand these domains better, you can get a copy of the CISA Review Manual and also a copy of the Q&A CD. You can then read through all the questions on the Q&A CD and be sure you can answer them all correctly. As you go through the questions, you can reference the Review Manual and what section covers that question. This is a great way to begin studying or review, and to evaluate where you are and what sections you need to study more.

However, for most people, this will not be enough on its own to help you pass the CISA exam. I recommend supplemental study aids. More on that later.

CISA Exam Changes

As mentioned above, there have been some CISA syllabus updates this year that will be reflected on the exam for candidates taking it in June 2019 and beyond. We’re going to take a quick look at them, but if you want to know about the changes in more detail, please see the linked article below that covers them.

The CISA syllabus is changed every few years to reflect the constantly changing business environment of IT auditors. It last saw updates in 2016. Now, for 2019, we are seeing more syllabus changes to reflect the latest industry trends impacting the IT audit profession. These changes that have happened in 2019 are to better reflect the changes and standards in the industry.

Changes to the CISA Domains in 2019

Most of the changes we see with CISA 2019 are to the five domains. For instance, they are the focal point for the syllabus (as we describe above) and the guide for what will be on the exam. This is designed to help people practice and prepare. Furthermore, the new CISA syllabus will have changes in these domains, as well as in the percentages of info covered for each domain. See below for a layout of this.

While the five domains that comprise the CISA exam will remain similar in 2019, the exam weighting will change slightly, including a greater emphasis on the protection of information assets – a growing industry challenge.

The breakdown of percentages for the five domains will be as follows:

  1. Information System Auditing Process (21 percent)
  2. Governance and Management of IT (17 percent)
  3. Information Systems Acquisition, Development and Implementation (12 percent)
  4. Information Systems Operations and Business Resilience (23 percent)
  5. Protection of Information Assets (27 percent)

You can see that these are not really big changes. Although they are subtle, they are still important enough that you should know them before you take the exam. They could impact how you are studying for the CISA exam. Moreover, the percentages are also changing.

Previous Domain Percentages

Therefore, this is what it looked like before the changes to the new CISA syllabus:

    • 1: The process of auditing information systems (21%)
    • 2: Governance and management of IT (16%)
    • 3: Information systems acquisition, development, and implementation (18%)
    • 4: Information systems operations, maintenance and support (20%)
    • 5: Protection of information assets (25%)

For details on more of the CISA syllabus changes, check out this page. ISACA also puts out current, updated information regarding the exam on their website if you ever have questions you cannot find the answers to elsewhere.


In conclusion, you now have the answer to “What is on the CISA exam?” With this information, you can decide if this exam is for you, and if you’re ready to sign up for it. This information will also help you to create a plan of action for studying for the exam. Our goal is to help you be fully

You should now know more about the CISA Exam syllabus and feel more confident in your ability to understand what will be on it. If you’re planning to take the exam, we highly recommend you use one of our recommended course guides to study. Even if you’re currently working in a CISA field, it’s still important you get proper study time to ensure you pass the exam on the first try.

Good luck in your CISA career!


About the Author Stephanie

I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.
