CISA exam format, syllabus and domains
The CISA exam has 150 multiple-choice questions, a 4-hour duration and five ISACA job-practice domains. The exam is not a memory test. It checks whether you can think like an information systems auditor when reviewing controls, evidence, governance, resilience and information security.
Key takeaways
- 150 MCQs: the exam covers five CISA job-practice domains.
- 4 hours: plan for roughly 1.6 minutes per question.
- 450 passing score: ISACA uses a 200-800 scaled scoring system.
- 52% of the exam: Domains 4 and 5 carry 26% each.
- India candidates: register with ISACA and schedule through the ISACA/PSI exam process.
If you are planning CISA from India, this guide should be your exam-structure reference. It explains the number of questions, duration, passing score, domain weights, syllabus coverage, timing strategy and common mistakes.
For the full certification path, use our how to get CISA certification in India guide. For guided preparation, EduDelphi’s CISA course in India includes live online classes, recordings, 3000+ practice questions, mock exams, office hours and ISACA exam guidance.
What is the CISA exam format in 2026?
The current CISA exam format is simple on paper: 150 multiple-choice questions, 4 hours, and five job-practice domains. ISACA says the exam tests knowledge and ability on real-life practices used by information systems audit, control and security professionals.
| Exam element | Official format | What it means for preparation |
|---|---|---|
| Question type | Multiple-choice questions | You must practise scenario-based MCQs, not only read theory. |
| Number of questions | 150 questions | Build stamina. The last 40 questions matter as much as the first 40. |
| Duration | 4 hours | Use timed mocks. Aim to answer most questions in 75-90 seconds and reserve review time. |
| Delivery | Computer-based exam through ISACA/PSI scheduling | Check available test-centre or remote-proctoring options before selecting a date. |
| Passing score | 450 on a 200-800 scaled score | Do not think in raw percentage only. Focus on consistent domain-wise performance. |
What are the CISA domain weights?
ISACA’s current CISA outline has five domains: two domains at 18%, one at 12%, and two at 26%. Domains 4 and 5 together make up 52% of the exam, so they deserve deeper practice than their position in the syllabus might suggest.
| Domain | CISA exam domain | Weight | Core focus |
|---|---|---|---|
| Domain 1 | Information Systems Auditing Process | 18% | Audit standards, risk-based planning, audit execution, evidence, reporting and follow-up. |
| Domain 2 | Governance and Management of IT | 18% | IT governance, enterprise risk, policies, data governance, vendor management and performance monitoring. |
| Domain 3 | Information Systems Acquisition, Development and Implementation | 12% | Project governance, system development, control design, testing, release, migration and post-implementation review. |
| Domain 4 | Information Systems Operations and Business Resilience | 26% | IT operations, change management, incidents, service levels, backup, BCP and disaster recovery. |
| Domain 5 | Protection of Information Assets | 26% | IAM, network security, encryption, cloud, monitoring, security testing, incident response and forensics. |
What does each CISA domain test?
Each CISA domain tests a different audit responsibility. The exam rarely rewards memorising definitions alone. It often asks what an auditor should review first, which evidence is strongest, which risk matters most, or which control weakness should be escalated.
18% Domain 1: Information Systems Auditing Process
This domain tests how audits are planned, executed and reported. Expect questions on audit standards, risk-based audit planning, control types, audit evidence, sampling, testing, data analytics, reporting and follow-up.
Common mistake: answering like a process owner instead of an auditor. Domain 1 expects independence, evidence quality and audit scope discipline.
18% Domain 2: Governance and Management of IT
This domain checks whether you understand governance structures, IT strategy, enterprise architecture, IT policies, enterprise risk, privacy, data governance, vendor management and IT performance reporting.
Common mistake: treating governance as documentation only. CISA questions often ask whether governance actually aligns IT activity with organisational objectives.
12% Domain 3: Acquisition, Development and Implementation
This domain covers project governance, business cases, system development methods, control design, implementation testing, configuration, release management, data conversion and post-implementation review.
Common mistake: focusing only on software development lifecycle labels. The audit issue is whether business needs, controls and implementation readiness were properly governed.
26% Domain 4: Operations and Business Resilience
This is one of the highest-weight domains. It includes IT components, asset management, job scheduling, interfaces, end-user computing, availability, incident management, change management, configuration, patching, log management, database management, BIA, backups, BCP and DR.
Common mistake: studying business continuity separately from day-to-day operations. In real audits, resilience depends on operational discipline before a disruption happens.
26% Domain 5: Protection of Information Assets
This domain covers security frameworks, physical and environmental controls, identity and access management, endpoint and network security, DLP, encryption, PKI, cloud, mobile, IoT, awareness, attack methods, monitoring, security testing, incident response, evidence and forensics.
Common mistake: answering like a security engineer only. CISA usually wants the auditor’s view: risk, control design, evidence, monitoring and governance accountability.
What is the CISA passing score?
The CISA passing score is 450 on ISACA’s 200-800 scaled scoring system. A scaled score is not the same as a simple raw percentage, so avoid guessing a fixed percentage needed to pass.
For practical preparation, treat 70%+ in mixed mocks as a useful checkpoint, not as an official guarantee. What matters is stable performance across domains and the ability to explain why each wrong answer is wrong.
How to read mock results
- Below 60%: return to concepts and domain notes before booking.
- 60-70%: review weak domains and practise scenario questions.
- 70-80%: start timed full mocks and exam-day strategy.
- 80%+ consistently: focus on speed, review discipline and avoiding careless errors.
How should India candidates manage exam time?
With 150 questions in 4 hours, CISA gives about 1.6 minutes per question. Indian candidates preparing with weekend or evening schedules should practise timed blocks early, because fatigue and second-guessing can damage performance even when concepts are strong.
| Exam stage | Suggested timing | What to do |
|---|---|---|
| First pass | About 170-180 minutes | Answer clear questions, mark uncertain ones, avoid getting stuck for more than two minutes. |
| Review marked questions | About 35-45 minutes | Re-read scenarios carefully and look for audit-role clues such as first, best, most appropriate or primary risk. |
| Final check | About 10-15 minutes | Confirm unanswered items, avoid unnecessary changes and check question navigation. The three stages together must fit within the 240-minute limit. |
Practise this timing inside mocks, not on the actual exam day. If you regularly run out of time, your issue is often reading discipline or overthinking close options.
How difficult is the CISA exam?
CISA is difficult because many questions have two attractive options. The correct answer usually reflects audit independence, risk priority, governance responsibility and evidence quality, not simply the most technical fix.
For example, a security professional may want to fix the control immediately. An auditor may first need to validate evidence, assess risk, report findings through the right channel, or check whether management owns the remediation plan.
- Expect scenario wording rather than direct textbook prompts.
- Read the question stem before the options.
- Identify whether the question asks for first action, best action, primary risk or strongest evidence.
- Do not choose an answer only because it sounds technically advanced.
How should you study the CISA syllabus?
The best CISA syllabus plan starts with audit language, then moves into governance, systems lifecycle, operations, resilience and information asset protection. Domain weight matters, but sequencing matters too: Domains 1 and 2 help you interpret the rest of the exam like an auditor.
| Phase | Domains | Goal | Practice target |
|---|---|---|---|
| Foundation | Domains 1 and 2 | Build audit, governance, risk and control language. | Short quizzes plus notes on audit terms. |
| Systems lifecycle | Domain 3 | Understand how projects, controls, testing and implementation are audited. | Scenario questions on change, release and project governance. |
| High-weight core | Domains 4 and 5 | Master operations, resilience, access, security and incident topics. | Heavy MCQ practice and weak-area reviews. |
| Exam readiness | All domains | Combine domains in timed mocks. | Full mock exams, review logs and retest cycles. |
For a daily schedule, use our CISA exam preparation guide for India. If you are still deciding whether to register now, read the CISA certification cost in India guide before paying official fees.
Want domain-wise practice instead of scattered self-study?
EduDelphi’s CISA training includes live online classes, recordings, 3000+ practice questions, mock exams, doubt-clearing, office hours and ISACA registration guidance.
Which CISA topics need extra attention?
Most candidates should give extra time to operations, resilience and asset protection because Domains 4 and 5 carry 26% each. However, beginners should not skip Domain 1, because audit-process logic affects how you interpret questions across the entire exam.
High-yield areas to practise
- Risk-based audit planning and audit evidence.
- IT governance, policies, data governance and vendor management.
- Change management, patching, configuration and incident management.
- Business impact analysis, backups, BCP and disaster recovery.
- Identity and access management, privileged access and monitoring.
- Cloud, encryption, endpoint security and incident response evidence.
How does the CISA exam compare with CISM, CIA and CISSP?
CISA is the strongest fit when your target role is IT audit, technology risk, control assurance or GRC. CISM leans toward information security management, CIA toward internal audit, and CISSP toward broader security architecture and operations.
If you are comparing credentials, use our CISA vs CISM vs CIA vs CISSP guide. If your concern is career outcome after the exam, review our CISA salary in India guide for role bands and job-market context.
How should you choose CISA exam support?
Choose CISA support based on question quality, trainer explanation, mock debriefs and audit-focused teaching. Competitor pages often list the five domains, but the real difference is whether the provider teaches how ISACA frames audit judgement under pressure.
A serious prep route should include live classes or strong recordings, domain-wise notes, scenario-based MCQs, mock exams, revision sessions, doubt-clearing and exam registration guidance. You can compare options in our best CISA training institutes in India guide.
FAQs
How many questions are in the CISA exam?
The CISA exam has 150 multiple-choice questions. ISACA states that these questions cover five job-practice domains based on real-life audit, control, governance, operations and information asset protection work.
How long is the CISA exam?
The CISA exam duration is 4 hours. That gives roughly 1.6 minutes per question, so candidates should practise timed mocks instead of only reading theory.
What is the CISA passing score?
ISACA reports CISA results on a scaled score from 200 to 800. A score of 450 or higher is required to pass.
What are the five CISA domains?
The five CISA domains are Information Systems Auditing Process, Governance and Management of IT, Information Systems Acquisition, Development and Implementation, Information Systems Operations and Business Resilience, and Protection of Information Assets.
Which CISA domains have the highest weight?
Domain 4, Information Systems Operations and Business Resilience, and Domain 5, Protection of Information Assets, each carry 26%. Together, they represent 52% of the exam.
Is the CISA exam online in India?
CISA candidates in India register with ISACA and schedule through the ISACA/PSI exam process. Depending on availability and ISACA rules, candidates may choose a PSI test centre or remote proctoring.
Is CISA a technical exam or an audit exam?
CISA is an audit and assurance exam with strong technology content. You need to understand IT operations, security and resilience, but the question often asks for the best auditor action or evidence.
Should I study CISA domains in order?
Studying in order helps beginners because Domain 1 builds audit language and Domain 2 builds governance context. Experienced IT or security professionals can still start with weaker domains, then return to full mocks.
Official sources checked
ISACA policies and exam guidance can change. Verify official pages before paying fees, scheduling an exam or applying for certification.
Reviewed for exam accuracy by EduDelphi’s CISA faculty team.
EduDelphi has delivered CISA training for more than 13 years. This India CISA exam-format guide is reviewed against official ISACA guidance for learners preparing for IT audit, GRC, risk, control and assurance roles.