Five CISA exam domains, wildly different weights. If you study them like they're equal, you'll burn weeks on Domain 3 (12% of the exam) and not nearly enough on Domains 4 and 5 (26% each). That's most of the CISA game — figuring out where the points actually live and pointing your study hours in that direction.
Here's what each domain covers, where the real difficulty is, and how I'd allocate study time if I were planning it from scratch.
One quick note on weights: the ISACA domain percentages below reflect the current exam outline (the 2019 job practice update, still in effect). If you're reading an older prep book that shows different splits, go with ISACA's current numbers, not the book.
Domain 1: Information Systems Auditing Process (18%)
Audit fundamentals. Planning, execution, evidence, reporting, follow-up. The part of the exam that tests whether you think like an auditor — not whether you know specific technologies.
You'll see questions on ISACA audit standards, risk-based audit planning, sampling methods, evidence collection, and communicating findings. Most of it is process-oriented, and a lot of it becomes second nature once you've run a couple of real audits. If you haven't, this domain can feel abstract. It's a lot of "what do you do when X happens during fieldwork?" — and the right answer is almost always whatever ISACA's standards say to do, not whatever makes the most technical or practical sense.
I worked with someone who had twelve years in network engineering and was scoring 80%+ on practice tests for Domains 3, 4, and 5. He kept bombing Domain 1. The reason: when a question asked what to do after identifying a control weakness mid-audit, his instinct was "fix it." The ISACA-correct answer was "document the finding, report it through the proper channels, and don't alter the subject of the audit." He had to retrain his instincts for the exam. That's pretty much the whole trick with Domain 1.
Domain 2: Governance & Management of IT (18%)
This is the domain that separates people who've worked inside a mature IT organization from people who haven't. COBIT, ITIL, enterprise risk management, strategy alignment, maturity models. All of it shows up in practice in real enterprises, but if your experience is startups or small IT shops, you may have never seen most of it live.
Questions here are almost entirely scenario-based. Something like: "Management wants to implement X. What governance consideration matters most?" The exam isn't testing whether X is a good idea — it's testing whether you can recognize the governance layer sitting on top of the decision.
If you've spent time at a mature enterprise, this domain mostly studies itself. If you haven't, you'll need to put real hours into reading COBIT objectives and governance framework mechanics, because you can't shortcut that familiarity with practice questions alone. I've seen people try. It doesn't work — the exam asks too many questions that require recognizing the purpose of a control, and you can't recognize purpose without context.
Domain 3: Information Systems Acquisition, Development, and Implementation (12%)
Smallest domain. SDLC, build/buy decisions, testing, configuration and release management, deployment, post-implementation reviews.
If you're short on time, this is the domain to defend rather than master. Get to competent. Don't spend three weeks here when Domains 4 and 5 are where the actual exam points sit.
Two things trip people up: questions that compare agile vs. waterfall control implications, and post-implementation review questions. Both are scenario-heavy, and both tend to have one answer that's right for real-life engineering and a different answer that's right for CISA. Pick the CISA answer.
Domain 4: Information Systems Operations & Business Resilience (26%)
Tied for biggest domain. Also the messiest. ISACA crammed a lot in here: data governance, systems performance, incident and problem management, change management, configuration and release management, patch management, SLAs, database administration, infrastructure, asset management, job scheduling, end-user computing, BIA, BCP, DRP, backup and recovery.
When people tell me they failed the CISA on a first attempt, Domain 4 is usually where it happened. Not because the material is conceptually hard — it's because the domain is sprawling and candidates underestimate how much specific, somewhat rote material they need to keep in their heads. You have to know what a business impact analysis produces, how it feeds into a BCP, how a BCP differs from a DRP, and what each document owns. Those relationships alone have probably twenty distinct exam questions written about them.
If I were planning study time for Domain 4, this is where I'd concentrate:
- The BIA → RTO/RPO → BCP → DRP chain. Know the order, know what each stage produces, and know who owns each. Distractors love to scramble the order.
- Change management controls — specifically separation of duties, emergency change procedures, and back-out plans. Emergency change questions are a favorite trap, because candidates want to pick the "restore service fast" answer and the ISACA-correct answer is almost always "document first, then restore."
- Backup strategies (full, incremental, differential), on-site vs. off-site rotation, and encryption of backup media. Not conceptually hard, but the exam loves the specifics.
- Incident and problem management. Know the lifecycle. Know the difference between an incident and a problem. Yes, it's basic ITIL stuff. Yes, they still test it.
The operational monitoring material (performance, capacity, service levels) is more straightforward, but it's volume-heavy — plan for a lot of reading and a lot of practice questions to burn it in.
One pattern I've noticed: candidates who are strong in security often assume Domain 4 will be easy because "operations is just security with a different label." It isn't. Operations questions care about availability, recovery, and process integrity — not confidentiality. If you answer like a security person, you'll get a lot of correct-sounding answers wrong.
Domain 5: Protection of Information Assets (26%)
The other 26% domain. Security frameworks, privacy, network and endpoint security, encryption and PKI, web and application security, virtualization, mobile, IoT, security awareness programs, attack vectors, testing, monitoring, incident response, and digital forensics.
If you have a security background, this is where you recover the points you'll lose on Domains 1 and 2. If you don't, this is the other domain where you need to put in real study hours — though honestly, for most CISA-level questions, conceptual understanding beats deep technical knowledge. You don't need to know Cisco ASA vs. Palo Alto. You need to know what a stateful firewall is and when you'd use one.
A few things worth knowing cold:
- Symmetric vs. asymmetric encryption and when each gets used. Most PKI questions hinge on this.
- How firewalls, IDS/IPS, and SIEM tools relate at a control level — not a configuration level.
- Incident response phases and what happens in each.
- Digital forensics basics, especially chain of custody. CISA loves chain of custody questions.
Skip the vendor-specific stuff. The exam doesn't care about product names.
One thing that surprises security practitioners: CISA's privacy questions feel different from what you see on security-focused certs. They're closer to governance — "which framework applies here, what notice obligations exist, who owns the data." If you're coming from a technical security background, spend a little extra time on the privacy section, because the framing is different from what you're used to.
Where the points actually live
Domains 4 and 5 together are 52% of the exam. Domains 1 and 2 are 36%. Domain 3 is 12%. That's just the math.
If I were building a CISA study plan from scratch, I'd allocate hours roughly in proportion to domain weight, with a small bias toward Domain 4 because of how sprawling it is:
| Domain | Weight | Suggested study time |
|---|---|---|
| 1. Auditing Process | 18% | 15% |
| 2. Governance & Management | 18% | 15% |
| 3. Acquisition, Development, Implementation | 12% | 10% |
| 4. Operations & Resilience | 26% | 30% |
| 5. Protection of Information Assets | 26% | 25% |
| Mixed-domain practice exams | — | 5% |
Those numbers aren't sacred. If you already work in IT governance, flip some time from Domain 2 into Domain 5. If you're a security person, do the opposite. The point is: don't default to equal coverage.
For a more detailed week-by-week schedule, see how long it actually takes to study for the CISA. And if you're still deciding between CISA and a more management-focused cert, CISA vs. CISM covers the split pretty honestly.
Domains overlap more than the outline suggests
One last thing worth flagging. In real audit work, you never audit one domain at a time — you audit a business process or system, and the audit touches three or four domains simultaneously. A data center audit hits Domain 1 (fieldwork), Domain 2 (governance), Domain 4 (operations), and Domain 5 (security controls). A vendor risk review lives between Domains 2 and 5. A cloud migration audit crosses Domain 3 and Domain 5.
The exam writers know this. A lot of harder scenario questions live at the seams between domains, which is why studying each domain in a sealed box tends to produce candidates who know the material but get confused on the exam. When you read practice questions, notice which domain the question is really testing — it's often not the one you'd expect from the surface-level topic.
Before you build out a full study plan, figure out where you actually stand. Most candidates guess wrong about their weakest domain — I've watched plenty of security professionals assume they'll crush Domain 5 and then discover that CISA asks governance-flavored security questions they haven't seen before. LearnZapp has a free CISA diagnostic that gives you a per-domain breakdown in about 20 minutes. No signup. Take it before you've committed to a study schedule, not after.