Certified Information System Auditor (CISA) domain(s) overview & exam material [Updated 2019]

Claudio Dodt
July 12, 2019 by
Claudio Dodt

Earning a Certified Information System Auditor (CISA) certification is a sound career advancement strategy for those who perform (or wish to perform) audits, control activities, monitoring and assessing information technology and business systems.

Regarded as the preferred information systems (IS) audit certification program by individuals and organizations around the world, the CISA, as with any meaningful achievement, requires a great deal of commitment, dedication and resilience.

Exam and domain overview

During the exam, candidates must answer 150 questions from job practice areas, organized into five domains, within four hours or less. The whole idea behind the CISA certification is making sure professionals, such as IT auditors, are ready to deal with real-world situations and this rationale is especially true for the job practice areas, each consisting of tasks and knowledge statements that try to represent the work performed in information systems audit, assurance and control.

CISA Certification Job Practice Areas by Domain, Source: ISACA®

According to ISACA, the international association responsible for the CISA, "These statements and domains are the result of extensive research, feedback and validation from subject matter experts and prominent industry leaders from around the globe.”

The five domains are the basis for the exam questions and the requirements to earn the certification. So, if your goal is to become a part of this exclusive group of certified and in-demand professionals, one of the first steps is getting to know each domain/job practice area.

Here is a quick review of each job practice domain and the task and knowledge statements for the CISA certification.

Domain 1 — The process of auditing information systems (21%)

The first domain is all about how to provide audit services, in accordance with ISACA’s view on IS audit standards, with the objective of assisting organizations in protecting and controlling information systems.

The main tasks include executing a risk-based IS audit strategy, in compliance with IS audit standards, and ensuring key risk areas are audited. It is also necessary to understand how to plan specific audits to determine whether information systems are protected and controlled. You also must understand how to conduct audits in accordance with IS audit standards to achieve planned audit objectives.

Another important point is the ability to communicate audit results and make recommendations to key stakeholders through meetings and audit reports. This is necessary to promote change when needed. You also must learn how to conducts follow-up audits to determine whether appropriate actions were taken by management in a timely manner.

For this domain, candidates must have knowledge of:

  • ISACA IT audit and assurance standards, guidelines, tools and techniques, code of professional ethics and other applicable standards
  • Risk assessment concepts, tools and techniques used in planning, examination, reporting and follow-up audits
  • A basic understanding of fundamental business processes, such as purchasing, payroll, accounts payable, accounts receivable and the role of IS in these processes
  • The principles related to information systems controls
  • How to perform risk-based audit planning and audit project management techniques, including follow-up
  • Basic understanding of applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audits
  • Evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
  • Various sampling methodologies and other substantive/data analytical procedures
  • Basic reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary and result verification)
  • Audit quality assurance (QA) systems and frameworks
  • The various types of audits (e.g., internal, external and financial) and methods for assessing and placing reliance on the work of other auditors or control entities

Domain 2 — Governance & management of IT (16%)

The second CISA domain focuses on providing assurance the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization's strategy.

Candidates must demonstrate the ability to evaluate organizational IT strategy. This includes overall IT direction and processes for strategy development, approval, implementation and maintenance. You will need to understand how to determine if IT strategy aligns with the organization’s strategies and objectives, and validate the effectiveness of the IT governance structure to determine if IT decisions, directions and performance support the organization’s strategies and objectives.

Most tasks in this domain are related to checking the level of alignment with the organization’s strategies, objectives and regulatory/legal requirements, including areas such as the IT organizational structure and human resources (personnel), IT policies, standards and procedures, and related processes (i.e., development, approval, release/publishing, implementation and maintenance), IT resource management (including investment, prioritization, allocation and use), and IT portfolio management (including investment, prioritization and allocation).

The role of an IT auditor also requires an understanding of risk management practices in order to determine whether the organization’s IT-related risks are identified, assessed, monitored, reported and managed. Business continuity is also a major concern, as it is necessary to evaluate the organization’s business continuity plan (BCP), including alignment of the IT disaster recovery plan (DRP) with the BCP to determine the organization’s ability to continue essential business operations during the period of an IT disruption.

Other tasks related to auditing governance and management of IT include evaluating IT management and monitoring of controls (e.g., continuous monitoring, quality assurance [QA]) for compliance with the organization’s policies, standards and procedures, and checking monitoring and reporting of IT key performance indicators (KPIs) to determine whether management receives sufficient and timely information.

For this domain, candidates must also understand:

  • The objective of IT strategy, policies, standards and procedures for an organization, including knowledge of the essential elements of each item
  • The concepts of IT governance, management, security and control frameworks, and related standards, guidelines and practices
  • Basics of organizational structure, roles and responsibilities related to IT, including segregation of duties (SoD)
  • The relevant laws, regulations and industry standards that may affect the organization
  • How the organization’s technology direction and IT architecture influence the business’s long-term strategic directions
  • The processes for the development, implementation and maintenance of IT strategy, policies, standards and procedures
  • How to use capability and maturity models, and process optimization techniques
  • Key concepts related to IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management and personnel management)
  • Good practices for IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
  • Knowledge of enterprise risk management (ERM)
  • The best practices for monitoring and reporting of controls performance (e.g., continuous monitoring, quality assurance [QA]), quality management and quality assurance (QA) systems
  • How to monitor and report on IT performance (e.g., balanced scorecard [BSC] and key performance indicators [KPIs])
  • The concepts of a business impact analysis (BIA) and the standards and procedures for the development, maintenance and testing of the business continuity plan (BCP), including the procedures used to invoke and execute the business continuity plan (BCP) and return to normal operations

Domain 3 — Information systems acquisition, development & implementation (18%)

A good IT auditor must also be prepared to make sure the practices for acquiring, developing, testing and implementing information systems meet the organization’s strategies and objectives.

As mentioned before, tasks are based on real-world challenges, so candidates are expected to understand how to evaluate a business case for proposed investments in information systems, including acquisition, development maintenance and subsequent retirement, to determine whether the business case meets business objectives.

It is also necessary to be able to evaluate IT supplier selection and contract management processes, and to make sure the organization’s service levels and requisite controls are met.

Other tasks include evaluating the company’s project management framework and controls, and determining whether business requirements are achieved in a cost-effective manner. This must be done while managing risk to the organization and conducting reviews to determine whether a project is progressing in accordance with project plans, and whether it is adequately supported by documentation with timely and accurate status reporting.

CISA candidates must also be able to evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the policies, standards, procedures and applicable external requirements adopted by the organization. They also must effectively validate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and the organization's requirements are met. It is also necessary to know how to conduct post-implementation reviews of systems to determine whether project deliverables, controls and the organization's requirements are met.

For this domain, candidates must have a good knowledge of:

  • The main benefits of realization practices, (e.g., feasibility studies, business cases, total cost of ownership [TCO] and return on investment [ROI])
  • IT acquisition and vendor management practices (e.g., evaluation and selection process, contract management, vendor risk and relationship management, escrow and software licensing), including third-party outsourcing relationships, IT suppliers and service providers
  • Project governance mechanisms (e.g., steering committee, project oversight board, project management office) and project management control frameworks, practices and tools
  • How risk management practices are applied to projects, and the requirements of analysis and management practices (e.g., requirements verification, traceability, gap analysis, vulnerability management and security requirements)
  • Understanding the enterprise architecture (EA) related to data, applications and technology (e.g., web-based applications, web services, n-tier applications, Cloud services and virtualization)
  • A basic view of system development methodologies and tools, including their strengths and weaknesses (e.g., agile development practices, prototyping, rapid application development [RAD], object-oriented design techniques, secure coding practices and system version control)
  • Control objectives and techniques that ensure the completeness, accuracy, validity and authorization of transactions and data and the testing methodologies and practices related to the information system development life cycle (SDLC)
  • Knowledge of the configuration and release management related to the development of information systems and system migration and infrastructure deployment practices, including data conversion tools, techniques, and procedures
  • Understanding the project success criteria and project risks, and the post-implementation review objectives and practices (e.g., project closure, control implementation, benefits realization and performance measurement)

Domain 4 — Information systems operations, maintenance & service management (20%)

IT service management (ITSM) practices are another major part of the CISA examination, as IT auditors must provide assurance the processes for information systems operations, maintenance and service management meet the organization’s strategies and objectives.

For this domain, ISACA takes a straightforward approach, requiring auditors to be able to evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met. It is also necessary to know how to conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives within the enterprise architecture (EA).

Several domain tasks are oriented ensuring IT service management effectively and continuously supports the organization’s objectives. This includes evaluating operational-level activities such as job scheduling, configuration management, capacity and performance management, the timely application of patches and upgrades, and even evaluating database management practices to determine the integrity and optimization of databases and data quality. It also includes lifecycle management to determine whether they continue to meet strategic objectives.

Other ITSM processes must also be audited, including problem and incident management practices, to confirm if problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization's objectives. The change and release management processes must also be validated to determine whether changes made to systems and applications are adequately controlled and documented.

An IT auditor must also evaluate end-user computing and IT continuity and resilience (backups/restores and disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support the organization’s objectives.

For this domain, candidates must have knowledge of:

  • IT service management frameworks, practices and service-level management
  • The techniques for monitoring third-party performance and compliance with service agreements and regulatory requirements
  • A basic understanding of enterprise architecture (EA) and the functionality of fundamental technology (e.g., hardware and network components, system software, middleware, database management systems) including system resiliency tools and techniques (e.g., fault-tolerant hardware, elimination of single point of failure and clustering)
  • The key concepts related to IT asset management, software licensing, source code management and inventory practices
  • IT job scheduling practices, including exception handling
  • The control techniques that ensure integrity of system interfaces
  • Capacity planning and related monitoring tools and techniques, including knowledge of systems performance monitoring processes, tools and techniques (e.g., network analyzers, system utilization reports and load balancing)
  • The concepts of data backup, storage, maintenance and restoration practices, database management and optimization practices, data quality (completeness, accuracy, integrity) and life cycle management (aging, retention)
  • The ITSM processes for problem and incident management, change management, configuration management, release management and patch-management practices
  • Understanding the operational risk and controls related to end-user computing
  • Having a good understanding of IT continuity, including regulatory, legal, contractual and insurance issues related to disaster recovery, the concepts related to a business impact analysis (BIA) for disaster recovery planning, how to develop and maintain disaster recovery plans (DRPs), the benefits and drawbacks of alternate processing sites (e.g., hot sites, warm sites and cold sites), disaster recovery testing methods and the processes used to invoke the disaster recovery plans (DRPs)s

Domain 5 — Protection of information assets (25%)

CISA’s last domain is one of the most important for IT auditors: The protection of information assets covers everything related to information security, as auditors are required to provide assurance that the organization’s policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.

It is important to understand the CISA is not ISACA’s main information security certification (that would be the CISM). However, as security represents one of the most relevant challenges for businesses today and this certification’s objective is preparing professionals to deal with real-world situations, this is a major topic for the exam, representing a quarter of questions candidates must answer.

The information security-related tasks that auditors must perform include evaluating the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices, and compliance with applicable external requirements. Auditors should also be able to evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.

The same goes for the design, implementation, maintenance, monitoring and reporting of system and logical security controls, as they must be checked to confirm the confidentiality, integrity, and availability of information is maintained at appropriate levels.

Other tasks include:

  • Evaluating the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements
  • Checking the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded
  • Assessing the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives

For this domain, candidates must have a good knowledge of:

  • Generally accepted practices and applicable external requirements (e.g., laws, regulations) related to information security, including the techniques for the design, implementation, maintenance, monitoring and reporting of security controls
  • Principles related to privacy
  • The physical and environmental controls and supporting practices related to the protection of information assets, including physical access controls for the identification, authentication and restriction of users to authorized facilities and hardware
  • Logical access controls for the identification, authentication and restriction of users to authorized functions and data
  • The security controls related to hardware, system software (e.g., applications and operating systems) and database management systems.
  • The key concepts of security controls and risks associated with virtualization, the use of mobile and wireless devices, including personally owned devices (bring your own device [BYOD])
  • Security concepts for voice communications (e.g., PBX, Voice-Over Internet Protocol [VoIP]), network and Internet security devices, protocols and techniques, the configuration, implementation, operation and maintenance of network security controls, encryption-related techniques and their uses for information security, including public key infrastructure (PKI) components and digital signature techniques
  • The risks and controls associated with peer-to-peer computing, instant messaging and web-based technologies (e.g., social networking, message boards, blogs and Cloud computing)
  • Using data classification standards related to the protection of information assets
  • The processes and procedures used to store, retrieve, transport and dispose of confidential information assets
  • The concepts, security controls and risks associated with data leakage and end-user computing
  • The methods for implementing a security awareness program
  • Understanding information system attack techniques, and the usage of prevention and detection tools and control techniques, including security testing techniques (e.g., penetration testing and vulnerability scanning)
  • Accessing the processes related to monitoring and responding to security incidents (e.g., escalation procedures and emergency incident response team), including the processes followed in forensics investigation and procedures in collection and preservation of the data and evidence (i.e., chain of custody)
  • Understanding how fraud risk factors are related to the protection of information assets


The primary reason the CISA is such a distinguished certification is its focus on preparing IT auditors for real-world situations. At first, the five domain/job practice areas may seem overwhelming, but candidates must understand that this is a necessary rite of passage, a journey that even experienced IT auditors should take to enhance their capability to assess information systems and technology and provide leadership and value to their organization.

Earning a CISA can be a career-changing opportunity, but only the most determined candidates will succeed. If you are up to this challenge, consider enrolling in official training because there is no better way for understanding each CISA domain than learning from professionals who have completed the same exam.

For more on the CISA certification, view our CISA certification hub.

Claudio Dodt
Claudio Dodt

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.