Complete CISA Exam Guide 2025

Last updated: January 8, 2025

The Certified Information Systems Auditor (CISA) exam is one of the most respected credentials in IT audit and information security. This comprehensive guide covers everything you need to know about the CISA exam format, content, registration process, and preparation strategies to pass on your first attempt.

CISA Exam Format and Structure

The CISA exam consists of 150 multiple-choice questions that must be completed within 4 hours (240 minutes). This gives you approximately 1.6 minutes per question, though you'll likely spend more time on complex scenario-based questions and less on straightforward recall questions. The exam uses computer-based testing (CBT) at Pearson VUE centers worldwide, with an intuitive interface that allows you to flag questions for review and navigate freely between questions.

Scoring System

CISA uses a scaled scoring system ranging from 200 to 800 points. You need a minimum scaled score of 450 to pass. The scaled scoring accounts for question difficulty—harder questions contribute more to your score than easier ones. This means you don't need to answer 75% of questions correctly; the actual percentage required varies based on which specific questions you answer correctly. ISACA doesn't publish raw score to scaled score conversion tables, so focus on thorough preparation rather than trying to calculate minimum passing percentages.

Question Types

All 150 questions are multiple-choice with four answer options (A, B, C, D). Questions fall into two categories:

• Knowledge-based questions: Test your recall of specific frameworks, processes, definitions, and best practices. Example: "What is the primary purpose of a business impact analysis (BIA)?"
• Scenario-based questions: Present a situation and ask you to apply audit principles to determine the best course of action. Example: "An auditor discovers that database administrators have access to modify audit logs. What should the auditor recommend first?"

Scenario questions typically comprise 60-70% of the exam and require deeper understanding than simple recall. Our CISA Review Manual includes 500+ practice questions with both types to build your pattern recognition skills.

CISA Exam Domains and Weighting

The exam covers five domains with specific percentage weights that determine how many questions come from each area:

1. Information System Auditing Process (21%): ~32 questions covering audit planning, risk assessment, evidence collection, and reporting
2. Governance and Management of IT (17%): ~26 questions on IT governance, strategic planning, and organizational structure
3. Information Systems Acquisition, Development and Implementation (12%): ~18 questions about SDLC, project management, and change control
4. Information Systems Operations and Business Resilience (23%): ~35 questions on IT operations, incident management, and business continuity
5. Protection of Information Assets (27%): ~41 questions covering information security, access controls, and encryption

Notice that Domains 4 and 5 together account for 50% of the exam (76 questions). Prioritize these high-weight domains in your study plan while ensuring you don't completely neglect lower-weight areas.

Registration and Scheduling

CISA exams are offered year-round at Pearson VUE testing centers in three testing windows:

• February 1 - May 15
• June 1 - September 15
• October 1 - January 15

Registration Process

1. Create an account at isaca.org
2. Complete the exam registration form and pay the exam fee
3. Receive a confirmation email with your authorization to test
4. Schedule your exam appointment at a Pearson VUE center through the ISACA website
5. Receive appointment confirmation with center location and check-in requirements

Exam Fees

• ISACA Members: $575
• Non-members: $760

The $185 savings for members means that joining ISACA ($135 annual membership) actually saves you $50 on the exam fee, plus you get access to member resources and discounts on other ISACA certifications.

Exam Day: What to Expect

Arrive at the testing center 30 minutes before your scheduled appointment. You'll need to present two forms of identification (one government-issued photo ID and one secondary ID with your name). The testing center will provide a locker for personal belongings—you cannot bring anything into the testing room except your ID.

Testing Environment

You'll be seated at a computer workstation in a proctored room with other test-takers (possibly taking different exams). The proctor will provide scratch paper and pencils for calculations or notes. You can request additional scratch paper during the exam if needed. The testing software includes a basic calculator, though most CISA questions don't require calculations.

During the Exam

• Pace yourself: With 240 minutes for 150 questions, aim to complete 37-38 questions per hour
• Flag difficult questions: Don't get stuck on hard questions—flag them and return after completing easier ones
• Read carefully: Pay attention to qualifiers like "FIRST," "BEST," "PRIMARY," and "MOST important"
• Eliminate wrong answers: If unsure, eliminate obviously incorrect options to improve your odds
• Trust your preparation: Your first instinct is usually correct—only change answers if you're certain

Breaks

You can take breaks during the exam, but the clock continues running. Most candidates take one 5-10 minute break around the halfway point (after 75 questions) to refresh mentally. Use the restroom, stretch, and have a snack if needed, but remember you're losing testing time.

Results and Score Reporting

You'll receive a preliminary pass/fail result immediately upon completing the exam. The testing center will print a score report showing your scaled score and performance by domain. Official results are typically available in your ISACA account within 5-7 business days.

If you pass, congratulations! You can begin the certification application process (requires documenting 5 years of work experience). If you don't pass, the score report shows which domains need improvement. You can retake the exam after a 30-day waiting period—use this time to focus on weak areas identified in your score report.

Preparation Timeline

Most working professionals need 3-5 weeks of focused study (2-3 hours daily) to pass CISA on their first attempt. This timeline assumes you have relevant IT experience and use quality study materials. Our recommended preparation approach:

Week 1-2: High-Weight Domains

Focus on Domains 4 and 5 (Operations/Resilience and Protection of Information Assets) since they comprise 50% of the exam. Master key concepts, frameworks, and best practices in these areas. Complete domain-specific practice questions to identify weak spots.

Week 3: Remaining Domains

Cover Domains 1-3 (Audit Process, Governance, and Acquisition/Development). While lower-weight, these domains still contribute 50% of your score. Don't skip them entirely or you'll leave points on the table.

Week 4: Integration and Review

Take full-length practice exams under timed conditions. Review incorrect answers to understand why you missed them. Focus final study time on your weakest domains identified through practice exams. Review rapid review cheat sheets the night before your exam.

Key Success Factors

• Use current materials: The 2025 exam includes updated content on cloud auditing, AI governance, and remote work security. Outdated study guides miss these topics.
• Practice with realistic questions: Scenario-based questions require application skills you can only develop through practice.
• Follow a structured plan: Random, unstructured study leads to gaps in coverage. Use a daily study plan that ensures comprehensive domain coverage.
• Focus on high-weight domains: Allocate study time proportionally to exam weights—don't spend equal time on all domains.
• Understand frameworks: CISA heavily tests frameworks like COBIT, ITIL, and ISO standards. Know their purposes, components, and applications.

← Back to Home