CISA Exam Domains 2025: Complete Breakdown & Strategic Study Guide
Domain Overview: Quick Reference
The CISA exam tests your knowledge across five distinct yet interconnected domains. Each domain has a specific weight determining how many questions you'll encounter. The August 2024 update shifted weightings to reflect current industry priorities and emerging challenges in IT audit.
Critical Weight Changes from August 2024
Domain 4 (Operations & Business Resilience) increased from 23% to 26% (+3%), reflecting the critical importance of incident response, business continuity, and operational excellence in modern IT environments.
Domain 1 (Auditing Process) decreased from 21% to 18% (-3%), streamlining traditional audit methodology content to make room for contemporary operational concerns.
These changes mean you should allocate your study time accordingly: spend more time on Domains 4 and 5, which together represent over half the exam.
Domain 1: Information System Auditing Process (18%)
Domain 1 establishes the foundation of the IS audit profession by covering planning, execution, reporting, and follow-up activities. This domain validates your ability to conduct systematic, risk-based audits following professional standards.
Core Topics Covered
Audit Planning & Risk Assessment
Learn to develop comprehensive audit plans based on risk analysis. Understand how to define audit scope, establish objectives, identify resources needed, and create realistic timelines. This includes understanding various audit types (financial, operational, compliance, integrated) and when each applies.
Audit Standards & Methodology
Master ISACA's IS Auditing Standards (particularly S1, S2, S4, S9, S10, S12, S13, S14). Understand the systematic audit approach: planning, fieldwork, reporting, and follow-up. Know how to apply audit standards consistently across different audit engagements.
Evidence Collection Techniques
Study various evidence-gathering methods including interviews, document review, observation, testing (compliance testing, substantive testing), and data analytics. Understand evidence quality hierarchy: direct evidence > independent verification > management representation.
Data Analytics in Auditing
Familiarize yourself with how auditors leverage data analytics tools to enhance audit effectiveness. Understand sampling methodologies (statistical vs. judgmental), data extraction techniques, and continuous auditing concepts.
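To make the sampling and continuous-auditing ideas above concrete, here is an added example (not from the original guide) that runs a statistical sample, a judgmental sample and a small rule set over a constructed payment ledger. All payment records, names, the approval limit and the rules are assumptions chosen for illustration.

```python
"""Statistical vs. judgmental sampling and a continuous-auditing rule set
over a constructed payment ledger (added example; all data is invented)."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    pid: str
    vendor: str
    amount: float
    requester: str
    approver: str


# Constructed sample data: one week of vendor payments (all values invented).
LEDGER = [
    Payment("P001", "Acme Ltd", 1200.00, "jlee", "mchan"),
    Payment("P002", "Acme Ltd", 1200.00, "jlee", "mchan"),     # same vendor and amount as P001
    Payment("P003", "Globex", 48000.00, "rkim", "rkim"),       # requester approved own payment
    Payment("P004", "Initech", 530.25, "jlee", "mchan"),
    Payment("P005", "Globex", 9900.00, "rkim", "mchan"),
    Payment("P006", "Umbrella", 75000.00, "tsmith", "mchan"),  # above the assumed approval limit
    Payment("P007", "Initech", 310.00, "jlee", "mchan"),
    Payment("P008", "Acme Ltd", 2150.00, "tsmith", "mchan"),
]


def statistical_sample(items, size, seed):
    """Simple random sample: every item has the same chance of selection.

    A recorded seed makes the selection reproducible, so a reviewer can
    re-perform the sampling step from the working papers.
    """
    rng = random.Random(seed)
    return rng.sample(items, size)


def judgmental_sample(items, high_value):
    """Judgmental (non-statistical) sample: the auditor deliberately targets
    items that look risky instead of leaving selection to chance."""
    return [p for p in items if p.amount >= high_value or p.requester == p.approver]


def continuous_audit_exceptions(items, approval_limit):
    """Rules an automated control could evaluate on every ledger update.

    Returns (payment id, reason) pairs; an empty list means no exceptions.
    """
    exceptions = []
    seen = Counter((p.vendor, p.amount) for p in items)
    for p in items:
        if p.requester == p.approver:
            exceptions.append((p.pid, "self-approval breaks segregation of duties"))
        if p.amount > approval_limit:
            exceptions.append((p.pid, f"amount exceeds approval limit {approval_limit:.2f}"))
        if seen[(p.vendor, p.amount)] > 1:
            exceptions.append((p.pid, "possible duplicate payment (same vendor and amount)"))
    return exceptions


def exception_rate(sample, approval_limit):
    """Attribute-sampling result: share of sampled items with at least one exception."""
    flagged = {pid for pid, _ in continuous_audit_exceptions(sample, approval_limit)}
    return len(flagged) / len(sample) if sample else 0.0


if __name__ == "__main__":
    for p in statistical_sample(LEDGER, 3, seed=7):
        print("statistical:", p.pid)
    for p in judgmental_sample(LEDGER, high_value=40000):
        print("judgmental:", p.pid)
    for pid, reason in continuous_audit_exceptions(LEDGER, approval_limit=50000):
        print("exception:", pid, reason)
    print("exception rate over full population:", exception_rate(LEDGER, 50000))
```

The statistical sample supports a projection to the whole population; the judgmental sample does not, but it is the right tool when the objective is to look hard at the riskiest items. The rule set is what "continuous auditing" means in practice: the same tests an auditor would run once, evaluated automatically every time the data changes.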
Audit Reporting & Communication
Learn to develop clear, actionable audit reports that communicate findings, recommendations, and risks to stakeholders. Understand report structure, tone considerations, and how to present complex technical issues to non-technical audiences.
Follow-Up Procedures
Know how to verify whether management has implemented audit recommendations and whether controls remain effective over time. Understand escalation procedures when critical issues aren't addressed.
Domain 1 Study Strategy
Focus on ISACA Standards: Memorize key provisions of S1 (Audit Charter), S2 (Independence), S4 (Professional Competence), S9 (Irregularities and Illegal Acts), S10 (IT Governance), S12 (Audit Evidence), S13 (Use of Risk Assessment), and S14 (Audit Evidence).
Understand Evidence Hierarchy: Direct observation and testing provide stronger evidence than documentation review. Independent third-party confirmations trump management representations. System-generated logs are more reliable than manually maintained records.
Practice Question Analysis: This domain frequently tests your ability to identify appropriate audit procedures for specific scenarios. Practice recognizing which evidence-gathering technique best addresses particular audit objectives.
Study Time Allocation: Dedicate 25-30 hours across 2-3 weeks. Spend 40% on audit planning and standards, 35% on evidence collection and testing, 25% on reporting and follow-up.
Common Domain 1 Mistakes
Confusing Auditor vs. Management Roles: Remember that auditors assess and recommend; they don't implement controls or make management decisions. Questions deliberately blur these boundaries to test your understanding.
Forgetting Risk-Based Approach: Modern auditing prioritizes risk assessment. When questions ask about audit planning, the correct answer usually involves identifying and prioritizing risks before developing detailed procedures.
Overlooking Independence Requirements: Auditors must maintain independence in fact and appearance. Any answer suggesting the auditor implements controls, makes management decisions, or has financial interest in audit outcomes is typically wrong.
Domain 2: Governance and Management of IT (18%)
Domain 2 examines how organizations govern and manage their IT resources to support business objectives. This domain is particularly challenging for technical professionals without governance experience, as it requires thinking strategically about IT's role in the enterprise.
Core Topics Covered
IT Governance Frameworks
Master COBIT (Control Objectives for Information and Related Technologies), understanding its governance and management objectives. Know the five key governance domains and their objectives. Understand how COBIT integrates with other frameworks like ITIL, ISO standards, and NIST.
IT Strategy & Alignment
Learn how IT strategy derives from and supports business strategy. Understand strategic planning processes, how to assess IT's contribution to business value, and methods for measuring IT-business alignment (Strategic Alignment Model).
Enterprise Architecture
Study enterprise architecture frameworks (TOGAF, Zachman) and their role in aligning IT infrastructure with business needs. Understand how EA promotes standardization, reduces complexity, and enables strategic decision-making.
IT Resource Management
Cover IT investment management, portfolio management, and how organizations prioritize competing IT initiatives. Understand business case development, ROI calculations, and IT budgeting processes.
Performance Management
Learn performance measurement frameworks like Balanced Scorecard. Understand KPIs (Key Performance Indicators) vs. KGIs (Key Goal Indicators), how to develop meaningful metrics, and how dashboards communicate IT performance to stakeholders.
Risk Management
Study enterprise risk management (ERM) frameworks, risk assessment methodologies, risk appetite/tolerance concepts, and how IT risks integrate with overall enterprise risk management.
Third-Party Management
Understand vendor risk assessment, contract management, service level agreements (SLAs), and how organizations ensure third parties maintain appropriate security and controls.
Domain 2 Study Strategy
Master COBIT Framework: COBIT appears extensively in Domain 2 questions. Understand the governance vs. management distinction, the five governance objectives (Evaluate, Direct, Monitor), and how COBIT processes map to organizational objectives.
Understand Governance vs. Management: Governance = what decisions to make (board-level, strategic). Management = how to implement decisions (operational, day-to-day). Questions test whether you recognize which activities belong to which level.
Study Maturity Models: Capability Maturity Model Integration (CMMI) measures process maturity from Level 0 (incomplete) to Level 5 (optimizing). Understand characteristics of each level and how auditors assess process maturity.
Learn the Balanced Scorecard: Four perspectives: Financial, Customer, Internal Process, Learning & Growth. Understand how organizations use it to translate strategy into measurable objectives.
Study Time Allocation: Dedicate 25-30 hours across 2-3 weeks. Spend 35% on COBIT and governance frameworks, 30% on IT strategy and alignment, 20% on performance management, 15% on risk and third-party management.
Common Domain 2 Mistakes
Confusing Governance with Management: Governance establishes direction and oversight. Management executes and operates. Board approval of IT strategy = governance. Implementing approved projects = management.
Memorizing COBIT Without Understanding Application: Don't just memorize COBIT process names. Understand when and why organizations apply specific COBIT objectives. Questions present scenarios requiring you to identify which COBIT process addresses the situation.
Neglecting Business Perspective: Domain 2 tests whether you understand how IT supports business objectives, not just technical implementation. Always consider business value, strategic alignment, and stakeholder expectations.
Domain 3: Information Systems Acquisition, Development and Implementation (12%)
Domain 3, the smallest weighted domain, covers how organizations acquire, develop, test, and implement information systems. While representing only 12% of the exam, this domain is essential for understanding how controls are built into systems from inception.
Core Topics Covered
Systems Development Life Cycle (SDLC)
Master various SDLC methodologies: Waterfall (sequential phases), Agile (iterative development), DevOps (continuous integration/deployment), and Hybrid approaches. Understand when each methodology suits different project types and organizational cultures.
Project Management
Study project management fundamentals including scope management, schedule development, resource allocation, and project monitoring. Understand project governance structures and how auditors assess project health.
Requirements Definition
Learn how organizations gather, document, and validate business and technical requirements. Understand techniques like Joint Application Development (JAD), prototyping, and user story development. Know why poor requirements lead to project failure.
System Design & Development
Cover design principles, architecture patterns, database design, interface development, and how controls integrate into system design. Understand separation of duties in development teams and configuration management practices.
Testing Methodologies
Master various testing types: unit testing (individual components), integration testing (component interactions), system testing (complete system), user acceptance testing (business validation), regression testing (unchanged functionality), and performance testing (scalability).
Change Control & Configuration Management
Understand formal change management processes including change requests, impact analysis, approval workflows, testing requirements, and rollback procedures. Study configuration management databases (CMDBs) and version control systems.
System Implementation
Learn implementation approaches: parallel (old and new systems simultaneously), phased (gradual rollout), pilot (limited scope first), and direct cutover (immediate replacement). Understand data conversion, migration strategies, and post-implementation reviews.
Domain 3 Study Strategy
Focus on SDLC Fundamentals: Understand each phase's objectives, deliverables, and controls. Know that Waterfall requires complete requirements upfront while Agile embraces changing requirements. DevOps emphasizes automation and continuous delivery.
Master Testing Hierarchy: Testing progresses from unit → integration → system → UAT. Each level requires different test cases, testers, and success criteria. Understand that user acceptance testing validates business requirements, not just technical functionality.
Understand Change Control: Effective change management requires: documented change request, impact analysis, approval authority, testing in non-production, documented rollback plan, and post-implementation review. Emergency changes still require documentation even if approval is expedited.
Study Time Allocation: Dedicate 15-20 hours across 1.5-2 weeks. Spend 30% on SDLC methodologies, 25% on testing, 25% on change control, 20% on project management and requirements.
Common Domain 3 Mistakes
Confusing Testing Types: Unit testing = developers test individual components. Integration testing = test component interactions. System testing = test complete system against requirements. UAT = business users validate business needs are met.
Assuming Development = Production: Production and development environments must remain separate. Developers shouldn't have production access. Production data shouldn't exist in development (or should be sanitized). Changes must be tested before production deployment.
Neglecting Post-Implementation Review: PIR validates that systems deliver intended benefits, identifies lessons learned, and confirms project closure. Many candidates overlook this critical final phase.
Domain 4: Information Systems Operations and Business Resilience (26%)
Domain 4 is tied for the largest exam component and saw the biggest weight increase (+3%) in the August 2024 update. This domain covers day-to-day IT operations, service management, and, critically, how organizations ensure business continuity when disruptions occur. The weight increase reflects the growing importance of operational resilience in today's threat landscape.
Core Topics Covered
IT Service Management (ITSM)
Master ITIL (Information Technology Infrastructure Library) framework and its key processes: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement. Understand service desk functions, service catalog management, and how ITSM delivers consistent, measurable IT services.
Incident Management
Learn incident lifecycle: detection, logging, categorization, prioritization, investigation, resolution, and closure. Understand incident severity classifications, escalation procedures, and how organizations minimize service impact. Know the difference between incidents (unplanned interruptions) and service requests (standard user needs).
Problem Management
Study how organizations identify root causes of recurring incidents and implement permanent fixes. Understand problem vs. incident: incidents address symptoms immediately, problems identify and eliminate underlying causes. Learn about known error databases and proactive problem management.
Change Management (Operational)
Cover operational change management including standard changes (pre-approved, low-risk), normal changes (require authorization), and emergency changes (expedited but documented). Understand Change Advisory Board (CAB) functions and change windows.
Capacity & Performance Management
Understand capacity planning processes including current capacity assessment, demand forecasting, capacity modeling, and how organizations ensure adequate resources for future needs. Study performance monitoring, tuning, and how to identify capacity constraints before they impact service.
Availability Management
Learn availability concepts including uptime calculations, service level agreements (SLAs), redundancy strategies (active-active, active-passive), and how organizations design for high availability. Understand Mean Time Between Failures (MTBF) and Mean Time To Repair (MTTR).
Business Continuity Planning (BCP)
Master BCP lifecycle: business impact analysis (BIA), strategy development, plan development, testing, and maintenance. Understand Recovery Time Objective (RTO) vs. Recovery Point Objective (RPO), and how these drive continuity strategy. Study business continuity vs. disaster recovery distinctions.
Disaster Recovery (DR)
Learn DR site types: hot site (immediately available), warm site (requires setup time), cold site (empty facility requiring equipment), and cloud-based DR. Understand backup strategies (full, incremental, differential), backup rotation schemes (Grandfather-Father-Son), and offsite storage requirements.
DR Testing
Study DR test types in order of complexity: document review (least disruptive, validates plan currency) → tabletop exercise (walkthrough simulation) → parallel test (activate DR without switching production) → full interruption test (actual failover to DR, most disruptive but most realistic).
Domain 4 Study Strategy
Master ITIL Processes: Understand how each ITIL process contributes to service delivery. Focus especially on Incident, Problem, and Change Management as these appear frequently. Know that ITIL provides best practice guidance, not rigid requirements.
Understand RTO vs. RPO: RTO = maximum acceptable downtime (how long can operations be interrupted?). RPO = maximum acceptable data loss (how much data loss can be tolerated?). These metrics drive backup frequency, DR strategy, and technology investments. A 4-hour RTO requires DR capabilities that restore service within 4 hours. A 30-minute RPO requires backups at least every 30 minutes.
Study BIA Methodology: Business Impact Analysis identifies critical processes, dependencies, and recovery priorities. Understand how BIA results drive RTO/RPO targets. Questions often present BIA findings and ask you to recommend appropriate recovery strategies.
Memorize DR Testing Types: Know the progression from least to most disruptive: document review → tabletop → parallel → full interruption. Understand that most organizations perform tabletop exercises regularly (quarterly/annually) but full interruption tests rarely (every 2-3 years) due to risk and cost.
Study Time Allocation: This is the largest domain by question count. Dedicate 35-40 hours across 3-4 weeks. Spend 30% on BCP/DR (most critical), 25% on ITIL and service management, 25% on incident/problem management, 20% on capacity and availability.
Common Domain 4 Mistakes
Confusing Incident vs. Problem: Incident = resolve the immediate issue quickly (restore service). Problem = identify root cause and prevent recurrence. An incident might be "server down": fix it now. The problem might be "inadequate cooling": address that to prevent future incidents.
Misunderstanding RTO/RPO: RTO and RPO are independent targets. Low RTO doesn't automatically mean low RPO. You can restore service quickly (low RTO) but still lose significant data (high RPO) if backups aren't frequent. Understanding this distinction is crucial for exam questions.
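The RTO/RPO independence described above, and the backup types from the DR section, can be checked mechanically. The following added example (not from the guide) computes the restore chain for a constructed backup schedule, derives the data loss at a given failure time, and picks a DR site that fits the RTO. The schedule, the site recovery times and costs, and the rule that an incremental captures changes since the previous backup of any kind are all assumptions.

```python
"""RTO/RPO assessment over a constructed backup schedule and DR site catalogue
(added example; the schedule and site figures are assumptions, not from the guide)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str          # "full", "differential" or "incremental"
    taken_at: datetime


def restore_chain(backups, failure_at):
    """Backups that must be restored, in order, to reach the latest point before failure_at.

    Assumed semantics: a differential holds all changes since the last full;
    an incremental holds changes since the previous backup of any kind.
    """
    usable = sorted((b for b in backups if b.taken_at <= failure_at), key=lambda b: b.taken_at)
    chain = []
    for b in reversed(usable):
        chain.append(b)
        if b.kind == "full":
            break
        if b.kind == "differential":
            fulls = [f for f in usable if f.kind == "full" and f.taken_at < b.taken_at]
            if fulls:
                chain.append(fulls[-1])
            break
    chain.reverse()
    if not chain or chain[0].kind != "full":
        return []          # no full backup to anchor the chain: nothing can be restored
    return chain


def data_loss(backups, failure_at):
    """Time between the last restorable backup and the failure (None if unrestorable)."""
    chain = restore_chain(backups, failure_at)
    return failure_at - chain[-1].taken_at if chain else None


def assess(backups, sites, failure_at, rto, rpo):
    """Check RTO and RPO independently: a site can meet the RTO while the backup
    schedule still misses the RPO, which is the trap the section warns about."""
    loss = data_loss(backups, failure_at)
    # cheapest site whose recovery time fits inside the RTO, if any
    fitting = [(cost, name) for name, (recovery, cost) in sites.items() if recovery <= rto]
    site = min(fitting)[1] if fitting else None
    return {
        "chain": [b.kind for b in restore_chain(backups, failure_at)],
        "data_loss_hours": None if loss is None else loss.total_seconds() / 3600,
        "rpo_met": loss is not None and loss <= rpo,
        "site": site,
        "rto_met": site is not None,
    }


# Constructed schedule: weekly full on Sunday 02:00, daily incrementals at 02:00.
SCHEDULE = [Backup("full", datetime(2025, 1, 5, 2, 0))] + [
    Backup("incremental", datetime(2025, 1, day, 2, 0)) for day in (6, 7, 8)
]
# Constructed site catalogue: (time to bring service up, relative yearly cost).
SITES = {
    "hot": (timedelta(hours=1), 3),
    "warm": (timedelta(hours=8), 2),
    "cold": (timedelta(hours=72), 1),
}

if __name__ == "__main__":
    failure = datetime(2025, 1, 8, 14, 0)
    print(assess(SCHEDULE, SITES, failure, rto=timedelta(hours=2), rpo=timedelta(hours=4)))
```

For the constructed failure at 14:00 on Wednesday the hot site satisfies a 2-hour RTO, but the last restorable backup is from 02:00, so 12 hours of data are lost against a 4-hour RPO. Meeting the RPO needs a more frequent backup schedule, not a faster site.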
Overlooking DR Testing Requirements: DR plans without regular testing provide false security. Questions may describe untested plans and ask about risks. The correct answer typically emphasizes that untested plans cannot be relied upon during actual disasters.
Domain 5: Protection of Information Assets (26%)
Domain 5 remains the second-largest domain, tied with Domain 4 at 26%. This domain covers information security principles, controls, and practices essential for protecting organizational information assets. The scope is vast, encompassing access controls, cryptography, network security, physical security, and data privacy regulations.
Core Topics Covered
Information Security Frameworks
Study major security frameworks: ISO 27001/27002 (comprehensive security standards), NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), and NIST 800-53 (security controls). Understand how frameworks guide security program development and help organizations systematically address security risks.
Access Control Models & Systems
Master different access control models: Mandatory Access Control (MAC) where system enforces rules based on classification labels, Discretionary Access Control (DAC) where owners control access, Role-Based Access Control (RBAC) where permissions follow job roles, and Attribute-Based Access Control (ABAC) using multiple attributes for decisions.
Identity and Access Management (IAM)
Learn IAM components: identification (claiming identity), authentication (proving identity), authorization (granting permissions), and accountability (tracking actions). Understand multi-factor authentication (MFA), single sign-on (SSO), privileged access management (PAM), and identity lifecycle management.
Cryptography Fundamentals
Study symmetric encryption (AES, DES: same key for encryption and decryption; fast, but key distribution is a challenge), asymmetric encryption (RSA: public/private key pairs; slower, but solves key distribution), and hashing (SHA, MD5: one-way fingerprints for integrity verification). Understand digital signatures, digital certificates, and Public Key Infrastructure (PKI).
Network Security
Cover network security controls: firewalls (packet filtering, stateful inspection, application-level), intrusion detection/prevention systems (IDS/IPS), VPNs (site-to-site, remote access), network segmentation (DMZ, VLANs), and wireless security (WPA3, 802.1X authentication).
Data Protection & Classification
Understand data classification schemes (public, internal, confidential, restricted), data lifecycle management (creation, use, archival, destruction), encryption at rest and in transit, data loss prevention (DLP) technologies, and secure disposal methods.
Privacy Regulations & Compliance
Study major privacy regulations: GDPR (European data protection), CCPA/CPRA (California privacy), PIPEDA (Canadian privacy), and understand principles including lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. Learn data subject rights, privacy impact assessments, and data protection officer roles.
Physical & Environmental Security
Cover physical controls: perimeter security (fencing, gates, guards), building security (access cards, mantrap doors, CCTV), environmental controls (HVAC, fire suppression, power conditioning, UPS), and media handling (secure storage, transportation, destruction).
Security Operations
Learn security monitoring (SIEM systems), log management, vulnerability management (scanning, assessment, remediation), patch management, anti-malware technologies, and security incident response processes.
Domain 5 Study Strategy
Master the CIA Triad: Confidentiality (preventing unauthorized disclosure), Integrity (preventing unauthorized modification), Availability (ensuring authorized access when needed). Every security control serves one or more of these objectives. Questions often ask which control type protects which CIA element.
Understand Cryptography Fundamentals: Symmetric encryption uses same key for encryption/decryption (fast, but key distribution challenge). Asymmetric uses public/private key pairs (slower, but solves key distribution). Hashing creates one-way fingerprints (can't reverse to original). You won't need to perform calculations, but must understand when to use each.
Study Access Control Models: Mandatory Access Control (MAC) = system enforces rules based on labels. Discretionary Access Control (DAC) = owners control access. Role-Based Access Control (RBAC) = access based on job roles. Know when organizations should implement each model.
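The four models summarised here and described in full under "Access Control Models & Systems" above differ in who makes the decision and on what basis. This added example (not from the guide) reduces each model to a small decision function and evaluates the same request under all four so the differences are visible. The subjects, labels, ACL, roles and ABAC rule are constructed, and the MAC rules follow the Bell-LaPadula confidentiality properties (no read up, no write down), which is an assumption the section itself does not state.

```python
"""MAC, DAC, RBAC and ABAC as decision functions over constructed policy data
(added example; the Bell-LaPadula rules for MAC are an assumption)."""

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def mac_allows(subject_clearance, object_label, action):
    """MAC: the system compares fixed labels; neither the owner nor the user can override.
    Bell-LaPadula confidentiality rules: read only at or below your clearance,
    write only at or above it (so a high-clearance user cannot leak downwards)."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


def dac_allows(acl, subject, resource, action):
    """DAC: the resource owner decides; acl maps resource -> (owner, {subject: {actions}})."""
    owner, grants = acl[resource]
    return subject == owner or action in grants.get(subject, set())


def rbac_allows(role_permissions, user_roles, subject, resource_type, action):
    """RBAC: permissions attach to roles and users receive roles; no per-user grants."""
    return any((resource_type, action) in role_permissions.get(role, set())
               for role in user_roles.get(subject, ()))


def abac_allows(rules, subject_attrs, resource_attrs, env_attrs, action):
    """ABAC: each rule is a predicate over subject, resource, environment and action.
    Access is granted when any rule matches (permit-overrides, an assumption)."""
    return any(rule(subject_attrs, resource_attrs, env_attrs, action) for rule in rules)


# Constructed policy data.
SUBJECTS = {
    "alice": {"clearance": "restricted", "department": "finance"},
    "bob": {"clearance": "internal", "department": "finance"},
    "carol": {"clearance": "confidential", "department": "hr"},
}
ACL = {"budget.xlsx": ("alice", {"bob": {"read"}})}        # alice owns it, granted bob read
ROLE_PERMISSIONS = {
    "analyst": {("report", "read")},
    "admin": {("report", "read"), ("report", "write")},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"analyst"}, "carol": set()}
ABAC_RULES = [
    # staff may read their own department's data during business hours
    lambda s, r, e, a: a == "read"
    and s.get("department") == r.get("department")
    and 9 <= e.get("hour", 0) < 17,
]


def compare(subject, action, hour=10):
    """Evaluate one request under all four models on a 'confidential' finance object."""
    attrs = SUBJECTS[subject]
    return {
        "MAC": mac_allows(attrs["clearance"], "confidential", action),
        "DAC": dac_allows(ACL, subject, "budget.xlsx", action),
        "RBAC": rbac_allows(ROLE_PERMISSIONS, USER_ROLES, subject, "report", action),
        "ABAC": abac_allows(ABAC_RULES, attrs, {"department": "finance"}, {"hour": hour}, action),
    }


if __name__ == "__main__":
    for subject, action in (("bob", "read"), ("carol", "read"), ("alice", "write")):
        print(subject, action, compare(subject, action))
```

Bob's read is refused by MAC (his clearance is below the label) but allowed by the other three; Carol's read passes MAC (her clearance matches) yet fails DAC, RBAC and ABAC because nobody granted her anything; Alice's write is refused by MAC because writing down would let restricted data leak into a lower-labelled object, even though she owns the file and holds the admin role. That is the point exam questions probe: the same request gets a different answer depending on which model the organization has chosen.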
Know Defense-in-Depth: Security requires multiple layers (administrative, technical, physical). Questions test whether you understand that no single control is sufficient; organizations need layered protection strategies.
Understand GDPR Principles: Lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability. Questions may describe data handling scenarios and ask which GDPR principle is violated.
Study Time Allocation: Dedicate 35-40 hours across 3-4 weeks. This domain makes or breaks CISA success. Spend 30% on access controls and identity management, 25% on cryptography and network security, 25% on data protection and privacy, 20% on security operations and physical security.
Common Domain 5 Mistakes
Focusing on Technical Details Over Concepts: The exam tests understanding of security principles and controls, not technical implementation. You don't need to configure firewalls; you need to know what firewalls protect against and when they're appropriate.
Confusing Authentication and Authorization: Authentication verifies identity ("who are you?"). Authorization grants permissions ("what can you do?"). These are distinct security functions that work together. Multi-factor authentication strengthens identity verification, but doesn't automatically grant any permissions.
Memorizing Encryption Algorithms Without Understanding Use Cases: Don't just memorize RSA, AES, SHA. Understand when symmetric vs asymmetric encryption applies, why hashing can't be reversed, and how digital signatures provide non-repudiation.
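The use-case distinctions this paragraph (and the "Cryptography Fundamentals" topic above) ask for are easiest to see side by side: a plain hash detects modification but not substitution, a keyed hash with a shared symmetric key detects both but cannot say which key holder produced the message, and a signature made with a private key can be verified by anyone holding the public key and could only have come from the private-key holder. The following added example (not from the guide) shows all three with the Python standard library. The RSA key pair uses the classic tiny textbook primes, an assumption made so the numbers stay readable; it shows the mechanics of the key pair, nothing more.

```python
"""Hash, HMAC and textbook RSA signature side by side (added example; the RSA
parameters are the well-known tiny textbook values, an assumption for readability)."""
import hashlib
import hmac


def sha256_digest(data: bytes) -> str:
    """One-way fingerprint: same input, same digest; the digest cannot be turned
    back into the input."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Detects modification of the data, but anyone can recompute a plain hash
    for a modified file, so a bare digest says nothing about who produced it."""
    return hmac.compare_digest(sha256_digest(data), expected_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash with a shared (symmetric) secret: fast, and a modified message
    cannot be re-tagged without the key. Both parties hold the same key, so the
    tag cannot prove which of them produced the message (no non-repudiation)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_ok(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


# Textbook RSA with tiny primes (assumption: illustration of the mechanics only;
# real keys are thousands of bits long).
P, Q, E = 61, 53, 17
N = P * Q                           # public modulus, 3233
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, 2753

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def _reduced_digest(data: bytes, n: int) -> int:
    # Sign the hash of the message, not the message itself; reduce it mod n so it
    # fits the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(private_key, data: bytes) -> int:
    """Apply the private exponent to the message digest."""
    n, d = private_key
    return pow(_reduced_digest(data, n), d, n)


def rsa_verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature, and only the holder of
    the private key could have produced it, which is what gives non-repudiation."""
    n, e = public_key
    return pow(signature, e, n) == _reduced_digest(data, n)


if __name__ == "__main__":
    msg = b"approve transfer of 1000 to account 42"     # constructed message
    print("digest:", sha256_digest(msg))
    print("hmac:", hmac_tag(b"shared-secret", msg))
    sig = rsa_sign(PRIVATE_KEY, msg)
    print("signature:", sig, "verifies:", rsa_verify(PUBLIC_KEY, msg, sig))
    print("tampered verifies:", rsa_verify(PUBLIC_KEY, msg + b"0", sig))
```

Notice what each check answers: `integrity_ok` answers "has this changed since the digest was recorded?", `hmac_ok` answers "was this produced by someone holding the shared key?", and `rsa_verify` answers "was this produced by the one party holding the private key?". Only the last one can settle a later dispute about who sent the message.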
Ignoring Privacy Regulations: GDPR and privacy topics receive increased emphasis. Study privacy principles, data subject rights (access, rectification, erasure, portability, objection), and privacy impact assessment processes.
Strategic Study Priority Framework
Not all domains require equal attention. Use this prioritization framework to allocate your study time effectively based on weight, difficulty, and your background.
Highest Priority: Domains 4 & 5
Combined 52% of exam (78 questions). High difficulty. Requires deep understanding of complex topics including business continuity, disaster recovery, ITIL, cryptography, access controls, and privacy regulations. Allocate 50-55% of total study time.
Why highest priority: These domains determine pass/fail for most candidates. A 65% score on Domains 4 & 5 combined with 85% on other domains may still result in overall failure due to the weight. Master these first.
Medium Priority: Domains 1 & 2
Combined 36% of exam (54 questions). Moderate to high difficulty. Essential foundations covering audit methodology and IT governance. Allocate 35-40% of total study time.
Why medium priority: Domain 1 tests fundamental audit skills; you must understand these concepts. Domain 2 (governance) is particularly challenging for technical professionals without business strategy exposure. Both are important but weighted less than 4 & 5.
Lower Priority: Domain 3
Only 12% of exam (18 questions). Moderate difficulty. Important but smallest domain. Allocate 10-15% of total study time.
Why lower priority: Don't neglect it entirely; you still need a solid understanding of SDLC, testing, and change control. However, avoid over-investment here. Focus on fundamentals and move on to higher-weighted domains.
Cross-Domain Study Strategies
Create Domain Comparison Charts
Many concepts appear across multiple domains with subtle differences. Build comparison tables that clarify distinctions:
| Concept | Domain 1 | Domain 4 | Domain 5 |
|---|---|---|---|
| Testing | Audit testing procedures (evidence gathering) | DR plan testing (tabletop, parallel, full) | Security testing (pen testing, vulnerability scanning) |
| Controls | Audit control objectives and evaluation | Operational controls for service delivery | Security controls for asset protection |
| Risk | Audit risk assessment | Business continuity risk (disruption) | Information security risk (CIA threats) |
| Policies | Audit policies and standards | Operations and service management policies | Security and privacy policies |
Use the Layered Learning Approach
Study each domain in three passes for maximum retention and understanding:
Pass 1 - Conceptual Understanding (40% of domain time): Read the Review Manual, watch video courses, understand the "why" behind concepts. Focus on comprehension, not memorization. Build mental models of how concepts relate.
Pass 2 - Application Practice (40% of domain time): Complete practice questions, work through scenarios, test your ability to apply concepts to realistic situations. Identify weak areas that need additional review. Use wrong answers as learning opportunities.
Pass 3 - Memorization & Refinement (20% of domain time): Create flashcards for terms and frameworks, memorize key standards and acronyms, review your wrong-answer log, polish your weakest topics. This pass transforms understanding into exam-ready knowledge.
Build Your "Auditor Mindset"
CISA questions test your ability to think like an auditor. When approaching questions across all domains:
- Prioritize risk-based approaches over exhaustive comprehensive reviews
- Choose systematic methodology over quick tactical fixes
- Favor formal processes and documentation over informal practices
- Select preventive controls over detective controls when both options are present
- Prefer stakeholder communication over working in isolation
- Remember independence requirements in all audit scenarios
Final Domain Strategy Insight
Success on the CISA exam requires more than domain knowledge; it requires strategic prioritization. Candidates who pass allocate study time proportionally to domain weights while accounting for personal strengths and weaknesses. Use practice exams to identify your weak domains early, then invest disproportionate time in those areas.
Critical truth: A 70% score in Domains 4 and 5 combined with 85% in smaller domains can still result in overall failure. Master the high-weight domains first, then build competence in lighter-weighted areas. Don't fall into the trap of perfecting domains you already understand while avoiding challenging material.
Remember: the exam tests your judgment as much as your knowledge. Learn to think systematically, follow established frameworks, and apply risk-based decision-making across all five domains. Understanding ISACA's perspective, how auditors should think and approach problems, is often more valuable than memorizing technical details.