Exam Overview
Format
150 multiple-choice questions, 240 minutes (4 hours). All questions are scenario-based and test IS audit judgment.
Scoring
Scaled score 200-800. Passing: 450. No penalty for wrong answers — always answer every question. Scores are scaled, so the raw number of correct answers needed varies by exam form.
Domains & Weights
- Information Systems Auditing Process: 18%
- Governance and Management of IT: 18%
- Information Systems Acquisition, Development and Implementation: 12%
- Information Systems Operations and Business Resilience: 26%
- Protection of Information Assets: 26%
Registration
The exam fee is $575 USD for ISACA members and $760 USD for non-members. The exam is available year-round at PSI testing centers worldwide or online with remote proctoring. Certification requires 5 years of IS audit experience; you can sit the exam first and then meet the experience requirement within 5 years of passing.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Information Systems Auditing Process
This domain covers the IS audit lifecycle from planning through reporting. You need to understand risk-based audit planning, audit standards (ITAF), evidence collection, sampling methods, CAATs, control evaluation, and how to communicate audit findings effectively. This is the foundational domain that establishes the auditor mindset needed throughout the exam.
Key Topics
Must-Know Concepts
- Risk-based audit planning: audits must be prioritized based on risk assessment, not arbitrary rotation or management preference
- Audit charter: the formal document authorizing audit activity, defining scope, authority, responsibility, and reporting lines — must be approved by senior management or the audit committee
- ISACA ITAF: three levels of guidance — mandatory standards, recommended guidelines, and supportive tools and techniques
- Types of audit evidence by reliability: auditor-generated evidence (re-performance, CAATs) is more reliable than auditee-provided evidence
- Sampling methods: statistical sampling provides measurable confidence levels; non-statistical (judgmental) sampling relies on auditor expertise but cannot project results to the entire population
- CAATs: know when to use generalized audit software, test data, integrated test facility (ITF), embedded audit modules, and parallel simulation — each has specific use cases
- Control objectives and control testing: preventive controls prevent errors, detective controls identify errors, corrective controls fix errors, compensating controls substitute for primary controls
- Materiality: determines the significance of audit findings — a finding is material if it could influence the decisions of report users
- Audit follow-up: auditors must track remediation of findings and verify management has implemented agreed-upon corrective actions
- Communication of audit results: findings must include condition (what was found), criteria (what should be), cause (why it happened), effect (what impact), and recommendation (how to fix)
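The following is an added example, not part of the original study guide, showing what "auditor-generated evidence" from a CAAT run looks like in practice: a generalized-audit-software style script that re-performs a control total instead of trusting the auditee's reported figure, lists exceptions (duplicate invoice payments, payments above an approval limit), and draws a seeded random sample so another auditor can reproduce the selection. The ledger, the reported total, the approval limit and the vendor names are all constructed for the example.

```python
"""CAAT-style re-performance and exception testing over a constructed AP ledger."""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    amount_cents: int   # integer cents avoid floating-point drift in totals


# Constructed ledger (not real data). P004 pays the same invoice as P001;
# P005 exceeds the constructed approval limit used below.
LEDGER = [
    Payment("P001", "ACME", "INV-100", 120000),
    Payment("P002", "ACME", "INV-101", 48050),
    Payment("P003", "Globex", "INV-7", 950000),
    Payment("P004", "ACME", "INV-100", 120000),
    Payment("P005", "Initech", "INV-55", 1525000),
    Payment("P006", "Globex", "INV-8", 31025),
]

# Control total as reported by the auditee (constructed; omits one payment).
REPORTED_CONTROL_TOTAL_CENTS = 2763050
APPROVAL_LIMIT_CENTS = 1000000   # constructed policy limit: $10,000


def recompute_control_total(ledger):
    """Re-performance: the auditor recomputes the total from the raw records."""
    return sum(p.amount_cents for p in ledger)


def control_total_difference(ledger, reported_cents):
    """Recomputed minus reported; zero means the reported total agrees."""
    return recompute_control_total(ledger) - reported_cents


def duplicate_invoice_payments(ledger):
    """Exception test: (vendor, invoice) pairs paid more than once."""
    seen = defaultdict(list)
    for p in ledger:
        seen[(p.vendor, p.invoice_no)].append(p.payment_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def over_limit_payments(ledger, limit_cents):
    """Exception test: payments above the approval limit."""
    return [p.payment_id for p in ledger if p.amount_cents > limit_cents]


def select_random_sample(ledger, size, seed):
    """Random selection with a fixed seed so the sample is reproducible."""
    rng = random.Random(seed)
    return sorted(p.payment_id for p in rng.sample(ledger, size))


def exception_rate(ledger, limit_cents):
    """Share of the population flagged by either exception test."""
    flagged = set(over_limit_payments(ledger, limit_cents))
    for ids in duplicate_invoice_payments(ledger).values():
        flagged.update(ids)
    return len(flagged) / len(ledger)


if __name__ == "__main__":
    print("control total difference (cents):",
          control_total_difference(LEDGER, REPORTED_CONTROL_TOTAL_CENTS))
    print("duplicate invoices:", duplicate_invoice_payments(LEDGER))
    print("over limit:", over_limit_payments(LEDGER, APPROVAL_LIMIT_CENTS))
    print("sample (seed 7):", select_random_sample(LEDGER, 3, seed=7))
    print("exception rate:", exception_rate(LEDGER, APPROVAL_LIMIT_CENTS))
```

The point the exam tests is in the first two functions: the recomputed total is auditor-generated evidence and outranks the auditee's report, and the difference (here one omitted payment) becomes the "condition" of a finding. The seeded sample is what lets a reviewer re-perform the auditor's own selection.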
Common Exam Traps
Governance and Management of IT
This domain covers IT governance structures, frameworks, and how IT strategy aligns with business objectives. You need to understand the roles of the board, senior management, and IT leadership in governance, as well as frameworks like COBIT, IT investment and resource management, quality assurance, and organizational structures. The auditor evaluates whether governance structures are adequate and effective.
Key Topics
Must-Know Concepts
- IT governance: the board and senior management are responsible for IT governance, which ensures IT supports business objectives, resources are used responsibly, and IT risks are managed appropriately
- COBIT framework: ISACA's own governance framework — know its principles (meeting stakeholder needs, covering enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, separating governance from management)
- IT strategy alignment: IT strategic plan must align with the enterprise business plan. IT projects and investments should support documented business objectives
- IT organizational structure: reporting relationships matter — the CIO should report to the CEO or board, not buried under finance or operations, to ensure IT has strategic influence
- IT resource management: human resources, financial resources, and information resources must be managed to support IT strategy. Includes succession planning and knowledge management
- IT investment management: business cases, cost-benefit analysis, and ROI calculations drive IT investment decisions. Benefits realization must be measured post-implementation
- Enterprise architecture: frameworks (TOGAF, Zachman) that define the structure and operation of an organization's IT environment to align with business strategy
- Quality management: ISO 9001, CMMI maturity levels, and continuous improvement processes ensure IT service delivery meets defined standards
- IT policies, standards, and procedures: policies set direction (what), standards define requirements (how much), procedures detail steps (how). Auditors verify that all three exist and are followed
- Performance monitoring: IT balanced scorecard, KPIs, and KGIs measure whether IT is delivering value. Regular reporting to the board on IT performance is a governance responsibility
Common Exam Traps
Information Systems Acquisition, Development and Implementation
The lightest domain at 12%, covering SDLC, project management, change management, and application controls. Despite its lower weight, this domain tests critical concepts like when auditors should be involved in system development, how to evaluate change management processes, and the difference between application controls and general IT controls.
Key Topics
Must-Know Concepts
- SDLC phases from an audit perspective: feasibility study, requirements definition, system design, development, testing, implementation (parallel, phased, pilot, direct cutover), and post-implementation review
- Auditor involvement in SDLC: the auditor should be involved from the BEGINNING of the project (feasibility stage), not just at the end for testing. Early involvement reduces costly rework
- Change management process: all changes must follow a formal process — request, impact assessment, approval, testing, implementation, and post-implementation review. Emergency changes still require after-the-fact documentation
- Application controls: input controls (validation checks, sequence checks, limit checks, reasonableness checks), processing controls (run-to-run totals, control totals), output controls (reconciliation, distribution lists, report logging)
- Testing methods: unit testing, integration testing, system testing, user acceptance testing (UAT), regression testing. UAT must be performed by END USERS, not developers
- Separation of duties in development: developers should NOT have access to production environments. Testing should be done in separate test environments with test data, not production data
- Post-implementation review: conducted after system go-live to verify the system meets original requirements and delivers expected business benefits
- Project governance: steering committees, project sponsors, and defined roles/responsibilities ensure projects align with business objectives
- Configuration management: tracking and controlling changes to software, hardware, documentation, and related components throughout the system lifecycle
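As an added example (not from the original guide), the block below wires the application controls listed above into one batch run over constructed timesheet records: input controls (sequence, limit and reasonableness checks) reject bad records before processing, processing carries control totals (record count, financial total, hash total) forward, and a run-to-run check reconciles the produced output against those totals. The thresholds, employee IDs and rates are constructed for the example.

```python
"""Input, processing and output controls over a constructed timesheet batch."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TimesheetRecord:
    seq: int            # batch sequence number
    employee_id: int
    hours: float
    hourly_rate: float


MAX_HOURS_PER_WEEK = 60            # constructed limit-check threshold
REASONABLE_RATE = (15.0, 200.0)    # constructed reasonableness range for a rate


def validate_input(batch):
    """Input controls. Returns (accepted records, [(seq, [reasons]), ...])."""
    accepted, rejections = [], []
    expected_seq = batch[0].seq if batch else 0
    for rec in batch:
        reasons = []
        if rec.seq != expected_seq:
            reasons.append("sequence check: gap or out-of-order record")
        if not 0 <= rec.hours <= MAX_HOURS_PER_WEEK:
            reasons.append("limit check: hours outside 0..%d" % MAX_HOURS_PER_WEEK)
        low, high = REASONABLE_RATE
        if not low <= rec.hourly_rate <= high:
            reasons.append("reasonableness check: hourly rate outside expected range")
        if reasons:
            rejections.append((rec.seq, reasons))
        else:
            accepted.append(rec)
        expected_seq = rec.seq + 1   # resynchronise after a gap
    return accepted, rejections


def gross_pay_cents(rec):
    return round(rec.hours * rec.hourly_rate * 100)


def control_totals(records):
    """Record count, financial total and a hash total of employee IDs."""
    return {
        "count": len(records),
        "financial_cents": sum(gross_pay_cents(r) for r in records),
        "hash_total": sum(r.employee_id for r in records),
    }


def compute_gross_pay(records):
    """Processing step: (employee_id, pay in cents) rows."""
    return [(r.employee_id, gross_pay_cents(r)) for r in records]


def run_to_run_check(input_totals, output_rows):
    """Output reconciliation: totals of what came out must equal what went in."""
    output_totals = {
        "count": len(output_rows),
        "financial_cents": sum(pay for _, pay in output_rows),
        "hash_total": sum(emp for emp, _ in output_rows),
    }
    return output_totals == input_totals


def process_batch(batch):
    accepted, rejections = validate_input(batch)
    totals_in = control_totals(accepted)
    output = compute_gross_pay(accepted)
    return {
        "accepted": len(accepted),
        "rejected_seqs": [seq for seq, _ in rejections],
        "totals": totals_in,
        "reconciled": run_to_run_check(totals_in, output),
    }


# Constructed batch: seq 3 fails the limit check, seq 5 follows a gap,
# seq 6 fails the reasonableness check.
SAMPLE_BATCH = [
    TimesheetRecord(1, 1001, 40.0, 25.0),
    TimesheetRecord(2, 1002, 38.5, 30.0),
    TimesheetRecord(3, 1003, 75.0, 20.0),
    TimesheetRecord(5, 1004, 40.0, 22.0),
    TimesheetRecord(6, 1005, 40.0, 5.0),
    TimesheetRecord(7, 1006, 20.0, 50.0),
]

if __name__ == "__main__":
    print(process_batch(SAMPLE_BATCH))
```

Note that `run_to_run_check` compares the output to the totals of the accepted input, not to totals the operator keyed in: if a row is lost or altered between steps, the count, the financial total or the hash total no longer agrees and the batch is not released.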
Common Exam Traps
Information Systems Operations and Business Resilience
One of the two heaviest domains at 26%. Covers IS operations management, IT service management, BCP/DRP, incident management, and infrastructure assessment. From an audit perspective, you evaluate whether operations are efficient, resilient, and recoverable. BIA, recovery metrics (RTO/RPO/MTD), and backup strategies are heavily tested.
Key Topics
Must-Know Concepts
- Business Impact Analysis (BIA): identifies critical business processes, assesses disruption impacts (financial, operational, reputational, legal), and establishes recovery priorities. Must be completed BEFORE BCP/DRP development
- Recovery metrics: RTO (time to recover), RPO (data loss tolerance), MTD (maximum tolerable downtime). MTD >= RTO. These metrics drive recovery strategy selection and backup frequency
- Backup strategies: full (complete copy), incremental (changes since last backup), differential (changes since last full backup). Grandfather-father-son rotation. Off-site storage is mandatory for disaster recovery
- Recovery sites: hot site (fully equipped, hours to recover), warm site (partially equipped, days to recover), cold site (empty facility, weeks to recover), mirror site (real-time replication, immediate failover). Cost increases with lower RTO
- BCP/DRP testing: tabletop/walkthrough (discuss the plan), simulation (practice without affecting production), parallel (test recovery while production continues), full interruption (switch to backup systems). Full interruption provides the best validation but carries the highest risk
- Incident management: detection, reporting, triage, containment, eradication, recovery, and post-incident review (lessons learned). Containment is the FIRST priority after detection to limit damage
- IT service management: SLA management, capacity planning, availability management, performance monitoring, and problem management (root cause analysis vs incident management)
- IS operations controls: job scheduling, operator procedures, system monitoring, help desk operations, and operations documentation. Segregation of duties between operators and programmers is essential
- Network infrastructure: routers, switches, load balancers, proxies, wireless access points. Know how to evaluate network architecture and identify single points of failure
- Data center operations: environmental controls, power management (UPS, generators, PDUs), physical security, fire suppression (gas-based in data centers), and monitoring systems
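The following added example (not from the original guide) simulates a constructed week of file changes and takes full, incremental and differential backups of it, so the three definitions become something you can check: each strategy restores the same end state, but the number of backup sets a restore must apply, and the size of each daily set, differ. It also applies the RTO/RPO/MTD relationships to constructed figures. File contents, the change schedule and all times are constructed.

```python
"""Full vs incremental vs differential backups, and recovery-metric checks."""

# Day 0 state and the constructed changes made on later days (no deletions,
# so a backup set only ever adds or overwrites files on restore).
INITIAL = {"a": "a0", "b": "b0", "c": "c0"}
CHANGES = {1: {"a": "a1"}, 2: {"b": "b1"}, 3: {"a": "a2"}, 4: {"d": "d0"}, 5: {"c": "c1"}}
DAYS = 6


def build_states(initial, changes, days):
    """State of the file set at the end of each day 0..days."""
    states = [dict(initial)]
    for day in range(1, days + 1):
        state = dict(states[-1])
        state.update(changes.get(day, {}))
        states.append(state)
    return states


def take_backups(states, strategy):
    """Day 0 is always a full backup; later days follow the chosen strategy."""
    backups = [(0, dict(states[0]))]
    last_full = states[0]
    for day in range(1, len(states)):
        today = states[day]
        if strategy == "full":
            backup = dict(today)
        elif strategy == "incremental":   # changed since the previous backup
            prev = states[day - 1]
            backup = {f: c for f, c in today.items() if prev.get(f) != c}
        elif strategy == "differential":  # changed since the last full backup
            backup = {f: c for f, c in today.items() if last_full.get(f) != c}
        else:
            raise ValueError("unknown strategy: %r" % strategy)
        backups.append((day, backup))
    return backups


def restore_chain(strategy, target_day):
    """Which backup sets, in order, a restore to target_day must apply."""
    if strategy == "full":
        return [target_day]
    if strategy == "incremental":
        return list(range(0, target_day + 1))
    if strategy == "differential":
        return [0] if target_day == 0 else [0, target_day]
    raise ValueError("unknown strategy: %r" % strategy)


def restore(strategy, backups, target_day):
    by_day = dict(backups)
    restored = {}
    for day in restore_chain(strategy, target_day):
        restored.update(by_day[day])
    return restored


def recovery_targets(rto_hours, rpo_hours, mtd_hours, backup_interval_hours, measured_recovery_hours):
    """RPO bounds the backup interval, RTO bounds recovery time, and MTD must be >= RTO."""
    return {
        "plan_consistent": mtd_hours >= rto_hours,
        "rpo_met": backup_interval_hours <= rpo_hours,
        "rto_met": measured_recovery_hours <= rto_hours,
    }


if __name__ == "__main__":
    states = build_states(INITIAL, CHANGES, DAYS)
    for strategy in ("full", "incremental", "differential"):
        backups = take_backups(states, strategy)
        sizes = [len(b) for _, b in backups]
        print(strategy, "sets per day:", sizes, "restore day 5 needs:", restore_chain(strategy, 5))
    # Constructed targets: nightly backups against a 12-hour RPO, 8-hour RTO, 24-hour MTD.
    print(recovery_targets(rto_hours=8, rpo_hours=12, mtd_hours=24,
                           backup_interval_hours=24, measured_recovery_hours=6))
```

The constructed case deliberately fails RPO: nightly backups (24-hour interval) cannot satisfy a 12-hour RPO even though the measured recovery beats RTO, which is why the guide says RPO drives backup frequency and RTO drives the recovery-site choice.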
Common Exam Traps
Protection of Information Assets
The other heavily weighted domain at 26%. Covers the full spectrum of information asset protection: access controls, encryption, network security, endpoint security, physical security, vulnerability management, security awareness, and incident response. From an audit perspective, you evaluate whether protection controls are adequate, properly implemented, and effectively monitored.
Key Topics
Must-Know Concepts
- Access control principles: least privilege (minimum access needed), separation of duties (no single person controls a full process), need-to-know (access limited to job requirements), and defense in depth (layered controls)
- Access control models: DAC (owner-controlled), MAC (label/clearance-based, most restrictive), RBAC (role-assigned, most scalable for enterprises). RBAC is the ISACA-preferred model for large organizations
- Authentication factors: something you know (password), something you have (token/smart card), something you are (biometrics). Multi-factor authentication requires at least two DIFFERENT factors
- Encryption: symmetric (AES — fast, bulk data), asymmetric (RSA — key exchange, digital signatures), hashing (SHA-256 — integrity). PKI components: CA, RA, CRL, certificates
- Network security controls: firewalls (packet filtering, stateful inspection, application-level proxy), DMZ architecture, IDS (detection) vs IPS (prevention), VPNs, NAC, network segmentation
- Vulnerability management: vulnerability scanning identifies weaknesses; penetration testing actively exploits them. Patch management must be timely and tested before deployment
- Security awareness training: must cover all employees, be role-appropriate, updated regularly, and measured for effectiveness. Social engineering awareness is critical
- Incident response: prepare, detect, contain, eradicate, recover, lessons learned. Evidence preservation and chain of custody are critical if legal action may follow
- Physical security: layered approach (perimeter, building, floor, room, rack), environmental controls (HVAC, fire suppression, water detection, UPS), and visitor management
- Data classification: defines protection requirements based on sensitivity. Determines access controls, encryption requirements, handling procedures, and retention/destruction methods
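As an added example (not from the original guide), the block below puts the access-control bullets above into one decision function: role-based permissions with least privilege (deny unless a role grants it), a separation-of-duties conflict matrix checked against a user's combined roles, and a multi-factor check that counts distinct factor categories rather than credentials, so that password plus PIN is correctly treated as a single factor. Roles, permissions, conflict pairs and factor names are constructed for the example.

```python
"""RBAC with separation-of-duties conflicts and a distinct-factor MFA check."""

# Constructed role definitions for an accounts-payable process.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:approve", "invoice:read"},
    "treasury": {"payment:release", "invoice:read"},
    "it_auditor": {"invoice:read", "audit_log:read"},
}

# Constructed SoD matrix: permission pairs no single person may hold together.
SOD_CONFLICTS = [
    ("invoice:create", "invoice:approve"),
    ("invoice:approve", "payment:release"),
]

# Credential type -> authentication factor category.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "totp_app": "have", "hardware_token": "have", "smart_card": "have",
    "fingerprint": "are", "face_scan": "are",
}


def effective_permissions(roles):
    """Union of the permissions granted by the assigned roles."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError("unknown role: %r" % role)
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(roles):
    """Conflict pairs that the combined role set would let one person hold."""
    perms = effective_permissions(roles)
    return sorted(pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms)


def is_authorized(roles, permission):
    """Least privilege: nothing is allowed unless a role explicitly grants it."""
    return permission in effective_permissions(roles)


def distinct_factor_categories(presented):
    return {FACTOR_CATEGORY[f] for f in presented}


def is_multifactor(presented):
    """At least two DIFFERENT categories; two 'know' credentials are one factor."""
    return len(distinct_factor_categories(presented)) >= 2


def access_decision(roles, permission, presented_factors):
    """Deny on SoD conflict, missing permission, or single-factor authentication."""
    if sod_violations(roles):
        return "deny: separation-of-duties conflict in role assignment"
    if not is_authorized(roles, permission):
        return "deny: permission not granted"
    if not is_multifactor(presented_factors):
        return "deny: multi-factor authentication required"
    return "allow"


if __name__ == "__main__":
    print(access_decision(["ap_approver"], "invoice:approve", ["password", "hardware_token"]))
    print(access_decision(["ap_clerk", "ap_approver"], "invoice:approve", ["password", "hardware_token"]))
    print(access_decision(["ap_approver"], "invoice:approve", ["password", "pin"]))
```

The SoD check runs on the role assignment, not on individual transactions, which is where an auditor reviewing user-to-role mappings would find the conflict before any invoice is both created and approved by the same person.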
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.