Changes to CISA Job Practice Areas

April 3, 2019 by Fakhar Imam

In its press release on November 1st, 2018, the Information Systems Audit and Control Association (ISACA) announced its intention to update job practice areas of its Certified Information Systems Auditor (CISA) certification for 2019 and beyond. The new version of the exam will take effect in June 2019. However, candidates can currently acquire updated CISA material and book training courses to start preparing for the exam.

If you want to take the CISA exam with the current job practice areas on or before May 24th, 2019, the final registration deadline is May 18th, 2019. This testing window runs from February 1st, 2019 to May 24th, 2019. Afterward, you must take the new exam.

The CISA certification concerns the security and deployment of modern IT technology and information systems. Thousands of cyberthreats emerge every day, and security practitioners develop new strategies to prevent them. Technological advances also require analysts to keep their knowledge up to date so they can learn how to deploy these new technologies. To support this, ISACA has updated the CISA job practice areas to align them with the most recent industry trends impacting the IT audit realm.

What Are the Major Changes to CISA Job Practice Areas?

The number of domains will remain the same. However, slight changes have been made to exam content and weightage criteria. In addition, two subdomains have also been added to each of the five job practice areas. The following table shows a comparison of the 2016 CISA domains to 2019 CISA domains.

| Domains | % Weight |
|---|---|
| 1. Current — The Process of Auditing Information Systems | 21% |
| 1. New — Information System Auditing Process | 21% |
| 2. Current — Governance and Management of IT | 16% |
| 2. New — Same as current | 17% |
| 3. Current — Information Systems Acquisition, Development and Implementation | 18% |
| 3. New — Same as current | 12% |
| 4. Current — Information Systems Operations, Maintenance and Service Management | 20% |
| 4. New — Information Systems Operations and Business Resilience | 23% |
| 5. Current — Protection of Information Assets | 25% |
| 5. New — Same as current | 27% |

In the new job practice areas, knowledge statements have been rewritten to reflect current technologies and combined where appropriate to eliminate redundancies.

The CISA 2019 job practice areas comprise 39 task statements. Of these, one was eliminated, 35 remain the same as before but were rewritten to use current terminology, and five are new to deal with changes within the IT audit profession.

What Are the Five New Tasks in CISA 2019?

ISACA updated the CISA 2019 outline with the help of the CISA Practice Analysis Task Force and the collective expertise of more than 4,000 CISA-certified professionals. The result was the addition of the five new tasks listed below:

  1. Since cybersecurity is a continuous phenomenon, the CISA Working Group added the evaluation of threats and opportunities related to emerging technologies, regulations and industry standards.
  2. Performing technical security tests is essential to identify threats and vulnerabilities.
  3. IT practices and policies are critical factors for organizations’ security. Therefore, organizations always identify new opportunities for process improvement in IT practices and policies.
  4. Streamlining audit processes will require the use of data analytics tools.
  5. To improve control and quality of information systems, it is essential to provide guidance and consulting services to the organization.

What Do I Need to Know About the Short Summary of New CISA Job Practice Areas?

A short but comprehensive coverage of the new CISA domains is given below.

1. Auditing Information Systems

In this domain, you will learn how CISA certification offers standardized audit services to help enterprises control and safeguard information systems. You will also learn to be mindful of the practices that help reach conclusions about the company’s current IT security, potential risks and control solutions.

There are multiple subdomains here, including Planning and Execution. Planning involves risk-based audit planning, control types, business processes and information system audit standards, code of ethics and guidelines. Execution incorporates audit project management, sampling methodologies, data analytics, audit evidence collection techniques and reporting and communication techniques.

2. Governance and Management of IT

The second domain ensures that the essential processes, structures and leadership are available to accomplish the organization’s objectives and support strategies. In addition, this domain also confirms that you have obtained the necessary skills to identify important issues and provide a recommendation for supporting and protecting the governance of information and associated technology. You will learn these skills under subdomains such as IT Governance and IT Management.

3. Information Systems Acquisition, Development and Implementation

As the name of this domain implies, you are required to learn about Information Systems Acquisition, Development and Implementation in order to meet organizational objectives and strategies. Subdomains under this job practice area include Information Systems Acquisition and Development and Information Systems Implementation.

4. Information Systems Operations and Business Resilience

This domain confirms that you have the knowledge of IT asset management, system interfaces, data governance, end-user computing, system performance management, database management and change, release, configuration and patch management. Business resilience involves the understanding of Disaster Recovery Plan (DRP), Business Continuity Plan (BCP), Business Impact Analysis (BIA), System Resiliency and Data Backup, Storage and Restoration. These topics fall under the subdomains Information Systems Operations and Business Resilience.

5. Protection of Information Assets

This is the most important domain of CISA certification. Since cyberattacks are becoming more sophisticated, protecting information assets is one of the primary goals of CISA certification holders. In this critical domain, you will gain an in-depth insight into subdomains including Security Event Management (e.g., security awareness training and programs, attack methods and techniques, incident response management, and so on) and Information Asset Security and Control (e.g., privacy principles, physical and environmental controls, network and endpoint security, PKI and so on).

Will I Need to Retake the Exam When New Changes Go Into Effect?

No, you don’t need to retake the exam after the expiration of the current exam. CISA-certified professionals will gain exposure to the updated CISA exam by meeting the Continuing Professional Education (CPE) maintenance requirements. These require a minimum of 20 CPE hours annually and 120 CPE hours over the three-year reporting period.


In this article, we reviewed the changes to the CISA job practice areas. Like the previous exam, the new CISA exam consists of five domains. However, there is a slight change in the exam content and percentage weights. In addition, five new tasks have been added to the new job practice areas. Candidates taking the current CISA exam are not required to retake the exam. Instead, they just need to renew through the ISACA CPE policy.


