Learn What to Study for the ISACA CISA Examination

The CISA (Certified Information Systems Auditor) designation is obtained by passing the CISA exam, which is administered by the ISACA (Information Systems Audit and Control Association), and by meeting several other experience-related criteria. Thus, while anyone can take the CISA exam, in order to become certified, one must both pass the exam and have five years of information systems auditor experience. In some cases, fewer than five years experience in the field may be acceptable (e.g., candidates with a relevant bachelor’s or master’s degree can substitute their course work for one to three years of work experience). Whatever your background, however, you must adhere to ISACA’s Code of Professional Ethics and commitment to continuing professional education.

On the CISA exam, test takers should be prepared to respond to questions falling under five domains or content areas. Under each content area, they will be asked to respond to both task and knowledge questions. As a result, the best way to prepare is to possess a combination of relevant work experience and book-based knowledge. The five content areas that appear on the exam each carry a different weight and include the following:

• The Process of Auditing Information Systems (21%)
• Governance and Management of IT (16%)
• Information Systems Acquisition, Development and Implementation (18%)
• Information Systems Operations, Maintenance and Service Management (20%)
• Protection of Information Assets (25%)

To take the exam, candidates will need to visit the ISACA website. Candidates have four hours to complete 150 questions. Results are presented as a scaled score ranging from 200 to 800. A score of 450 or higher is considered a passing grade.

Content Area 1: The Process of Auditing Information Systems (21%)

The first content area focuses on the process of auditing information systems. Divided into task and knowledge statements, under this content area, test takers should be prepared to respond to a range auditing questions.

Specifically, candidates should possess the ability to:

• Execute a risk-based IS audit strategy in compliance with IS audit standards to ensure that key risk areas are audited.
• Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
• Conduct audits in accordance with IS audit standards to achieve planned audit objectives.
• Communicate audit results and make recommendations to key stakeholders through meetings and audit reports to promote change when necessary.
• Conduct audit follow-ups to determine whether appropriate actions have been taken by management in a timely manner.

Candidates should also demonstrate knowledge of:

• ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
• Risk assessment concepts and tools and techniques used in planning, examination, reporting and follow-up
• Evidence collection techniques used to gather, protect and preserve audit evidence
• Sampling methodologies and other substantive/data analytical procedures
• Knowledge of various types of audits and methods for assessing and placing reliance on the work of other auditors or control entities
• Audit quality assurance (QA) systems and frameworks
• Fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) and the role of IS in these processes
• Control principles related to controls in information systems
• Risk-based audit planning and audit project management techniques, including follow-up
• Applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits

Content Area 2: Governance and Management of IT (16%)

The second content area or domain covered on the CISA exam focuses on governance and management issues (e.g., the ability to provide leadership and ensure organizational structures and policies uphold key IT strategies across one’s organization).

Among other tasks, candidates should possess the ability to:

• Evaluate the IT strategy, including IT direction, and the processes for the strategy’s development, approval, implementation and maintenance for alignment with the organization’s strategies and objectives.
• Evaluate the effectiveness of the IT governance structure to determine whether IT decisions, directions and performance support the organization’s strategies and objectives.
• Evaluate IT organizational structure and human resources (personnel) management to determine whether they support the organization’s strategies and objectives.
• Evaluate the organization’s IT policies, standards and procedures, and the processes for their development, approval, release/publishing, implementation and maintenance to determine whether they support the IT strategy and comply with regulatory and legal requirements.
• Evaluate IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization’s policies, standards and procedures.
• Evaluate monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.

In addition, CISA candidates should possess a thorough knowledge of:

• The purpose of IT strategy, policies, standards and procedures for an organization and the essential elements of each
• IT governance, management, security and control frameworks, and related standards, guidelines, and practices
• Organizational structure, roles and responsibilities related to IT, including segregation of duties (SoD)
• Organization’s technology direction and IT architecture and their implications for setting long-term strategic directions
• Processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures

Content Area 3: Information Systems Acquisition, Development and Implementation (18%)

The third content area on the CISA exam tests candidates understanding and knowledge of how to develop, purchase and implement an IT system that meets an organization’s broader needs and goals. Specific areas of knowledge include working with appropriate vendors, coordinating IT implementation teams, and assessing systems for potential risks. Like the other four areas on the exam, the third content area includes both task and knowledge related questions.

Specifically, candidates should possess the ability to:

• Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether the business case meets business objectives.
• Evaluate IT supplier selection and contract management processes to ensure that the organization’s service levels and requisite controls are met.
• Evaluate the project management framework and controls to determine whether business requirements are achieved in a cost-effective manner while managing risk to the organization.
• Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation, and has timely and accurate status reporting.
• Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization’s policies, standards, procedures and applicable external requirements.
• Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization’s requirements are met.
• Conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization’s requirements are met.

To pass this part of the CISA exam, candidates must also be prepared to demonstrate, among other key areas knowledge, a thorough understanding of:

• Benefits realization practices
• IT acquisition and vendor management practices
• Project governance mechanisms (e.g., steering committees)
• Project management control frameworks, practices, and tools
• Risk management practices applied to projects
• Requirements analysis and management practices
• Control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data
• System migration and infrastructure deployment practices and data conversion tools, techniques, and procedures

Content Area 4: Information Systems Operations, Maintenance and Service Management (20%)

The fourth content area on the CISA exam focuses on task and knowledge areas concerned with the operation, maintenance and service of information systems. A blueprint of the key skills and knowledge fields required to ace this part of the exam are detailed below.

On the task side, candidates will be expected to demonstrate a capacity to:

• Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.
• Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives within the enterprise architecture (EA).
• Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue to support the organization’s objectives.
• Evaluate database management practices to determine the integrity and optimization of databases
• Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.
• Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization’s objectives.

Key areas of knowledge on this part of the exam include but are not limited to:

• Service management frameworks
• Service management practices and service level management
• Enterprise architecture (EA)
• System resiliency tools and techniques (e.g., fault-tolerant hardware, elimination of single point of failure, clustering)
• IT asset management, software licensing, source code management and inventory practices
• Control techniques that ensure the integrity of system interfaces
• Data backup, storage, maintenance and restoration practices
• Database management and optimization practices

Content Area 5: Protection of Information Assets (25%)

The final and most heavily weighted area of the exam focuses on the protection of information assets. Questions on this part of the exam cover everything from design to access controls to encryption.

There are six key tasks in which CISA candidates must demonstrate a high level of competency. These tasks include the ability to evaluate the following:

• Information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
• The design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
• The design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity, and availability of information.
• The design, implementation, and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.
• The processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
• The information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.

On the final and most extensive part of the CISA exam, candidates must also demonstrate their understanding of 26 knowledge areas, including but not limited to the following:

• Privacy principles
• Techniques for the design, implementation, maintenance, monitoring and reporting of security controls
• Logical access controls for the identification, authentication and restriction of users to authorized functions and data
• Security controls related to hardware, system software (e.g., applications, operating systems) and database management systems.
• Network and Internet security devices, protocols and techniques
• Prevention and detection tools and control techniques
• Security testing techniques
• Information system attack methods and techniques
• Fraud risk factors related to the protection of information assets
• Methods for implementing a security awareness program

Need some practice before taking the CISA? Download Pocket Prep’s CISA Exam Prep App to study anywhere, anytime on your mobile device. We also highly recommend purchasing the CISA Review Manual, 26th Edition for additional reference.