How Long Should You Study for ISACA CISA? A Realistic Timeline

Most people need 8-16 weeks to prepare for the CISA exam. Get a realistic study timeline based on your experience level, plus where most candidates lose time.

Eight to sixteen weeks. That's the honest range for how long to study for CISA, and where you land in that range depends mostly on whether you've actually done audit work before — not on how much IT or security experience you bring.

I want to flag that distinction up front because it's where most candidates miscalculate. People with ten years in security infrastructure often assume they'll be on the short end of the timeline, and then they get blindsided by Domain 1 questions that have nothing to do with technology and everything to do with how an auditor thinks. More on that below.

The Quick Answer by Background

If you've spent real time doing IS audit work — internal audit, external audit, GRC, control testing — plan on 8 to 10 weeks of focused study. You already know the vocabulary and the mindset. You're filling gaps and learning ISACA's specific framing.

If you're transitioning into audit from IT operations, security engineering, or a sysadmin track, plan on 10 to 14 weeks. You'll move fast through Domains 4 and 5, but Domains 1 and 2 will be slower than you expect.

If you're early career or shifting fields entirely, 14 to 16 weeks is realistic. Sometimes longer if you're juggling the five-year experience requirement on the side.

These ranges assume 10 to 15 hours of study per week. Drop below 8 hours and you'll need to extend by a few weeks. Go above 20 and you'll plateau anyway — at some point the constraint becomes how much your brain can absorb, not how many hours you log.

What's Actually on the Exam

150 questions, four hours, scored 200-800 with a 450 pass mark. Five domains:

| Domain | Weight | What it covers |
|---|---|---|
| 1. Information Systems Auditing Process | 18% | Planning, executing, and reporting on audits |
| 2. Governance & Management of IT | 18% | IT governance, risk, alignment with business |
| 3. IS Acquisition, Development & Implementation | 12% | SDLC, project management, system implementation |
| 4. IS Operations & Business Resilience | 26% | Operations, monitoring, BCP, DR |
| 5. Protection of Information Assets | 26% | Security, IAM, encryption, incident response |

Notice that Domains 4 and 5 are 52% of the exam combined. Most study guides give every domain roughly equal coverage. Don't let yours do that. If you're tight on time, the cheapest weeks to cut are on Domain 3.

One detail worth knowing: you can sit for the exam before you have the five years of experience. ISACA gives you up to five years after passing to satisfy the requirement. Useful if you want to lock in the credential while you're building the work history.

The Thing Most Posts Don't Tell You

Here's the part I want to spend real time on, because it's where I've watched smart, technically strong people lose months.

CISA isn't a technical exam. It looks technical — there are questions about firewalls and encryption and disaster recovery — but it's testing whether you can think like an auditor. And the auditor mindset is genuinely different from how engineers and security pros usually approach problems.

A scenario I've seen play out more than once: someone with 10+ years in security ops starts CISA prep. They blow through Domains 4 and 5 in three weeks because the material is mostly familiar. They start practice questions and consistently score in the high 70s. They book the exam. They fail.

When they go back to look at what went wrong, the pattern is almost always the same. They were picking the technically optimal answer instead of the audit-appropriate answer. ISACA wants you to identify the control that addresses the risk, not the technology fix. They want you to recommend the policy before the implementation. They want you to flag the governance gap, not solve the engineering problem.

A concrete example. The question gives you a scenario: a company has weak password policies and a recent breach. What should the IS auditor recommend first? An engineer's instinct is to recommend MFA or a password manager rollout. The audit answer is almost always going to be: review the existing policy, identify the gap, recommend a policy update with management oversight, then talk implementation. The technically better answer is the wrong one because the auditor's job is to assess and recommend governance, not engineer the fix.

This is why technically strong candidates need almost as much study time as career-changers — they need to retrain a default instinct. If you're coming from a hands-on technical background, budget extra time on Domain 1 and Domain 2, even though they're "only" 18% each. They're where the mindset lives.

A pattern I've noticed: people scoring 75%+ on practice tests but consistently missing the same handful of question types are usually missing them for the same reason. They keep solving instead of auditing. If that's you, the fix isn't more questions — it's slowing down on each question and asking, "what would an auditor's first move be here?"

A Sample 12-Week Plan

This is built for someone with an IT or security background, putting in roughly 12 hours a week. Adjust the front and back if your situation differs.

Weeks 1-2. Get the lay of the land. Read the CISA Review Manual intro chapters, skim each domain at a high level, take a diagnostic so you know your real starting point. Don't memorize anything yet.

Weeks 3-5. Domain 1 and Domain 2. This is where I'd spend disproportionate time if you're coming from a non-audit background. Go slow. The audit process and governance frameworks (COBIT especially) need to feel intuitive, not memorized.

Weeks 6-7. Domain 3 (SDLC, project management). Move through this faster — the volume is lower and the concepts are familiar to most IT folks.

Weeks 8-9. Domain 4 (Operations & Business Resilience). Dense material, but if you've done ops work, much of it is review with new vocabulary. Focus on the BCP/DR sections — those generate a lot of exam questions.

Weeks 10-11. Domain 5 (Protection of Information Assets). Same logic as Domain 4 — familiar material, ISACA's framing.

Week 12. Two or three full-length practice exams. Time them. Review every wrong answer and write down why you missed it — was it a knowledge gap or a mindset gap? Those need different fixes.

If you have less than 12 hours a week available, stretch the plan to 14-16 weeks rather than compressing it. Compressing this material past 12 hours a week tends to produce shallow recall that doesn't survive the exam.

When You're Actually Ready

A few signals to watch for:

You're consistently scoring 70%+ on full-length practice exams (not on individual domain quizzes — those run easier).

You can talk through why a wrong answer is wrong, not just identify the right one.

You're not getting tripped up on the "first/best/most appropriate" question stems anymore. These are CISA's signature pattern, and they're a useful proxy: if those still feel like coin flips, you need more time.

You've finished a full 4-hour practice exam without your brain melting in hour three. CISA is a stamina test as much as a knowledge test.

If three out of four of those are true, schedule the exam. Waiting for a perfect 85% practice average usually means waiting forever.

The Cost Side

ISACA member rate for the exam is $575. Non-member is $760, and the membership itself runs $135-225, so doing the math: if you're not already a member, joining for the exam discount is a small win.

Study materials run anywhere from $200 (review manual + question database) to $800+ (boot camps, full courses, multiple question banks). Most people don't need the high end. The official ISACA review manual plus a quality question bank covers it.

Time is the bigger cost. 8-16 weeks at 10-15 hours per week works out to 80-240 hours of your life. Whether that math works depends on what CISA does for your career — for most people in audit, GRC, or security leadership tracks, the ROI is real, but it's worth thinking through before you start.

If you're still deciding between CISA and CISM specifically, that's a different conversation — the CISA vs CISM comparison covers when each one makes sense.

Where to Start

Before you commit to a 12-week plan or buy a stack of study materials, take a diagnostic and find out where you actually stand on each domain. Most candidates are wrong about their weak spots — security pros think Domain 5 will be easy and get crushed by Domain 1 framing; auditors think Domain 4 will be a slog and find it familiar.

LearnZapp has a free CISA diagnostic that takes about 20 minutes and gives you a domain-level breakdown. No signup. Use it to figure out which version of the timeline above actually applies to you, then build your plan around real gaps instead of guessed ones: free CISA diagnostic test.
