The CISA Domains – An Overview

March 16, 2011 by Kenneth Magee

ISACA’s 2011 CISA exam material has been revised from six domains to five. Prior to 2011, Domain 6 was Business Continuity and Disaster Recovery. That old Domain 6 has been split into two parts: Business Continuity now falls under Domain 2, Governance and Management of IT, and Disaster Recovery has been merged into Domain 4, Information Systems Operations, Maintenance and Support. The only domain title that stays the same is Domain 5, Protection of Information Assets. Each domain also carries a new weight on the exam and a new number of questions (out of 200). The new names, weights, and number of questions are as follows:

Domain 1: The Process of Auditing Information Systems (14% of the exam or 28 questions)

Domain 2: Governance and Management of IT (14% of the exam or 28 questions)

Domain 3: Information Systems Acquisition, Development and Implementation (19% of the exam or 38 questions)

Domain 4: Information Systems Operations, Maintenance and Support (23% of the exam or 46 questions)

Domain 5: Protection of Information Assets (30% of the exam or 60 questions)

I will be updating the existing Domain articles over the next five weeks so check back often to get the latest.

It’s important as an auditor to understand the areas, not just to pass the exam, but to provide value to the IT audit process.



Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.

16 responses to “The CISA Domains – An Overview”

  1. Jeff says:

    Do you have the same analysis information for domain 5 and 6?

  2. Lucio Molina says:

    The CISA domains are changed now they are five, please update

  3. Mohamed says:

    where is the same analysis for Domain 5

  4. kenneth says:

    All the CISA Domains have been updated for the new ISACA format. Please take a look.


  5. kenneth says:

    All the CISA domains have been updated to the new ISACA format of five. The old Domain 6 was split between Business Continuity and Disaster Recovery and merged into Domains 2 and 4 respectively. Please take a look at the new write-ups.


  6. kenneth says:

    Domain 5 has been added.


  7. Lucian says:

    I have passed the Dec 2010 exam, and my personal opinion is that passing CISA doesn’t prove that you have the knowledge to be an auditor. I found Domain 5: Protection of Information Assets to be treated very superficially, and this is a high risk for the clients. In my opinion a combination of CISA + CISSP + CEH (OSCP is the best) will give the client some assurance that the auditor can provide him with an acceptable service.

    I think the current version of CISA is made in order to allow the non-IT people to pass the exam.

  8. Art says:

    Hi Kenneth – Thanks for the 2010 -> 2011 mapping article; it’s helped me get a picture of the major changes.

    I spoke to someone from one of the independent study guide publishers and he mentioned that less than 5% of the actual ‘material’ has changed and so in essence, 2010 material is still valid for the information itself.

    Is this something that you’ve also found?

    • kenneth says:

      The things that are changing, and ISACA has recognized this as well, is the whole area of mobile computing. While this may only be considered 5%, it would still be a good investment to pick up a copy of the 2011 CISA Review Manual.


  9. Jason says:

    Ok, I saw that you stated Domain 5 was added but the link has “page not found”

    • Kenneth Magee says:

      Thanks for pointing out the link problem. It has been fixed and you should be able to access the Domain 5 article.

  10. Parib says:

    Hi Kenneth! Thanks for giving me what to read in the review manual. The Domain 5 link is still not ready. It says “page not found”. Please fix the problem. Now I know what to read and have the confidence. Thanks..

  11. Nick says:

    I just wrote the CISA exam for the December 2011 session and I have to say that while it was fantastic that Kenneth took the time to write these articles on the domains, he recommends study topics that are not tested. In fact, in some cases, the CISA review manual explicitly says that some areas will not be tested. For example, the CRM says you don’t need to know COBIT or the specifics of the OSI model. From writing the exam, I’ll add that you also don’t need to know how to calculate annual expected losses or details of other quality frameworks (e.g. ISO). While I agree, yes, you should know this as an IT auditor, you have to pay attention to the hints in the CRM so you don’t spend valuable study time on topics that ISACA says will not be covered in the exam. That being said, I studied all of the areas that Kenneth recommended anyway, as I’m interested in transitioning from regular internal audit to IT auditing – it was a good checklist to run through to ensure I understood important IT concepts. If you stick with the official ISACA prep materials (e.g. practice questions and CRM) for what to study and expand on concepts that you don’t understand (thank you Wikipedia), then you will be good to go.

  12. Ratnesh says:

    Dear Kenneth,

    I am one of your regular visitors and I found your webpage very helpful for candidates writing the CISA exam.

    You have brilliantly categorized and mapped the CISA scoring to the topics in each domain. I just wanted to know whether there is a similar analysis for Domain 5 (Protection of Information Assets).

    I would appreciate if you can update or send me the similar analysis for domain 5 as well.

    Thank You.

    Warm regards,

  13. Janine says:

    I am looking to study in December of 2013. Will you kindly be updating this information to reflect any necessary notes/changes, etc.?

    Your information and guidance are so very appreciated.
