5 CISA Domains Explained (Ace Exam in 2024)

CISA Domains

CISA is divided into five knowledge domains, each covering different but overlapping areas of IT auditing. Preparing for each domain is crucial for understanding everything you need to pass the CISA exam.

Getting a Certified Information Systems Auditor (CISA) certification is one of the first things you should consider if you want to move into an IT auditing career because it shows employers you know how to apply your IT and cyber security skills to auditing. 

So, if you want to be an auditor, nailing these domains is key.

Below, we’ve explained each of the CISA domains and how it’s weighted in the exam. We’ve also given you a couple of practice questions for each domain so you can better understand what the CISA exam will be like.

If you’re ready, let’s jump into it. 

About the CISA Exam

CISA is a certification offered by the Information Systems Audit and Control Association (ISACA) that aims to validate a student’s ability to conduct an IS or IT audit. 

It’s designed primarily for IT auditors, information security professionals, risk managers, and those working in IT control (i.e., IT policy and procedure).

Obtaining your CISA certification should demonstrate to employers that you can assess whether an organization’s information system adheres to its own program and policies, as well as rules, regulations, and best practices. 

It’s a great certification to pick up to progress your IT career.

To become CISA certified, you must pass the four-hour CISA exam and demonstrate five years of work experience in information security, system audit, control, or assurance. Two of these must be in roles directly related to one or more of the five CISA exam domains.

You’ll be tested on the following areas:

Here are the most important details to know about the CISA test:

Length4 hours (240 minutes)
Number of questions150
Question typesMultiple-choice, knowledge-based
Passing grade450/800
Initial cost$760 (non-member)/$575 (member)

ISACA CISA Exam Domain Weighting

Topics for each of the five CISA domains don’t show up equally in the exam. In particular, the CISA exam focuses more on Domains 4 and 5 than other domains.

1. Information System Auditing Process18%
2. Governance and Management of IT18%
3. Information System Acquisition, Development, and Implementation12%
4. Information Systems Operations and Business Resilience26%
5. Protection of Information Assets26%

Curious about how CISA stacks up against other popular certifications? Check out our comparisons:

CISM vs CISA: Which Is Best for Your Career?

CISSP vs CISA: Which Certification Is Best for You?

CISA Domains

Domain 1: Information System Auditing Process

The first domain covers the basics of IT auditing, from the auditing process to assurance standards and best practices. 

It aims to validate your ability to assess an organization’s information security, control, and risk practices and procedures according to standardized auditing guidelines and methods.

For this domain, you’ll learn how to plan an appropriate audit based on common auditing standards and procedures, as well as the needs of the organization you’re auditing.

In the CISA exam, you can expect Domain 1 questions to cover topics such as different types of audits, evidence-collection techniques, auditing standards, and audit reports. 

This domain accounts for 18% of CISA exam content, and is split into two broad sections: (A) Planning, and (B) Execution.

Here are some key terms to remember:

  • IAR: Information Asset Register
  • RACE Matrix: Risk Assessment and Control Evaluation Matrix
  • COBIT: Control Objectives for Information and Related Technologies
  • DRP: Disaster Recovery Plan
  • GDPR: General Data Protection Regulation

Example questions from this domain (answer key follows):


  1. Evaluating business processes. The other answers are steps in the risk analysis process but are accomplished only after business processes are evaluated, and the purpose and importance of business activities are determined.
  2. Operational audit. Though similar in processes and procedures, the other answers do not specifically focus on the IS management of a business process.

Domain 2: Governance and Management of IT

The second domain validates a candidate’s ability to recognize good IT governance and management structures and practices and assess how well an organization is structured. This includes governance procedures, policies, and leadership.

For this domain, you’ll learn what makes for an efficient and effective organizational structure and what makes for good governance from managers and managerial teams.

Thinking of getting into security management? Check out our guide on The Best Security Management Certificates for You.

Domain 2 questions will cover topics such as organization structure, resource management, organizational maturity, and IT quality assurance.

This domain accounts for 18% of CISA exam content, and is split into two broad sections: (A) IT Governance, and (B) IT Management.

Here are some key terms to remember:

  • BSC: Balanced Scorecard
  • MEI: Management Effectiveness Inspection
  • COSO: Committee of Sponsoring Organizations
  • ITG: IT Governance
  • ITIL: Information Technology Infrastructure Library
  • CMMI: Capability Maturity Model Integration

Example questions from this domain (answer key follows):


  1. Capability Maturity Model Integration (CMMI). CMMI is an integrated capability maturity model that measures the maturity level of an organization’s process. The other frameworks are not used to measure maturity.
  2. Balanced scorecard. A balanced scorecard is a tool that measures the performance of an organization in four key areas. The other activities are used for other purposes.

Domain 3: Information System Acquisition, Development, and Implementation 

The third domain validates a candidate’s ability to discern how well an organization’s information system choices align with the organization’s goals. This includes managerial decisions such as which project management frameworks to follow and what type of software subscriptions to use to aid business objectives.

For this domain, you’ll learn all about project management roles, implementations, and practices, as well as the business application systems and methods best used to drive companies towards their goals.

In the CISA exam, you can expect Domain 3 questions to cover topics such as project management methodologies, infrastructure deployment practices, and control designs.

This domain accounts for 12% of CISA exam content, and is split into two sections: (A) Information Systems Acquisition and Development and (B) Information Systems Implementation.

Here are some key terms to remember:

  • Agile: A kind of continuous development framework
  • PMI: Project Management Institute
  • SDLC: Software Development Lifecycle
  • SaaS: Software as a Service
  • WBS: Work Breakdown Structure

Example questions from this domain (answer key follows):


  1. Delivering the raw information to someone else to process and then purchasing the results. The others are alternatives when making a “make versus buy” decision on software applications. The first answer is not normally an option, as there may be regulatory and intellectual property issues with delivering raw information to a third party and then purchasing the processed results.
  2. Contractually link service quality to payments for service. Although none of the other answers is the best, all are nevertheless essential for a contract with an offshore service provider.

Domain 4: Information Systems Operations and Business Resilience

The fourth domain validates a candidate’s ability to assess the effectiveness and efficiency of an organization’s operational structure and policies which should ensure a secure and continuous flow of information. 

In other words, this domain validates a candidate’s ability to audit how well an organization can ensure business continuity by responding to problems and ensuring continuous and efficient operation.

You can expect Domain 4 questions to cover topics such as data governance, incident response and management, database management, and disaster recovery plans. 

Domain 4 questions are the most common in the CISA exam, along with Domain 5, so it’s important to know this material. 

This domain accounts for 26% of CISA exam content and is split into two sections: (A) Information Systems Operations and (B) Business Resilience.

Here are some key terms to remember:

  • ITSM: IT Service Management
  • SLA: Service Level Agreement
  • KEDB: Known Error Database
  • SIP: Service Improvement Plan
  • BCP: Business Continuity Plan

Example questions from this domain (answer key follows):


  1. Application portfolio. The CIO needs to create an application portfolio to catalog, manage, and measure applications in the environment. A project portfolio is used to track projects. A CMDB is a repository for every component in an environment that contains information on every configuration change made on those components. A data dictionary is a set of data in a database management system that describes the structure of databases stored there.
  2. Scheduled downtime. Downtime for any hardware undergoing preventive maintenance must be planned for in advance. Normally, data backup and restore issues occur if maintenance is unplanned following a hardware failure. Server failover is normally not affected by planned preventive maintenance.

Domain 5: Protection of Information Assets

The fifth domain validates a candidate’s ability to assess an organization’s information-safeguarding policies and processes. This includes not only an organization’s ability to protect against unauthorized access or accidental data loss or destruction but also whether its IS practices adhere to privacy laws and regulations.

In the CISA exam, you can expect Domain 5 questions to cover topics such as public key infrastructure (PKI), network security, Internet-of-Things (IoT) security, and organizational security awareness.

Alongside Domain 4, this domain accounts for the most material in the exam, so it’s important to understand this domain well.

This domain accounts for 26% of the CISA exam content and is divided into two sections: (A) Information Asset Security and Control and (B) Security Event Management.

Here are some key terms to remember:

  • ISP: Information Security Policy
  • PKI: Public Key Infrastructure
  • IDS: Intrusion Detection System
  • IAM: Identity and Access Management
  • ITAM: Information Technology Asset Management

Example questions from this domain: (answer key follows)


  1. Detective and deterrent. Video surveillance is both a detective control (because it can record unwanted activity) and a deterrent control (because its presence may deter unwanted activity).
  2. Use the maximum signal strength possible. The other answers are all good practices for securing a wireless network. Using the maximum signal strength extends the wireless network unnecessarily, which can increase security risk.


The CISA exam’s five domains cover content that tests your IT auditing knowledge across various areas, from the basic information systems auditing process to organizational structure and data loss prevention. 

An IT auditor is often expected to recommend improvements for an organization’s entire operational, managerial, and procedural IS policies and practices, so the CISA exam covers a broad range of IT auditing material.

Learning all this material requires more than study time. It also requires focus, diligence, and sustained motivation. 

This is where the StationX Accelerator Program can help. In addition to the 1,000+ tests, courses, and labs it provides, it also gives you access to mentorship and discussion forums to help keep you on track and motivated in your journey toward becoming CISA-certified

To dive in right away, consider one of the following CISA courses:

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Jacob Fox

    Jacob is a professional technology writer, academic researcher, and cyber security buff. When he's not working towards his PhD in philosophy, he's writing about the latest computer hardware developments or fiddling with his most recent technology impulse buy. If you'd like to talk tech or writing with Jacob, you can contact him or connect with him on LinkedIn.