If you're preparing for the CISA exam, you've probably noticed that the exam isn't just one giant topic—it's broken into five distinct domains. Understanding these domains isn't just academic. It's your roadmap for smart, efficient studying.
Here's the thing: not all domains carry equal weight. Some account for a quarter of your exam questions, while others are smaller slices of the pie. Know where to focus your study time, and you'll maximize your score. Ignore the domain breakdown, and you might waste weeks studying content that shows up in only 12% of questions.
Let's walk through each domain, what it covers, and how to approach it strategically.
Domain 1: Information Systems Auditing Process (18%)
This domain covers the fundamentals of how audits work. You'll need to understand the planning, execution, and follow-up phases that define professional IS auditing.
What it covers:
Planning is the foundation. You'll study IS audit standards, guidelines, and the ethical principles that guide auditors. This includes learning how to assess business processes, identify control types, and apply risk-based audit planning methodologies. You'll also learn different audit types—compliance audits, performance audits, operational audits—and when each is appropriate.
Execution is where theory meets practice. Here you'll cover audit project management, sampling methodologies, evidence collection techniques, and data analytics tools. You'll also need to understand how to communicate findings effectively and implement quality assurance processes.
Key topics to master:
- ISACA audit standards and guidelines
- Risk-based audit planning principles
- Control identification and assessment
- Audit sampling methods
- Evidence collection and evaluation
- Audit reporting and communication
- Quality assurance in audit projects
- Follow-up procedures for audit findings
Study tips:
This domain lays groundwork for everything else. If you're new to auditing, spend extra time here understanding the "why" behind audit processes, not just the steps. Memorize the standard audit phases and what happens at each stage. Practice identifying which audit type fits different scenarios.
Why auditors need this:
Without a solid grasp of audit fundamentals, you can't execute any audit effectively. This domain ensures you understand professional standards, ethical obligations, and the structured approach that makes auditing valuable.
Domain 2: Governance & Management of IT (18%)
This domain focuses on how organizations structure, direct, and control IT to support business objectives. It's about aligning IT with strategy and ensuring effective oversight.
What it covers:
IT Governance covers strategy alignment, frameworks (like COBIT), standards, policies, procedures, organizational structure, enterprise architecture, and enterprise risk management. You'll study maturity models to understand how organizations evolve their IT capabilities.
IT Management addresses the day-to-day oversight: resource management, managing service providers, monitoring performance, and maintaining quality assurance. This is where governance principles translate into operational control.
Key topics to master:
- IT strategy and business alignment
- Governance and management frameworks (COBIT for IT governance, ITIL for IT service management)
- IT policies, standards, and procedures
- Organizational structure for IT
- Enterprise architecture principles
- Enterprise risk management programs
- Maturity models and capability assessment
- Service provider management and oversight
- Performance monitoring and metrics
- IT quality assurance processes
Study tips:
Governance and management can feel abstract compared to technical security topics. Make it concrete by thinking about your own organization (or ones you know). How does IT align with business goals? What frameworks do they use? This will help you answer scenario-based questions on the exam.
Why auditors need this:
You'll audit governance structures regularly. Understanding how IT governance should work gives you a baseline to evaluate whether an organization has adequate controls in place. You'll assess whether IT strategies support business objectives and whether performance is being monitored effectively.
Domain 3: Information Systems Acquisition, Development & Implementation (12%)
This is the smallest domain by weight, but it covers critical territory: everything from the decision to build or buy technology, through development, to deployment in production.
What it covers:
The acquisition and development phase includes project governance, business case development, feasibility studies, development methodologies (waterfall, agile, etc.), and control identification during development. You need to understand different SDLC approaches and their control implications.
The implementation phase addresses testing methodologies, configuration and release management, migration and deployment strategies, and post-implementation reviews. This is where you assess whether something was built right and is ready for the real world.
Key topics to master:
- Project governance and oversight
- Business case and feasibility analysis
- Development methodologies and frameworks
- Control identification in development
- Systems development lifecycle (SDLC) controls
- Testing methodologies and strategies
- Configuration and release management
- Migration and deployment processes
- Post-implementation reviews and assessments
- Change management in implementations
Study tips:
This domain is heavily scenario-based. You might see questions like, "An organization is moving to agile development. What controls should be modified?" Think through real examples. What control gaps exist when teams shift methodologies? How do you test a system before going live? These practical angles will help you answer exam questions.
Why auditors need this:
Many audit findings originate in how systems are acquired and implemented. Weak project governance, inadequate testing, or poor change management can lead to production failures, security vulnerabilities, or non-compliant systems. Understanding this domain helps you audit the entire lifecycle.
Domain 4: Information Systems Operations & Business Resilience (26%)
Tied with Domain 5, this is the largest domain on the exam. It covers the day-to-day operation of IT systems and the organization's ability to recover from disruptions.
What it covers:
Operations is broad. You'll cover data governance and management, systems performance monitoring, problem and incident management, change management, configuration and release management, patch management, service level management, database administration, hardware and infrastructure, asset management, job scheduling, and end-user computing.
Business Resilience addresses the organization's ability to withstand disruptions. This includes business impact analysis (BIA), system resiliency design, data backup, storage, and restoration strategies, business continuity planning (BCP), and disaster recovery planning (DRP).
Key topics to master:
- Data governance and classification
- Systems performance monitoring
- Incident and problem management
- Change management controls
- Configuration management
- Release and patch management
- Service level management
- Database administration and security
- Hardware and infrastructure management
- Asset inventory and management
- Job scheduling and automation
- End-user computing controls
- Business impact analysis
- System resiliency and redundancy
- Data backup and recovery strategies
- Business continuity planning
- Disaster recovery planning and testing
Study tips:
Because this domain is so large, break it into chunks. Spend time on operations first: what controls prevent incidents, and how do you respond when they happen? Then move to resilience. Understand the relationship between BIA, BCP, and DRP: the BIA identifies which business processes and supporting systems are critical and how long they can be unavailable, the BCP defines how the business keeps operating during a disruption, and the DRP defines how IT restores those systems. Pay special attention to backup and recovery strategies; these appear frequently on the exam.
Why auditors need this:
Daily IT operations are where much of your audit time will be spent. You'll review change management, incident response, system performance, and resilience strategies. A strong operational foundation prevents many security incidents and service disruptions. Auditors verify that critical systems have redundancy, that backups are tested and actually restore, and that teams can recover within the timeframes the business has defined.
Domain 5: Protection of Information Assets (26%)
Equal in weight to Domain 4, this domain covers everything related to protecting data and systems from unauthorized access, disclosure, modification, or destruction.
What it covers:
Security & Control includes security frameworks and standards, privacy principles, network and endpoint security, data classification, encryption and public key infrastructure (PKI), web security, virtualization security, mobile and IoT security. This is the technical security foundation.
Security Event Management covers security awareness training, attack methods and vectors, security testing tools, monitoring and detection tools, incident response processes, and digital forensics. This is how organizations detect, respond to, and investigate security incidents.
Key topics to master:
- Security frameworks (NIST, ISO 27001, CIS)
- Privacy regulations and controls
- Network security architecture
- Endpoint security and hardening
- Data classification schemes
- Encryption technologies and standards
- Public key infrastructure (PKI)
- Web application security
- Virtualization security
- Mobile device security
- Internet of Things (IoT) security
- Security awareness programs
- Attack methods and threat vectors
- Vulnerability assessment tools
- Security testing methodologies
- Security monitoring and alerting
- Incident response procedures
- Digital forensics fundamentals
- Threat intelligence
Study tips:
This domain requires understanding both the "what" and the "why." Yes, you need to know encryption standards, but more importantly, you need to understand when and why to use them. Study real-world attack scenarios and how organizations defend against them. Focus on defense-in-depth: how multiple controls work together to protect assets. Don't memorize every tool name; instead, understand what categories of tools exist and what they do.
Why auditors need this:
Security breaches dominate news headlines, and organizations are acutely aware of security risks. You'll spend significant audit time evaluating whether an organization's security program is adequate. You'll review security controls, test for vulnerabilities, assess incident response capabilities, and verify that the organization can detect and respond to threats. This domain is where many audit findings originate.
How to Prioritize: Domain Weight Strategy
Start with Domains 4 and 5 (26% each). Together, they represent more than half of the exam. If you have limited study time, mastering these two domains gives you the best return on investment.
Next, tackle Domains 1 and 2 (18% each). These form the foundation. Domain 1 teaches you how to audit; Domain 2 teaches you what governance looks like. Without these, you'll struggle with scenario questions.
Save Domain 3 (12%) for after you're confident on the others. It's important, but it's the smallest slice. Don't skip it, but don't spend disproportionate time here if you're crunched.
Real-world tip: As you study, notice how domains interconnect. A control failure in Domain 4 (operations) might stem from a governance issue in Domain 2. A security incident in Domain 5 is handled through the incident and problem management processes covered in Domain 4, and recovering from it may invoke the resilience plans from that same domain. Understanding these connections will deepen your knowledge and help you answer complex scenario questions.
Domains in Real Audit Work
On the job, you won't audit one domain at a time. Instead, you'll audit a business process or system, and your audit will touch multiple domains.
For example, auditing a data center might involve:
- Domain 1: Designing and executing the audit
- Domain 2: Reviewing governance and IT strategy alignment
- Domain 3: Assessing controls over the acquisition and implementation of new infrastructure
- Domain 4: Evaluating operational controls, monitoring, and resilience
- Domain 5: Reviewing security controls and physical security
Understanding domain boundaries helps you organize your knowledge, but recognizing how they overlap helps you think like an auditor.
Your CISA Study Roadmap
You now understand what each domain covers and how they're weighted. Use this breakdown to build a study plan:
- Assess your baseline knowledge in each domain
- Prioritize Domains 4 and 5 to maximize exam points
- Build foundational knowledge in Domains 1 and 2
- Round out with Domain 3
- Review connections between domains as you study
Ready to test your knowledge? Take a free CISA diagnostic test to see which domains need the most attention. No signup required—just get instant feedback on your strengths and gaps.
Start your CISA journey with confidence. Understanding the domains is your first step toward passing the exam and becoming an effective IS auditor.