New CISA Syllabus: Change Effective June 2019

The CISA syllabus is changed every few years to reflect the constantly changing business environment of IT auditors. It last saw updates in 2016, which we marked in this post. Now, for 2019, we are seeing more syllabus changes to reflect the latest industry trends impacting the IT audit profession.

Are you curious about what these changes mean for you? If you’re looking to take the CISA exam this year, what do you need to know to pass it? In this post, I’m going to go over all of the new changes and additions to the CISA exam to help you properly prepare.

In the latest round of changes, a team comprising CISA task force members, independent reviewers, and 1,500+ practicing IS audit professionals participated in a review process that spanned over nine months. I will explain this in more detail later.

With that in mind, let’s look at the new CISA syllabus.

New CISA Syllabus in 2019

The last changes took place in 2016. In August 2016, the new syllabus was announced, changing the weighting of the 5 domains:

 Domains Before After
1. The process of auditing information systems 14% 21%
2. Governance and management of IT 14% 16%
3. Information systems acquisition, development, and implementation 19% 18%
4. Information systems operations, maintenance and support 23% 20%
5. Protection of information assets 30% 25%

We now have more changes in 2019 from those 2016 changes. In a press release in November of 2018, ISACA announced that they would be updating the CISA materials and training courses beginning in March 2019 for the new version of the exam that goes into effect June 2019. Now, the time has come for that new version of the exam.

“Now in its 40th year, the CISA certification is more relevant than ever as effective deployment of technology and information systems is essential for enterprises to thrive in the digital economy,” said Kim Cohen, ISACA’s director of certification in the press release.

“This content refresh for CISA, based on leading industry experts pinpointing the most beneficial knowledge and experience needed by global practitioners, will ensure CISA continues evolving to best serve certification-holders and their enterprises.”

The window to take the 2016 version of the exam closed after May. The final registration was May 18, 2019. This was for the testing window from February 1st, 2019 to May 24th, 2019. Starting in June, you have to take the new exam.

Understanding What CISA is About

When we explore what CISA is really all about, it’s easy to see why changes will need to happen from time to time. This certification is about the security and deployment of modern IT technology and information systems. In recent years, these systems have grown to an all-time high and there are no signs of it slowing down. This is the future.

There are thousands of new cyber threats coming out each day and this means security practitioners have to work harder than ever before to come up with new solutions. They also need to create new strategies to help prevent these threats in the first place.

It’s also important that people working in CISA fields keep their knowledge up regarding the ever-changing climate they work in, so they can deploy these new technologies, as needed. This is why ISACA updates and we have a new CISA syllabus this year.

Other CISA Exam Changes

The number of exam questions is reduced from 200 to 150 in 2016, with the last update. The duration remains to be 4 hours. These are not going to change with the 2019 updates. So, you still have the same number of questions and the same amount of time to finish them.

The reduction of number of questions actually gave more time to do each one. This means that candidates can now spend, on average, 1.6 minutes on each question instead of 1.2 minutes previously. So, if that’s staying the same, what is changing in 2019?

Major Changes to the CISA Job Practice in 2019

The biggest changes will be to the five domains. This has long been the focal point for the syllabus and the guide for what will be on the exam to help people practice and prepare. The new CISA syllabus will have changes in these domains, as well as in the percentages of info covered for each domain. See below for a layout of this.

When considering the five domains and how you study for them, it’s important to know there have been a few changes in the 2019 job practice areas. These aren’t really major changes, but they are still important to note, especially while prepping for the exam.

While the five domains that comprise the CISA exam change will remain similar in 2019, the exam weighting will change slightly, including a greater emphasis on the protection of information assets – a growing industry challenge.

The breakdown of percentages for the five domains will be as follows:

  1.  Information System Auditing Process (21 percent)
  2. Governance and Management of IT (17 percent)
  3.  Information Systems, Acquisition, Development and Implementation (12 percent)
  4.  Information Systems Operations and Business Resilience (23 percent)
  5.  Protection of Information Assets (27 percent)

As you can see, the domains are the same but the percentage of weight and material covered in the exam has changed a bit.

Previous Domain Percentages

For comparison, this is what it looked like before the changes to the new CISA syllabus:

  • 1: The process of auditing information systems (21%)
  • 2: Governance and management of IT (16%)
  • 3: Information systems acquisition, development, and implementation (18%)
  • 4: Information systems operations, maintenance and support (20%)
  • 5: Protection of information assets (25%)

As you can see, the changes are not huge. However, it’s still important to become familiar with what has changed.

While the five CISA domains remain similar, there a few noteworthy changes:

  • The 2019 job practice, or exam content outline, introduces subdomains to better organize task and knowledge statements within the broader domains.
  • Knowledge statements are rewritten to represent current technology and combined as appropriate to remove redundancies.
  • Of the 39 task statements in the 2019 CISA Job Practice:
    • 35 were carried forward from the current outline but rewritten to use current terminology
    • One was eliminated
    • 5 are new to the content outline to address emerging changes within the IT audit profession

These changes to the CISA Job Practice, or exam content outline, enhance the preparation experience of exam candidates by including knowledge areas that directly indicate the content of the CISA exam and tasks to identify context for how the knowledge is used in practice.

What Are the Five New Tasks in the 2019 CISA Job Practice?

In addition to the changes above, there are some new tasks that were added to the CISA job practice for this year. I have listed those for you below, as laid out by ISACA to help you prepare.

Below are the five new tasks in the 2019 New CISA Syllabus:

  • Perform technical security testing to identify potential threats and vulnerabilities.
  • Utilize data analytics tools to streamline audit processes.
  • Provide consulting services and guidance to the organization in order to improve the quality and control of information systems.
  • Identify opportunities for process improvement in the organization’s IT policies and practices.
  • Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices.

The CISA Working Group determined that the following 2016 CISA Job Practice task was not in scope for most IT auditors (as noted in its low survey ratings) and therefore removed it from the 2019 CISA Job Practice:

  • Conduct reviews to determine whether a project is progressing in accordance with project plans.

How is Each Domain Changed?

To fully understand the new CISA syllabus, let’s look at each domain and what will be covered within.

Auditing Information Systems

This first domain covers how standardized audit services help enterprises in controlling as well as safeguarding their information systems. You’ll also learn about the practices that assist for the company’s current IT security, potential risks, and control solutions.

This domain has multiple subdomains, including Planning and Execution. Planning involves risk-based audit planning, control types, business processes and information system audit standards, code of ethics and guidelines.

Governance and Management of IT

In the second domain, you learn about the essential processes, structures, and leadership that are available to accomplish the organization’s objectives. This domain also focuses on support strategies and will make sure you have the necessary skills to identify important issues within the organization. You need to show that you can provide recommendations for supporting and protecting the governance of information.

Subdomains include IT Governance and IT Management.

Information Systems Acquisition, Development and Implementation

In this third domain, you learn about Information Systems Acquisition. This section relies heavily on development and implementation.

Subdomains under this job practice area include Information Systems Acquisition and Development and Information Systems Implementation.

Information Systems Operations and Business Resilience

Now, this fourth domain is going to make sure you know about IT asset management, system interfaces, data governance, and end-user computing.  Management of system performance, databases and more is covered here.

Subdomains include Disaster Recovery Plan (DRP), Business Continuity Plan (BCP), Business Impact Analysis (BIA), System Resiliency and Data Backup, Storage and Restoration.

Protection of Information Assets

Finally, the fifth domain is what many people consider the most important. Cyber attacks are becoming more common than ever before and the protection of information assets is vital to any organization.

Subdomains include Security Event Management (e.g., security awareness training and programs, attack methods and techniques, incident response management, etc.) and Information Asset Security and Control (e.g., privacy principles, physical and environmental controls, network and endpoint security, PKI, etc).

How Do they Decide on these Changes?

Changes and updates to such an important exam, while necessary, are also a big deal. A lot of time, energy and resources go into preparing for an exam like this. There are standards that need to be set.

So, it’s a big deal when they make changes. You’re not alone if you have questions about how they decide on these changes and when they should be done. It’s always decided by ISACA and based on changing needs in the industry.

ISACA, which regularly updates its certification content to keep pace with industry demands and changes, recently completed a six-month assessment that resulted in the revised content outline. It’s researched by an appointed Task Force who studied people working in CISA fields all over the world to help make their decisions on what to change.

The CISA Practice Analysis Task Force is composed of nine expert members, and the collective expertise of more than 4,000 CISA-certified professionals from around the world also helped to develop the revised content outline.

Do You Need to Retake the Exam with the 2019 Changes?

Some people who have already taken CISA are now wondering if they have to take it again for the new changes. This is an understandable question, however, you’ll be happy to know that you do not have to take it again.

CISA-certified professionals gain exposure to the updated CISA exam by meeting the Continuing Professional Education (CPE) maintenance requirements. You are required to get your CPE every year anyway, and now you can devote those hours to the new content.

You will obtain a minimum of 20 CPE hours annually and 120 CPE hours for the three-year reporting period after taking the CISA exam and becoming certified. This is required for you to maintain your certification. So no, you do not need to retake the exam and you can get caught up on the changes through CPE.

Has CISA Job Practice Scoring Changed in 2019?

Scoring the CISA exam remains the same, with the same processes, as it continues to be scored against a passing point and converted to scaled scores. However, a new passing point is established by conducting a Standard Setting Analysis on the new/updated exam blueprint.

There is no further information on the details of the changes at this time. I hope that what we have provided will help you prepare for the new changes to CISA. If you’re ready to register, here’s some more information for you.

How to Register for the CISA Exam 2019

Now that you know about the changes that are coming June 2019, you may be wondering how you can register to take the exam yourself. Exam candidates can register for continuous testing for the CISA certification exam on the updated 2019 job practice.

Registration for continuous testing opened 2 April, scheduling will begin on 17 June and testing will begin on 19 June. For additional information please review the continuous testing FAQ and or the 2019 continuous testing Exam Candidates Guide.

CISA Certification Exam Cost

2019 CISA Exam Fee
Early-bird registration
Standard registration

The CISA exam fee itself has not increased since 2017, at least, so this is good news. If you want to save as much as possible, go for the early bird registration. It will save you $50 off whichever registration you choose (member or non-member) and that $50 really adds up.

While membership to the ISACA is optional, the costs of the actual CISA exam are not. You will need to pay fees to “sit” for your exam. This registration fee ensures people actually show up when they are supposed to in order to take the test. It also helps cover the expenses at testing centers, such as the proctors on site, and it helps with the processing of the scoring.

The info above refers to online registration. Mailing and faxing your registration will incur an additional cost of $75. This is because CISA, like many places today, is trying to go all digital as much as possible.

Please rate this

About the Author Stephanie

I am the author of How to Pass The CPA Exam (published by Wiley) and the publisher of this and several accounting professional exam prep sites.

follow me on:

Leave a Comment: