ISACA CISA Study Guide
The ISACA Certified Information Systems Auditor (CISA) exam validates expertise in auditing, controlling, and securing an organization's information systems across the full audit lifecycle - planning, governance, system acquisition and development, operations and resilience, and asset protection. It is aimed at IS auditors, audit managers, IT consultants, and compliance and security professionals who assess and assure technology controls. The 150-question exam runs 240 minutes, uses a scaled passing score of 450 on a 200-800 scale, and weights five practice domains.
Domain 1: Information Systems Auditing Process
- Risk-based audit planning directs audit effort toward areas of highest inherent and residual risk; it is the primary basis for scoping and prioritizing engagements rather than auditing everything equally.
- A control objective states the desired risk-mitigation outcome (what you want to achieve); a control is the specific mechanism, technology, or procedure implemented to achieve that objective.
- Auditor independence and objectivity are foundational; an auditor must not audit an area where they have a financial interest, prior operational role, or other conflict of interest that could bias conclusions.
- A compensating control is an alternative safeguard deployed when the preferred control is not feasible (e.g., due to cost or staffing) yet still reduces risk to an acceptable level - common where segregation of duties cannot be fully achieved.
- Preventive controls stop incidents before they occur (e.g., access restrictions); detective controls identify incidents during or after they occur (e.g., logs, reconciliations); corrective controls restore normal operation after an incident.
- Audit evidence must be sufficient, reliable, relevant, and useful; evidence obtained directly by the auditor from independent, objective sources is more reliable than evidence supplied by the auditee.
- A finding documents the condition and associated risk; a recommendation proposes the corrective action - the two are reported separately so management owns the remediation decision.
- When a significant deficiency is found, document it with supporting evidence (condition, criteria, cause, effect) and report it to appropriate management with recommendations.
- Statistical (random) sampling lets the auditor project results to the whole population with a quantifiable confidence level; non-statistical (judgmental) sampling relies on auditor judgment and cannot be statistically projected.
- Computer-assisted audit techniques (CAATs) and data analytics enable testing of entire populations rather than samples - for example, analyzing all billing or transaction data for anomalies.
- Continuous auditing/monitoring uses automated, near-real-time testing of controls and transactions, enabling earlier detection of exceptions than periodic point-in-time audits.
- If fraud or irregularity is suspected, report it through channels defined in the audit charter and avoid tipping off the suspects so evidence is not destroyed.
- The audit charter is the formal document, approved by senior management or the board, that grants the audit function its authority, scope, and responsibility.
- Materiality in IS auditing considers the potential impact of a control weakness on the organization, not just monetary value - small technical gaps can be material if they expose critical systems.
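The full-population testing described under CAATs above, as an added worked example (this is illustrative code written for this guide, not ISACA material or any vendor's tool). It runs three common audit tests over a constructed ledger: a segregation-of-duties check (the same person initiated and approved a payment), a duplicate-payment check (same vendor and invoice paid twice), and a split-transaction check (several same-day payments to one vendor, each under the approval limit but together above it). The transactions, user names and the 5,000 approval limit are assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample population (not real data). Every record is tested,
# which is the point of a CAAT: no sampling, no projection needed.
TRANSACTIONS = [
    {"id": "T001", "vendor": "Acme", "invoice": "INV-100", "amount": 4800.0,
     "initiator": "alice", "approver": "bob", "date": date(2024, 3, 4)},
    {"id": "T002", "vendor": "Acme", "invoice": "INV-101", "amount": 4700.0,
     "initiator": "alice", "approver": "bob", "date": date(2024, 3, 4)},
    {"id": "T003", "vendor": "Acme", "invoice": "INV-102", "amount": 4900.0,
     "initiator": "alice", "approver": "bob", "date": date(2024, 3, 4)},
    {"id": "T004", "vendor": "Globex", "invoice": "INV-200", "amount": 1200.0,
     "initiator": "carol", "approver": "carol", "date": date(2024, 3, 5)},
    {"id": "T005", "vendor": "Initech", "invoice": "INV-300", "amount": 250.0,
     "initiator": "dave", "approver": "erin", "date": date(2024, 3, 6)},
    {"id": "T006", "vendor": "Initech", "invoice": "INV-300", "amount": 250.0,
     "initiator": "dave", "approver": "erin", "date": date(2024, 3, 9)},
]

# Assumed single-approver limit; payments at or above it need a second approval.
APPROVAL_LIMIT = 5000.0


def sod_violations(txns):
    """Segregation of duties: the same person must not both initiate and approve."""
    return [t["id"] for t in txns if t["initiator"] == t["approver"]]


def duplicate_payments(txns):
    """Same vendor and invoice number paid more than once."""
    seen = defaultdict(list)
    for t in txns:
        seen[(t["vendor"], t["invoice"])].append(t["id"])
    return [ids for ids in seen.values() if len(ids) > 1]


def split_transactions(txns, limit=APPROVAL_LIMIT):
    """Several same-day payments to one vendor by one initiator, each below the
    limit but summing to at least the limit: the classic way to dodge a
    second-approval control."""
    groups = defaultdict(list)
    for t in txns:
        if t["amount"] < limit:
            groups[(t["vendor"], t["initiator"], t["date"])].append(t)
    return [
        [t["id"] for t in group]
        for group in groups.values()
        if len(group) > 1 and sum(t["amount"] for t in group) >= limit
    ]


def run_caat(txns):
    """Run every test over the whole population and return the exceptions."""
    return {
        "sod": sod_violations(txns),
        "duplicates": duplicate_payments(txns),
        "splits": split_transactions(txns),
    }


if __name__ == "__main__":
    for test, hits in run_caat(TRANSACTIONS).items():
        print(f"{test}: {hits}")
```

Each exception list is a lead for the auditor to follow up with evidence, not a conclusion: a duplicate invoice number may be a legitimate re-issue, and a split pattern may have a business reason, so the output feeds the condition/cause/effect write-up rather than replacing it.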
Domain 2: Governance and Management of IT
- The primary goal of IT governance is to ensure IT aligns with and advances business objectives while IT-related risks and resources are managed appropriately - it is a board and senior-management responsibility.
- Segregation of duties divides critical tasks (initiate, approve, execute, record) so no single individual can both commit and conceal fraud or error.
- An IT steering committee, composed of senior business and IT leaders, provides strategic oversight and aligns IT investments and priorities with business strategy.
- Policies, standards, defined roles/responsibilities, and oversight form the control framework; policies and procedures serve as the criteria against which auditors evaluate actual practice.
- Key performance indicators (KPIs) measure how well objectives are met; key risk indicators (KRIs) provide early warning of rising risk exposure.
- Maturity/capability models such as CMMI rate process maturity on a graduated scale (typically Level 1 initial/ad-hoc through Level 5 optimizing) to guide continuous improvement.
- An acceptable use policy (AUP) defines permitted and prohibited use of organizational IT resources by users.
- For outsourced/third-party services, governance relies on contractual controls, SLAs, and a right-to-audit clause to retain assurance over the provider.
- Service level agreements (SLAs) set measurable, enforceable performance targets (availability, response time) that can be monitored against actual delivery.
- Enterprise architecture aligns individual project designs to a coherent strategic blueprint, reducing redundancy, technical debt, and integration conflicts.
- Centralized IT governance improves standardization and control but can reduce business-unit agility; federated governance increases agility at the cost of consistency.
- A data governance program establishes an authoritative source of record and clear ownership to prevent conflicting data, improve quality, and clarify accountability.
- COBIT is ISACA's framework for governance and management of enterprise IT, distinguishing governance (evaluate, direct, monitor) from management (plan, build, run, monitor).
- Cloud governance requires defining shared-responsibility boundaries with the provider and establishing a landing zone with baseline guardrails, approved service catalogs, and mandatory resource tagging by cost center.
Domain 3: Acquisition, Development and Implementation
- Building and verifying controls early in the SDLC is far cheaper and more effective than retrofitting them; the cost to fix a defect rises dramatically the later it is found.
- User acceptance testing (UAT) is the final test phase, performed by business users to confirm the system meets documented business requirements and is fit for use before production go-live.
- A post-implementation review evaluates, after the system has run long enough to generate meaningful data, whether the project met its objectives and captures lessons learned.
- Formal change management (documented approval, testing, and separation of development, test, and production environments) ensures that only authorized, tested changes reach production; developers should not be able to promote their own code into production.
- For COTS/third-party software the auditor's key concern is due diligence: vendor financial stability, security, support and maintenance arrangements, escrow, and contractual SLAs.
- Referential integrity is enforced with foreign key constraints (e.g., FOREIGN KEY (cust_id) REFERENCES customers(id)) so child records cannot reference nonexistent parents.
- Database performance is improved by appropriate indexing on frequently queried columns and by materialized views/precomputed aggregates for expensive recurring queries.
- Scalability is achieved through horizontal scaling of stateless components behind a load balancer and asynchronous processing via message queues for spiky workloads.
- Infrastructure as code (version-controlled, reviewed templates) makes environment provisioning consistent, repeatable, and auditable.
- Secure development pipelines run static application security testing (SAST) on each commit and software composition analysis (SCA) in the build, which checks third-party dependencies against known CVEs and fails the build on policy violations.
- Branch protection rules requiring pull-request review and passing status checks enforce code review and prevent unreviewed changes from merging.
- Resilience patterns include circuit breakers (stop cascading calls to a failing dependency) and bulkhead isolation (confine failures to a subset of resources).
- Safer release strategies include blue-green deployment (instant rollback to the prior environment) and canary release (expose the new version to a small subset of traffic first).
- Microservices improve independent scalability and deployability but add operational and distributed-system complexity, while a monolith is simpler to operate but harder to scale in parts; an API gateway centralizes cross-cutting concerns like authentication, rate limiting, and routing.
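The referential-integrity point above, as an added worked example (written for this guide, not taken from ISACA or any product documentation). It uses Python's built-in sqlite3 module so it runs offline; the tables, the sample customer row and the ON DELETE RESTRICT clause are assumptions that extend the FOREIGN KEY clause shown in the list. The practitioner caveat it demonstrates is that a constraint can exist in the schema yet not be enforced: SQLite leaves foreign-key enforcement off per connection unless PRAGMA foreign_keys = ON is issued, so an auditor should check both the setting and the data with an orphan query rather than trusting the DDL.

```python
import sqlite3

# Assumed schema for the example; orders.cust_id must point at an existing customer.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE orders (
    id      INTEGER PRIMARY KEY,
    cust_id INTEGER NOT NULL,
    total   REAL NOT NULL CHECK (total >= 0),
    FOREIGN KEY (cust_id) REFERENCES customers(id) ON DELETE RESTRICT
);
-- Index the foreign-key column: it is used on every join and parent lookup.
CREATE INDEX idx_orders_cust_id ON orders(cust_id);
"""


def open_db(enforce_fk: bool = True) -> sqlite3.Connection:
    """Build the schema in memory, optionally with FK enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    # SQLite compiles FK support in but DISABLES it per connection by default;
    # without this pragma the constraint above is silently ignored.
    if enforce_fk:
        conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers (id, name) VALUES (1, 'Acme')")  # constructed row
    conn.commit()
    return conn


def fk_enforcement_enabled(conn: sqlite3.Connection) -> bool:
    """Audit check: is the engine actually enforcing foreign keys on this connection?"""
    return conn.execute("PRAGMA foreign_keys").fetchone()[0] == 1


def insert_order(conn, order_id: int, cust_id: int, total: float) -> bool:
    """Return True if the child row was accepted, False if the FK rejected it."""
    try:
        with conn:
            conn.execute("INSERT INTO orders (id, cust_id, total) VALUES (?, ?, ?)",
                         (order_id, cust_id, total))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_customer(conn, cust_id: int) -> bool:
    """Return True if the parent was deleted, False if RESTRICT blocked it."""
    try:
        with conn:
            conn.execute("DELETE FROM customers WHERE id = ?", (cust_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_count(conn) -> int:
    """Audit query: child rows whose parent no longer exists. Must be 0 if the
    constraint has been enforced for the table's whole life."""
    return conn.execute(
        "SELECT COUNT(*) FROM orders o "
        "LEFT JOIN customers c ON o.cust_id = c.id "
        "WHERE c.id IS NULL"
    ).fetchone()[0]


if __name__ == "__main__":
    for enforce in (True, False):
        db = open_db(enforce_fk=enforce)
        print(f"enforced={fk_enforcement_enabled(db)} "
              f"orphan_insert_accepted={insert_order(db, 11, 42, 5.0)} "
              f"orphans={orphan_count(db)}")
```

Running the same inserts twice, once with the pragma and once without, shows why the data-level check matters: the DDL is identical in both cases, but only one connection rejects the order that references customer 42.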
Domain 4: Operations and Business Resilience
- RTO (recovery time objective) is the maximum acceptable time to restore a service after disruption; RPO (recovery point objective) is the maximum acceptable data loss, expressed as the interval between the last recoverable copy of the data and the disruption - an RPO of four hours means backups or replication must run at least every four hours.
- Backups must be periodically restore-tested; an untested backup may fail when needed due to corruption, incomplete sets, or unreadable formats.
- A Business Impact Analysis (BIA) identifies critical business processes, quantifies impact over time, and establishes the RTO and RPO requirements that drive recovery strategy.
- A hot site is a fully equipped, continuously operational alternate facility with real-time or near-real-time data replication, enabling rapid failover; a warm site has hardware and connectivity in place but data must be restored from backups before use; a cold site is bare space (power, cooling, connectivity) requiring full build-out.
- DR test types in increasing rigor: checklist, tabletop/walkthrough, simulation, parallel (run recovery alongside production), and full interruption (cut over to recovery).
- Unauthorized changes are detected by reviewing change/configuration logs and comparing them against approved change records.
- Capacity and performance monitoring tracks resource utilization versus provisioned capacity to give early warning of exhaustion and support growth planning.
- Job scheduling with monitoring and exception reporting ensures batch jobs run on time and failures are surfaced and acted upon.
- Autoscaling matches compute capacity to demand automatically, avoiding both outages from resource exhaustion and waste from over-provisioning.
- Cloud cost optimization includes reserved/committed-use discounts (lower unit cost for a usage commitment), shutting down non-production environments off-hours, and right-sizing consistently underutilized instances.
- Storage lifecycle policies expire stale objects per retention rules and tier cold data to cheaper archive storage to control cost.
- Caching reduces database load and lowers read latency for frequently accessed data; spot/interruptible instances suit fault-tolerant, interruptible batch processing.
- Cron schedules follow minute hour day-of-month month day-of-week (e.g., 30 2 * * * runs a job at 02:30 daily); a backup can be created with tar -czvf and its contents listed with tar -tzvf. Listing only proves the archive is readable, not that it is complete or that the restored data matches the source, so it does not replace a restore test.
- Trend analysis of historical utilization data underpins capacity planning and forecasting of future resource needs.
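The restore-test requirement and the tar commands in the list above, as an added worked example (written for this guide; not ISACA material). It uses Python's tarfile module to do what tar -czvf and tar -tzvf do, then goes one step further: it extracts the archive into a scratch directory and compares a SHA-256 hash of every restored file against a baseline taken from the source, which is the check that catches a corrupt, incomplete or silently truncated backup. The sample files are constructed for the example; the truncated copy stands in for a damaged backup set.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256. This is the
    baseline against which a restore is judged."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> list:
    """Equivalent of `tar -czvf archive -C src .`; returns the member list,
    which is what `tar -tzvf archive` would print."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(src)))
    with tarfile.open(archive, "r:gz") as tar:
        return tar.getnames()


def restore_test(archive: Path, baseline: dict) -> dict:
    """Restore into a scratch directory and diff against the baseline.
    Returns {"missing": [...], "corrupt": [...], "unreadable": None | str}."""
    result = {"missing": [], "corrupt": [], "unreadable": None}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python supports it
                # (blocks absolute paths and '..' traversal in member names).
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except Exception as exc:  # truncated gzip, bad tar header, I/O error: all mean "not restorable"
            result["unreadable"] = type(exc).__name__
            return result
        restored = sha256_tree(Path(scratch))
        for rel, digest in baseline.items():
            if rel not in restored:
                result["missing"].append(rel)
            elif restored[rel] != digest:
                result["corrupt"].append(rel)
    return result


def demo():
    """Back up a constructed directory, restore-test the good archive, then a damaged copy."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,4800\n2,4700\n")   # constructed sample
        (src / "sub" / "config.ini").write_text("[db]\nhost=db01\n")     # constructed sample
        baseline = sha256_tree(src)

        archive = Path(work) / "backup.tar.gz"
        members = create_backup(src, archive)
        good = restore_test(archive, baseline)

        # Simulate an incomplete backup set: keep only the first half of the bytes.
        damaged = Path(work) / "damaged.tar.gz"
        damaged.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        bad = restore_test(damaged, baseline)
    return members, good, bad


if __name__ == "__main__":
    members, good, bad = demo()
    print("members:", members)
    print("intact archive:", good)
    print("damaged archive:", bad)
```

In a real schedule the baseline hashes would be recorded at backup time and stored separately from the archive, so that the periodic restore test compares against what was backed up rather than against a source that may itself have changed since.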
Domain 5: Protection of Information Assets
- Least privilege grants each user, process, or service only the minimum permissions needed; need-to-know further restricts access to information required for the task - together they minimize exposure.
- Logging and monitoring are detective controls providing an audit trail for accountability, anomaly detection, and investigation support.
- Confidentiality of data is protected by encryption at rest (renders stored data unreadable without the key) and in transit (TLS), combined with least-privilege access controls.
- Information classification and labeling (e.g., public, internal, confidential, restricted) ensure protection is commensurate with each asset's sensitivity and value.
- Data loss prevention (DLP) relies on classifying and labeling sensitive data plus content inspection and policy enforcement on egress channels.
- File integrity monitoring (FIM) detects unauthorized changes to critical files and system configurations.
- Strong authentication combines strong password policies with multi-factor authentication, which requires at least two independent factor types (something you know, something you have, something you are); two passwords are not two factors.
- Physical controls protect facilities and hardware: badge readers, mantraps, CCTV, guards, and environmental controls.
- An IDS detects and alerts on malicious or anomalous network activity; an IPS additionally blocks it inline.
- Network segmentation limits lateral movement and contains a compromise to a single segment rather than the whole network.
- Zero trust never implicitly trusts based on network location; it continuously verifies identity, device posture, and authorization for every access request.
- Defense in depth layers controls (e.g., WAF, input validation, least-privilege database accounts, encryption) so one control's failure does not expose the whole system.
- Encryption keys and credentials are managed in a centralized key management service / secrets manager that enables access control, automated rotation, and audit logging - never hard-coded in repositories or images.
- Transport security best practice is configuring TLS 1.2 or higher, disabling SSLv3, TLS 1.0 and TLS 1.1, and redirecting HTTP to HTTPS with HSTS enforced.
ISACA CISA exam tips
- Always answer from the perspective of an independent IS auditor: the BEST first step is usually to understand the environment and assess risk (planning) before testing, and to report findings rather than fix them yourself.
- When two answers seem correct, choose the most preventive, most fundamental, or root-cause option; ISACA rewards addressing the cause over the symptom and favors governance/process answers over purely technical ones.
- Memorize the distinctions between paired terms - control objective vs control, preventive vs detective vs corrective, RTO vs RPO, hot/warm/cold sites, KPI vs KRI - they appear repeatedly.
- There is no penalty for wrong answers, so answer every question; 150 questions in 240 minutes allows about 96 seconds per item, so flag tough ones and revisit them rather than stalling.
- Read the question stem for qualifiers like BEST, FIRST, MOST, and GREATEST - these change which of several plausible answers is correct, and watch for EXCEPT/NOT framing.
Study guide FAQ
What is the passing score and format of the CISA exam?
The CISA exam has 150 multiple-choice questions to be completed in 240 minutes (4 hours). It is scored on a scale of 200 to 800, and you need a scaled score of 450 or higher to pass. The scaled score is not a simple percentage; it reflects question difficulty across the five domains.
What are the experience requirements to become CISA certified?
Passing the exam is one part; to earn the certification you need at least five years of professional experience in information systems auditing, control, or security, gained within ten years before applying or within five years after passing the exam. Up to three years can be waived through approved education or related-experience substitutions.
Which domain carries the most weight, and where should I focus?
The two largest domains are Operations and Business Resilience and Protection of Information Assets (about 26% each in the current job practice), together making up roughly half the exam; Information Systems Auditing Process and Governance and Management of IT are next (about 18% each), and Acquisition/Development/Implementation is the smallest (about 12%). Give the heaviest weight to resilience and asset-protection topics, while still mastering the auditing process and governance concepts that underpin question framing across all domains.
Is CISA a technical or a conceptual exam?
It is primarily conceptual and process-oriented, testing how an independent auditor evaluates controls, risk, and governance rather than deep hands-on configuration. You should recognize technologies and command output at a high level, but the exam rewards audit judgment - choosing the most appropriate, risk-focused, root-cause response from an auditor's standpoint.