CertPrepNow
Updated 2026-06-15

CISA Study Guide

Everything you need to pass the ISACA Certified Information Systems Auditor exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The CISA exam is passable with free resources if you study consistently for 8-14 weeks and think like an IS auditor, not an IT administrator:

  • ISACA CISA Exam Content Outline (free download from ISACA website)
  • ISACA free self-assessment questions (10 free practice questions)
  • COBIT framework overview and resources (free from ISACA)
  • NIST SP 800-53 security controls catalog (free)
  • NIST Cybersecurity Framework documentation (free)
  • ISO 27001/27002 overview materials (free summaries available)
  • 500+ free practice questions on this site

CISA is an auditor's exam. Free resources cover the technical knowledge, but success depends on learning to answer from an auditor's perspective: what would a professional IS auditor recommend? The ISACA QAE database ($299 for members) is the single most valuable paid resource if you can budget one purchase.

Choose Your Study Path

You have IT experience but limited information systems auditing or governance background. You need to build both audit knowledge and the auditor mindset ISACA tests for.

Week 1-2: Study IS audit fundamentals (Domain 1, 18%): audit planning, risk-based audit approach, audit charter, audit standards (ISACA ITAF), types of controls (preventive, detective, corrective), and evidence collection methods (observation, inquiry, inspection, re-performance)
Week 3-4: Learn IT governance and management (Domain 2, 18%): governance vs management, IT strategy alignment with business objectives, COBIT framework, enterprise architecture, IT balanced scorecard, IT investment and portfolio management, and quality management
Week 5-6: Study IS acquisition, development, and implementation (Domain 3, 12%): SDLC phases, change management, requirements analysis, project governance, feasibility studies, post-implementation review, and application controls (input, processing, output)
Week 7-9: Deep dive into Domain 4 (26%): IS operations, service management (ITIL), capacity and performance management, problem and incident management, database administration, network infrastructure, BCP, DRP, BIA, recovery metrics (RTO, RPO, MTD), and backup strategies
Week 10-12: Deep dive into Domain 5 (26%): information asset protection, access control models (DAC, MAC, RBAC), encryption methods (symmetric, asymmetric, hashing), network security, firewall types, IDS/IPS, vulnerability management, security awareness training, and incident response
Week 13: Practice 300+ questions focusing on the auditor mindset. For every question, ask: What would an IS AUDITOR recommend? Review all incorrect answers and identify the ISACA-preferred reasoning pattern
Week 14: Take full-length practice exams (150 questions, 4 hours). Target 70%+ before scheduling. Focus on Domains 4 and 5, which together are 52% of the exam

Exam Overview

Format

150 multiple-choice questions in 240 minutes (4 hours). Questions are predominantly scenario-based and test IS audit judgment rather than recall of definitions.

Scoring

Scaled score 200-800. Passing: 450. No penalty for wrong answers — always answer every question. Scores are scaled, so the raw number of correct answers needed varies by exam form.

Domains & Weights

  • Information Systems Auditing Process: 18%
  • Governance and Management of IT: 18%
  • Information Systems Acquisition, Development and Implementation: 12%
  • Information Systems Operations and Business Resilience: 26%
  • Protection of Information Assets: 26%

Registration

Exam fee: $575 USD for ISACA members, $760 for non-members. Offered year-round at PSI testing centers worldwide or online with remote proctoring. Certification requires five years of professional IS/IT audit, control, assurance or security experience (ISACA grants partial waivers for certain degrees and certifications); you can sit the exam first and then apply for certification within five years of passing.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1 (Must Know): You must understand these concepts deeply, know definitions, and be able to apply them in audit scenarios. These appear across multiple questions throughout the exam.
Tier 2 (Should Know): Understand what these are and their key characteristics. May appear in 3-8 questions each across the exam.
Tier 3 (Recognize Only): Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1 (18% of exam)

Information Systems Auditing Process

This domain covers the IS audit lifecycle from planning through reporting. You need to understand risk-based audit planning, audit standards (ITAF), evidence collection, sampling methods, CAATs, control evaluation, and how to communicate audit findings effectively. This is the foundational domain that establishes the auditor mindset needed throughout the exam.

Key Topics

Risk-Based Audit Planning, ISACA ITAF Standards, Audit Evidence, Sampling Methods, CAATs, Control Self-Assessment, Audit Reporting

Must-Know Concepts

  • Risk-based audit planning: audits must be prioritized based on risk assessment, not arbitrary rotation or management preference
  • Audit charter: the formal document authorizing audit activity, defining scope, authority, responsibility, and reporting lines — must be approved by senior management or the audit committee
  • ISACA ITAF: three levels of guidance — mandatory standards, recommended guidelines, and supportive tools and techniques
  • Types of audit evidence by reliability: auditor-generated evidence (re-performance, CAATs) is more reliable than auditee-provided evidence
  • Sampling methods: statistical sampling provides measurable confidence levels; non-statistical (judgmental) sampling relies on auditor expertise but cannot project results to the entire population
  • CAATs: know when to use generalized audit software, test data, integrated test facility (ITF), embedded audit modules, and parallel simulation — each has specific use cases
  • Control objectives and control testing: preventive controls prevent errors, detective controls identify errors, corrective controls fix errors, compensating controls substitute for primary controls
  • Materiality: determines the significance of audit findings — a finding is material if it could influence the decisions of report users
  • Audit follow-up: auditors must track remediation of findings and verify management has implemented agreed-upon corrective actions
  • Communication of audit results: findings must include condition (what was found), criteria (what should be), cause (why it happened), effect (what impact), and recommendation (how to fix)
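
The sampling bullet above says statistical sampling gives a measurable confidence level and lets the auditor project results to the population. The following is an added example (not part of the original page) of what that computation looks like for attribute sampling, the kind used when testing whether a control operated: it derives the sample size from the tolerable and expected deviation rates, then projects an observed number of deviations to an upper deviation limit. The binomial model is the standard one; the tolerable rates and confidence level used in the test are assumed, not taken from the page.

```python
from math import ceil, comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable_rate: float, expected_rate: float,
                          confidence: float, max_n: int = 5000) -> int:
    """Smallest sample size n such that, if the true deviation rate were as high as the
    tolerable rate, the chance of seeing no more than the planned number of deviations
    in the sample is at most (1 - confidence).  This is the logic behind the published
    attribute-sampling tables: e.g. 5% tolerable, 1% expected, 95% confidence -> 93 items."""
    if not 0 <= expected_rate < tolerable_rate <= 1:
        raise ValueError("expected deviation rate must be below the tolerable rate")
    for n in range(1, max_n + 1):
        allowed = ceil(expected_rate * n)   # deviations the sampling plan tolerates in the sample
        if binom_cdf(allowed, n, tolerable_rate) <= 1 - confidence:
            return n
    raise ValueError("no sample size found below max_n")


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Achieved upper deviation rate: the largest population rate still consistent with
    seeing `deviations` or fewer in n items at the stated confidence (bisection on the CDF).
    This is the projection step that judgmental sampling cannot support."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > 1 - confidence:
            lo = mid          # rate too low to explain the observation at this confidence
        else:
            hi = mid
    return hi


def evaluate_attribute_sample(n: int, deviations: int, tolerable_rate: float,
                              confidence: float) -> dict:
    """Project the sample to the population and decide whether the control can be relied on:
    reliance is justified only if the upper limit stays within the tolerable rate."""
    limit = upper_deviation_limit(n, deviations, confidence)
    return {"sample_rate": deviations / n, "upper_limit": limit, "rely": limit <= tolerable_rate}


if __name__ == "__main__":
    n = attribute_sample_size(tolerable_rate=0.05, expected_rate=0.01, confidence=0.95)
    print("sample size:", n)
    for found in (0, 1, 3):
        print(found, "deviations ->", evaluate_attribute_sample(n, found, 0.05, 0.95))
```

With one deviation in the 93-item sample the upper limit is just under 5%, so reliance is still justified; with three it is not, even though the sample rate (3.2%) is below the tolerable 5%. That gap between the sample rate and the projected upper limit is what a judgmental sample cannot give you.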

Common Exam Traps

The audit charter must be approved by the AUDIT COMMITTEE or BOARD, not by IT management. If IT management controls the audit charter, auditor independence is compromised
Statistical sampling allows the auditor to project results to the entire population with a measurable confidence level. Judgmental sampling CANNOT be projected to the population
Re-performance by the auditor provides the MOST RELIABLE evidence because the auditor directly executes the control. Inquiry alone (asking staff) is the LEAST reliable evidence
CAATs are most useful when testing LARGE POPULATIONS of data. For small populations, manual testing may be more efficient
The integrated test facility (ITF) sets up a fictitious entity (a dummy account or cost centre) in the production system and processes test transactions against it alongside live data, usually without operators being aware. This tests controls under real conditions but carries the risk of contaminating production data, so the test transactions must be identified and reversed afterwards
Quick Check: Information Systems Auditing Process

An IS auditor discovers that the audit charter was last approved by the IT director three years ago. What is the PRIMARY concern with this finding?

Domain 2 (18% of exam)

Governance and Management of IT

This domain covers IT governance structures, frameworks, and how IT strategy aligns with business objectives. You need to understand the roles of the board, senior management, and IT leadership in governance, as well as frameworks like COBIT, IT investment and resource management, quality assurance, and organizational structures. The auditor evaluates whether governance structures are adequate and effective.

Key Topics

COBIT Framework, IT Governance, Enterprise Architecture, IT Strategy, IT Resource Management, Quality Management, Performance Monitoring

Must-Know Concepts

  • IT governance: the board and senior management are responsible for IT governance, which ensures IT supports business objectives, resources are used responsibly, and IT risks are managed appropriately
  • COBIT framework: ISACA's own governance framework. Know the five COBIT 5 principles (meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, separating governance from management); the current COBIT 2019 edition restates these as six principles for a governance system and keeps the governance/management split
  • IT strategy alignment: IT strategic plan must align with the enterprise business plan. IT projects and investments should support documented business objectives
  • IT organizational structure: reporting relationships matter — the CIO should report to the CEO or board, not buried under finance or operations, to ensure IT has strategic influence
  • IT resource management: human resources, financial resources, and information resources must be managed to support IT strategy. Includes succession planning and knowledge management
  • IT investment management: business cases, cost-benefit analysis, and ROI calculations drive IT investment decisions. Benefits realization must be measured post-implementation
  • Enterprise architecture: frameworks (TOGAF, Zachman) that define the structure and operation of an organization's IT environment to align with business strategy
  • Quality management: ISO 9001, CMMI maturity levels, and continuous improvement processes ensure IT service delivery meets defined standards
  • IT policies, standards, and procedures: policies set direction (what), standards define requirements (how much), procedures detail steps (how). Auditors verify that all three exist and are followed
  • Performance monitoring: IT balanced scorecard, KPIs, and KGIs measure whether IT is delivering value. Regular reporting to the board on IT performance is a governance responsibility

Common Exam Traps

The BOARD is responsible for IT governance, not the IT department. IT management EXECUTES within the governance framework set by the board and senior management
IT strategic planning must be driven by BUSINESS objectives, not technology trends. The correct answer always aligns IT decisions with business value
An IT steering committee provides guidance and oversight but does NOT make operational IT decisions — that is management's responsibility
The CIO reporting to the CFO is a governance WEAKNESS because it subordinates IT strategy to financial management rather than treating IT as a strategic business enabler
COBIT separates governance from management explicitly. Governance includes Evaluate, Direct, and Monitor (EDM). Management includes Align, Plan, and Organize (APO), Build, Acquire, and Implement (BAI), Deliver, Service, and Support (DSS), and Monitor, Evaluate, and Assess (MEA)
Quick Check: Governance and Management of IT

During a governance review, an IS auditor discovers that the CIO reports directly to the CFO. What is the PRIMARY risk of this reporting structure?

Domain 3 (12% of exam)

Information Systems Acquisition, Development and Implementation

The lightest domain at 12%, covering SDLC, project management, change management, and application controls. Despite its lower weight, this domain tests critical concepts like when auditors should be involved in system development, how to evaluate change management processes, and the difference between application controls and general IT controls.

Key Topics

SDLC, Change Management, Project Management, Application Controls, Testing Methods, Post-Implementation Review, Requirements Analysis

Must-Know Concepts

  • SDLC phases from an audit perspective: feasibility study, requirements definition, system design, development, testing, implementation (parallel, phased, pilot, direct cutover), and post-implementation review
  • Auditor involvement in SDLC: the auditor should be involved from the BEGINNING of the project (feasibility stage), not just at the end for testing. Early involvement reduces costly rework
  • Change management process: all changes must follow a formal process — request, impact assessment, approval, testing, implementation, and post-implementation review. Emergency changes still require after-the-fact documentation
  • Application controls: input controls (validation checks, sequence checks, limit checks, reasonableness checks), processing controls (run-to-run totals, control totals), output controls (reconciliation, distribution lists, report logging)
  • Testing methods: unit testing, integration testing, system testing, user acceptance testing (UAT), regression testing. UAT must be performed by END USERS, not developers
  • Separation of duties in development: developers should NOT have access to production environments. Testing should be done in separate test environments with test data, not production data
  • Post-implementation review: conducted after system go-live to verify the system meets original requirements and delivers expected business benefits
  • Project governance: steering committees, project sponsors, and defined roles/responsibilities ensure projects align with business objectives
  • Configuration management: tracking and controlling changes to software, hardware, documentation, and related components throughout the system lifecycle
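
The application-controls bullet above names the checks (sequence, limit, reasonableness, control totals, run-to-run totals, reconciliation) without showing how they fit together. The following is an added example, not code from the original page, that runs them over a constructed payment batch: a batch header carries the control totals keyed at source, each record goes through the input checks, and the output is reconciled back to the input. The record layout, the limit, the "typical amount" reference data and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    seq: int             # sequence number assigned at data entry
    account: str         # 8-digit account number
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    record_count: int       # control total: number of records keyed at source
    amount_total: Decimal   # control total: sum of amounts keyed at source
    hash_total: int         # hash total: sum of account numbers, meaningless but catches keying errors


SINGLE_PAYMENT_LIMIT = Decimal("10000.00")
# Constructed reference data: typical payment per account, used for the reasonableness check
TYPICAL_AMOUNT = {"10000001": Decimal("200"), "10000002": Decimal("12000"),
                  "10000003": Decimal("100"), "10000004": Decimal("250")}


def input_checks(rec: Record, expected_seq: int) -> list[str]:
    """Input controls on one record; returns the names of the checks it failed."""
    failed = []
    if rec.seq != expected_seq:
        failed.append("sequence")              # gap or duplicate in the sequence
    if not (rec.account.isdigit() and len(rec.account) == 8):
        failed.append("format")                # field validation
    if rec.amount <= 0:
        failed.append("validity")
    if rec.amount > SINGLE_PAYMENT_LIMIT:
        failed.append("limit")                 # fixed ceiling
    typical = TYPICAL_AMOUNT.get(rec.account)
    if typical is not None and rec.amount > typical * 5:
        failed.append("reasonableness")        # judged against history, not a fixed limit
    return failed


def process_batch(header: BatchHeader, records: list[Record], opening_balance: Decimal) -> dict:
    """Apply input, processing and output controls to a batch and build the exception report."""
    # Processing control: recompute the control totals and compare with the header
    control_exceptions = []
    if len(records) != header.record_count:
        control_exceptions.append("record_count")
    if sum((r.amount for r in records), Decimal("0")) != header.amount_total:
        control_exceptions.append("amount_total")
    if sum(int(r.account) for r in records if r.account.isdigit()) != header.hash_total:
        control_exceptions.append("hash_total")

    accepted, rejected = [], {}
    expected_seq = records[0].seq if records else 1
    for rec in records:
        failed = input_checks(rec, expected_seq)
        expected_seq = rec.seq + 1   # resynchronise after a gap so only one record is flagged
        if failed:
            rejected[rec.seq] = failed
        else:
            accepted.append(rec)

    accepted_total = sum((r.amount for r in accepted), Decimal("0"))
    rejected_total = sum((r.amount for r in records if r.seq in rejected), Decimal("0"))
    return {
        "control_exceptions": control_exceptions,
        "accepted": [r.seq for r in accepted],
        "rejected": rejected,
        # Run-to-run total carried forward to the next processing stage
        "run_to_run": {"opening": opening_balance, "accepted": accepted_total,
                       "closing": opening_balance + accepted_total},
        # Output control: accepted plus rejected must reconcile to what came in
        "reconciled": accepted_total + rejected_total == sum((r.amount for r in records), Decimal("0")),
    }


# Constructed sample batch. The source document listed account 10000005, but a digit was
# dropped in transmission, so the file's hash total no longer agrees with the header.
SAMPLE_RECORDS = [
    Record(1, "10000001", Decimal("250.00")),
    Record(2, "10000002", Decimal("15000.00")),   # over the single-payment limit
    Record(3, "10000003", Decimal("2000.00")),    # 20x this account's typical payment
    Record(5, "10000004", Decimal("300.00")),     # sequence number 4 is missing
    Record(6, "1000005", Decimal("120.00")),      # 7 digits: truncated account number
]
SAMPLE_HEADER = BatchHeader(record_count=5, amount_total=Decimal("17670.00"),
                            hash_total=10000001 + 10000002 + 10000003 + 10000004 + 10000005)


def sample_report() -> dict:
    return process_batch(SAMPLE_HEADER, SAMPLE_RECORDS, Decimal("0"))


if __name__ == "__main__":
    from pprint import pprint
    pprint(sample_report())
```

Note which control catches which error: the record count and amount total agree with the header, so only the hash total reveals the truncated account number, which is exactly why a hash total over a non-financial field is worth carrying. The limit and reasonableness checks fail different records for different reasons, and the reconciliation at the end is what lets the next stage trust the run-to-run total.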

Common Exam Traps

The auditor should be involved from the BEGINNING of the SDLC, not just at implementation. Discovering control gaps during requirements is far cheaper than discovering them after go-live
User Acceptance Testing (UAT) must be performed by BUSINESS USERS, not IT staff or developers. UAT validates that the system meets business requirements from the user perspective
Emergency changes bypass the normal approval process but MUST still be documented and approved after the fact. Lack of after-the-fact approval is an audit finding
Parallel running (old and new systems simultaneously) is the SAFEST implementation approach but also the most expensive. Direct cutover is the riskiest but fastest
Developer access to PRODUCTION environments is a critical segregation of duties violation. This is a common exam scenario, and the answer is to remove standing developer access to production; if operational support genuinely needs it, it should be granted temporarily, approved, and logged for review
Quick Check: Information Systems Acquisition, Development and Implementation

An IS auditor is assigned to review a new ERP system implementation that is currently in the requirements definition phase. What should the auditor do FIRST?

Domain 4 (26% of exam)

Information Systems Operations and Business Resilience

One of the two heaviest domains at 26%. Covers IS operations management, IT service management, BCP/DRP, incident management, and infrastructure assessment. From an audit perspective, you evaluate whether operations are efficient, resilient, and recoverable. BIA, recovery metrics (RTO/RPO/MTD), and backup strategies are heavily tested.

Key Topics

BIA, BCP, DRP, Incident Management, IT Service Management, Backup Strategies, Capacity Management, Infrastructure Operations

Must-Know Concepts

  • Business Impact Analysis (BIA): identifies critical business processes, assesses disruption impacts (financial, operational, reputational, legal), and establishes recovery priorities. Must be completed BEFORE BCP/DRP development
  • Recovery metrics: RTO (time to recover), RPO (data loss tolerance), MTD (maximum tolerable downtime). MTD >= RTO. These metrics drive recovery strategy selection and backup frequency
  • Backup strategies: full (complete copy), incremental (changes since last backup), differential (changes since last full backup). Grandfather-father-son rotation. Off-site storage is mandatory for disaster recovery
  • Recovery sites: hot site (fully equipped, hours to recover), warm site (partially equipped, days to recover), cold site (empty facility, weeks to recover), mirror site (real-time replication, immediate failover). Cost increases with lower RTO
  • BCP/DRP testing: tabletop/walkthrough (discuss the plan), simulation (practice without affecting production), parallel (test recovery while production continues), full interruption (actually switch to the backup environment). Full interruption gives the best validation but also the highest risk to production, so it needs management approval and a fallback plan
  • Incident management: detection, reporting, triage, containment, eradication, recovery, and post-incident review (lessons learned). Containment is the FIRST priority after detection to limit damage
  • IT service management: SLA management, capacity planning, availability management, performance monitoring, and problem management (root cause analysis vs incident management)
  • IS operations controls: job scheduling, operator procedures, system monitoring, help desk operations, and operations documentation. Segregation of duties between operators and programmers is essential
  • Network infrastructure: routers, switches, load balancers, proxies, wireless access points. Know how to evaluate network architecture and identify single points of failure
  • Data center operations: environmental controls, power management (UPS, generators, PDUs), physical security, fire suppression (gas-based in data centers), and monitoring systems

Common Exam Traps

BIA must be done FIRST, before BCP/DRP. The BIA identifies what needs to be recovered and how quickly. Without BIA, recovery priorities are guesswork
A tabletop exercise tests plan AWARENESS. A full interruption test provides the BEST ASSURANCE that the plan works. The exam tests which type of test is appropriate for different situations
Problem management identifies ROOT CAUSES of recurring incidents. Incident management restores service as quickly as possible. They are related but different processes
Hot sites are the most expensive but provide the fastest recovery. Cold sites are the cheapest but take weeks to activate. The BEST recovery site depends on the RTO requirement, not just budget
Incremental backups are faster to create but SLOWER to restore (need last full + all incrementals). Differential backups are slower to create but FASTER to restore (need last full + last differential only)
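
The backup trap above and the backup-strategies bullet earlier describe the restore chain in words. The following is an added example (not code from the original page) that resolves the chain for both policies, shows what a single corrupt backup set does to each, and measures the resulting data loss against an RPO. The weekly schedule (full backup Sunday 02:00, one backup each following night), the Thursday-afternoon failure and the corrupt sets are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str          # "full", "incremental" or "differential"
    at: datetime       # time the backup set completed
    ok: bool = True    # False models a corrupt or missing backup set


def weekly_schedule(kind: str, week_start: datetime, bad_days=()) -> list:
    """Constructed schedule: a full backup at 02:00 on week_start, then one backup of
    `kind` at 02:00 on each of the next six days.  Day offsets in bad_days are marked corrupt."""
    first = week_start.replace(hour=2, minute=0, second=0, microsecond=0)
    sets = [Backup("full", first)]
    for day in range(1, 7):
        sets.append(Backup(kind, first + timedelta(days=day), ok=day not in bad_days))
    return sets


def restore_chain(backups, failure_time):
    """Return (ordered backup sets to restore, recovery point) for the latest consistent
    state that can be recovered for a failure at failure_time."""
    usable = sorted((b for b in backups if b.at <= failure_time), key=lambda b: b.at)
    fulls = [b for b in usable if b.kind == "full" and b.ok]
    if not fulls:
        raise ValueError("no usable full backup before the failure")
    base = fulls[-1]
    later = [b for b in usable if b.at > base.at and b.kind != "full"]
    chain = [base]
    # Incrementals each depend on the one before them: the chain is only good up to the
    # first bad set, and everything after it is unrecoverable
    for b in (x for x in later if x.kind == "incremental"):
        if not b.ok:
            break
        chain.append(b)
    # Differentials each stand alone relative to the full: restore the newest good one
    good_diffs = [x for x in later if x.kind == "differential" and x.ok]
    if good_diffs:
        chain.append(good_diffs[-1])
    return chain, chain[-1].at


def hours_lost(backups, failure_time) -> float:
    """Data lost for a failure at failure_time: the gap back to the recovery point, in hours."""
    _, recovery_point = restore_chain(backups, failure_time)
    return (failure_time - recovery_point).total_seconds() / 3600


def meets_rpo(backups, failure_time, rpo_hours: float) -> bool:
    return hours_lost(backups, failure_time) <= rpo_hours


# Constructed scenario: week starting Sunday 2024-06-02, failure on Thursday at 14:00
WEEK_START = datetime(2024, 6, 2)
FAILURE = datetime(2024, 6, 6, 14, 0)

if __name__ == "__main__":
    for kind, bad in (("incremental", ()), ("differential", ()),
                      ("incremental", (2,)), ("differential", (4,))):
        sched = weekly_schedule(kind, WEEK_START, bad_days=bad)
        chain, point = restore_chain(sched, FAILURE)
        print(f"{kind:12} corrupt={bad}: restore {len(chain)} sets, "
              f"recovery point {point:%a %H:%M}, {hours_lost(sched, FAILURE):.0f}h lost, "
              f"1h RPO met: {meets_rpo(sched, FAILURE, 1)}")
```

Two things worth noticing in the output. First, both policies lose the same 12 hours when every set is intact: the RPO is set by backup frequency, not by backup type, so a 1-hour RPO like the one in the Quick Check that follows cannot be met by nightly backups of either kind. Second, a corrupt Tuesday incremental pushes the recovery point back to Monday (84 hours lost) because every later incremental depends on it, whereas a corrupt Thursday differential only costs one day because Wednesday's differential stands alone.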
Quick Check: Information Systems Operations and Business Resilience

An organization has completed a BIA and determined that its order processing system has an RTO of 4 hours and an RPO of 1 hour. Which recovery strategy is MOST appropriate?

Domain 5 (26% of exam)

Protection of Information Assets

The other heavily weighted domain at 26%. Covers the full spectrum of information asset protection: access controls, encryption, network security, endpoint security, physical security, vulnerability management, security awareness, and incident response. From an audit perspective, you evaluate whether protection controls are adequate, properly implemented, and effectively monitored.

Key Topics

Access Controls, Encryption, Network Security, Firewalls, IDS/IPS, Vulnerability Management, Security Awareness, Incident Response, Physical Security

Must-Know Concepts

  • Access control principles: least privilege (minimum access needed), separation of duties (no single person controls a full process), need-to-know (access limited to job requirements), and defense in depth (layered controls)
  • Access control models: DAC (owner-controlled), MAC (label/clearance-based, most restrictive), RBAC (role-assigned, most scalable for enterprises). RBAC is the ISACA-preferred model for large organizations
  • Authentication factors: something you know (password), something you have (token/smart card), something you are (biometrics). Multi-factor authentication requires at least two DIFFERENT factors
  • Encryption: symmetric (AES — fast, bulk data), asymmetric (RSA — key exchange, digital signatures), hashing (SHA-256 — integrity). PKI components: CA, RA, CRL, certificates
  • Network security controls: firewalls (packet filtering, stateful inspection, application-level proxy), DMZ architecture, IDS (detection) vs IPS (prevention), VPNs, NAC, network segmentation
  • Vulnerability management: vulnerability scanning identifies weaknesses; penetration testing actively exploits them. Patch management must be timely and tested before deployment
  • Security awareness training: must cover all employees, be role-appropriate, updated regularly, and measured for effectiveness. Social engineering awareness is critical
  • Incident response: prepare, detect, contain, eradicate, recover, lessons learned. Evidence preservation and chain of custody are critical if legal action may follow
  • Physical security: layered approach (perimeter, building, floor, room, rack), environmental controls (HVAC, fire suppression, water detection, UPS), and visitor management
  • Data classification: defines protection requirements based on sensitivity. Determines access controls, encryption requirements, handling procedures, and retention/destruction methods

Common Exam Traps

Multi-factor authentication requires two DIFFERENT factor types. Two passwords are NOT multi-factor — that is just two instances of the same factor (something you know)
IDS DETECTS intrusions and alerts. IPS PREVENTS intrusions by blocking malicious traffic. IDS is passive, IPS is active. The exam tests whether you know which does what
Biometric false acceptance rate (FAR) and false rejection rate (FRR) move in opposite directions: tightening the match threshold lowers FAR (fewer impostors accepted) but raises FRR (more legitimate users rejected), and loosening it does the reverse. The crossover error rate (CER), the point where FAR equals FRR, is the usual single-number measure of a biometric system's accuracy; a lower CER means a better system
Social engineering attacks target PEOPLE, not technology. The best defense is security awareness training combined with policies, not technical controls alone
Clean-agent (gas-based) fire suppression such as FM-200 (HFC-227ea) or Inergen is the preferred choice for data centers because the agent leaves no residue and does not damage equipment. Wet-pipe water sprinklers damage IT equipment; where building codes still require a water system, a pre-action (dry-pipe) system that only charges the pipes after a confirmed detection is used alongside the gas system, so an accidental discharge cannot flood the room
Quick Check: Protection of Information Assets

An IS auditor reviewing a financial application discovers that the same employee can initiate, approve, and post transactions. What is the PRIMARY control concern?
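
The question above, and the separation-of-duties principle in the Must-Know list, are usually tested in an access review by pulling the user-to-role and role-to-permission extracts and looking for toxic combinations. The following is an added example (not code from the original page or any product) of that CAAT: it computes each user's effective permissions across all their roles and reports every conflicting pair, including conflicts that hide inside a single over-broad admin role. The role names, permission names, users and conflict pairs are all hypothetical.

```python
# Constructed role model for a payments application (hypothetical names)
ROLE_PERMISSIONS = {
    "ap_clerk":        {"initiate_payment"},
    "ap_manager":      {"approve_payment"},
    "gl_accountant":   {"post_journal"},
    "developer":       {"modify_code"},
    "release_manager": {"deploy_production"},
    "sysadmin":        {"initiate_payment", "approve_payment", "post_journal", "deploy_production"},
}

# Pairs of permissions that must never sit with one person (the toxic combinations)
SOD_CONFLICTS = [
    ("initiate_payment", "approve_payment"),
    ("approve_payment", "post_journal"),
    ("initiate_payment", "post_journal"),
    ("modify_code", "deploy_production"),   # a developer who can push their own code to production
]

# Constructed user-to-role assignments, as they would come from an access review extract
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},                    # can initiate and approve her own payments
    "dave":  {"developer", "release_manager"},              # can write code and deploy it to production
    "erin":  {"ap_clerk", "ap_manager", "gl_accountant"},   # the scenario in the question above
    "root":  {"sysadmin"},                                  # one over-broad role hides the same conflicts
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def find_sod_conflicts(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                       conflicts=SOD_CONFLICTS):
    """Map each user to the conflicting permission pairs they hold; users with none are omitted.
    Checking effective permissions rather than role names is what catches the admin role."""
    report = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = {frozenset(pair) for pair in conflicts if set(pair) <= perms}
        if hits:
            report[user] = hits
    return report


def roles_causing(user, conflict_pair, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Which of the user's roles grant each side of the conflict; this is what has to change."""
    return {perm: sorted(r for r in user_roles[user] if perm in role_permissions.get(r, ()))
            for perm in conflict_pair}


if __name__ == "__main__":
    for user, hits in find_sod_conflicts().items():
        for pair in hits:
            print(f"{user}: {sorted(pair)} via {roles_causing(user, tuple(pair))}")
```

Alice and Bob each hold one side of the initiate/approve pair and are fine; Carol, Erin and Dave are findings because their role combinations give them both sides; and the "root" user is a finding even though they hold only one role, because the sysadmin role itself bundles the conflicting permissions. Where a conflict cannot be removed (a small finance team, for example), the auditor looks for a compensating control such as independent review of the transactions that user touched, and the roles_causing output tells you exactly which assignment to cite in the finding.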

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

IT Governance vs IT Management

Use IT Governance when…

Sets direction, evaluates performance, and monitors compliance at the board and senior management level. Ensures IT strategy aligns with business objectives and establishes accountability.

Use IT Management when…

Plans, builds, runs, and monitors IT activities within the framework set by governance. Implements policies and procedures established by governance to deliver IT services.

Exam trap

Governance is about direction and oversight (board level). Management is about execution and operations (IT leadership level). The exam frequently presents scenarios where the correct answer depends on knowing which level should take action.

Preventive Controls vs Detective Controls

Use Preventive Controls when…

Controls designed to prevent an event from occurring. Examples: access controls, input validation, segregation of duties, encryption, change management approval processes.

Use Detective Controls when…

Controls designed to identify that an event has occurred. Examples: audit logs, intrusion detection systems, reconciliation, variance analysis, security monitoring.

Exam trap

Preventive controls stop problems BEFORE they occur. Detective controls identify problems AFTER they occur. The exam also tests corrective controls (fix problems after detection) and compensating controls (alternative controls when primary controls are impractical).

Substantive Testing vs Compliance Testing

Use Substantive Testing when…

Tests that verify the accuracy and integrity of data and transactions. Answers the question: Is the data correct? Examples: recalculation, reconciliation, data analysis with CAATs.

Use Compliance Testing when…

Tests that verify adherence to established policies, procedures, and controls. Answers the question: Are the controls being followed? Examples: reviewing approvals, checking segregation of duties.

Exam trap

Substantive testing checks DATA accuracy. Compliance testing checks CONTROL adherence. An auditor finding that transactions are accurate but controls are not followed is a compliance failure even though substantive results are satisfactory.

BCP (Business Continuity Plan) vs DRP (Disaster Recovery Plan)

Use BCP (Business Continuity Plan) when…

A comprehensive plan addressing the continuity of the entire business during and after a disruption, covering people, processes, facilities, and technology. Broader in scope.

Use DRP (Disaster Recovery Plan) when…

A plan specifically focused on restoring IT systems, infrastructure, and data after a disaster. A technical subset of the broader BCP focused on technology recovery.

Exam trap

BCP covers the entire BUSINESS. DRP covers IT SYSTEMS recovery. DRP is a subset of BCP. BIA must be completed before either plan is developed. The exam tests the sequence: BIA first, then BCP/DRP.

RTO (Recovery Time Objective) vs RPO (Recovery Point Objective)

Use RTO (Recovery Time Objective) when…

The maximum acceptable time to restore a system or process after a disruption. Drives recovery strategy selection (hot site vs warm site vs cold site).

Use RPO (Recovery Point Objective) when…

The maximum acceptable amount of data loss measured in time. Drives backup frequency decisions (real-time replication vs daily backups).

Exam trap

RTO measures TIME to recover. RPO measures DATA loss tolerance. A short RPO (near-zero) requires real-time data replication. A short RTO requires a hot site or active-active configuration. MTD (Maximum Tolerable Downtime) must be >= RTO.

Symmetric Encryption vs Asymmetric Encryption

Use Symmetric Encryption when…

Uses a single shared key for both encryption and decryption. Fast and efficient for bulk data. Examples: AES, 3DES (legacy, being retired). Challenge: secure key distribution, since every party that needs the data must first obtain the same secret key.

Use Asymmetric Encryption when…

Uses a public/private key pair. For confidentiality the public key encrypts and only the private key decrypts; for digital signatures the private key signs and the public key verifies. Slower, but solves key distribution. Examples: RSA, ECC.

Exam trap

Symmetric = one key, fast, bulk data. Asymmetric = two keys, slower, key exchange and digital signatures. The exam tests when each is appropriate and how they combine in hybrid systems (TLS uses both).

Inherent Risk vs Residual Risk

Use Inherent Risk when…

The level of risk that exists before any controls are applied. Represents the raw risk exposure from a threat exploiting a vulnerability without mitigation.

Use Residual Risk when…

The level of risk remaining after controls have been implemented. Represents the actual risk exposure the organization accepts after mitigation efforts.

Exam trap

Inherent risk exists BEFORE controls. Residual risk exists AFTER controls. Management must formally accept residual risk. If residual risk exceeds risk appetite, additional controls are needed. A common shorthand is Residual Risk = Inherent Risk - Control Effectiveness; treat it as a statement of the relationship, not as arithmetic you can actually perform.

General IT Controls (GITCs) vs Application Controls

Use General IT Controls (GITCs) when…

Broad controls over the IT environment that support the effective functioning of application controls. Include access security, change management, operations, and program development.

Use Application Controls when…

Controls specific to individual applications that ensure completeness, accuracy, validity, and authorization of transactions. Include input, processing, and output controls.

Exam trap

GITCs are infrastructure-wide and support ALL applications. Application controls are specific to ONE application. If GITCs are weak, the auditor cannot rely on application controls regardless of how well-designed they appear.

Top Mistakes to Avoid

Answering from an IT administrator's perspective instead of an IS auditor's perspective — the auditor evaluates and recommends, not implements and configures
Confusing IT governance (board-level direction and oversight) with IT management (operational execution and administration)
Thinking BCP and DRP are the same thing — BCP covers the entire business, DRP is a technical subset focused on IT recovery
Not remembering the correct sequence: BIA must be completed BEFORE developing BCP/DRP. Without BIA, recovery priorities are arbitrary
Mixing up RTO (time to recover systems), RPO (acceptable data loss), and MTD (maximum tolerable downtime before business failure) — each drives different recovery decisions
Confusing preventive controls (stop problems before they happen) with detective controls (identify problems after they happen) and corrective controls (fix problems after detection)
Treating statistical sampling and judgmental sampling as equivalent — only statistical sampling results can be projected to the entire population with measurable confidence
Forgetting that emergency changes still require after-the-fact documentation and approval — bypassing approval during an emergency does not eliminate the documentation requirement
Confusing symmetric encryption (one shared key, fast) with asymmetric encryption (public/private key pair, key exchange) — both are tested and serve different purposes
Assuming IDS and IPS do the same thing — IDS passively detects and alerts, while IPS actively blocks malicious traffic

Exam-Ready Checklist

Can explain all 5 exam domains and their relative weights (18%, 18%, 12%, 26%, 26%)
Consistently answer questions from an IS auditor's perspective: evaluate, assess, recommend — not implement, configure, manage
Understand the audit lifecycle: planning, fieldwork (evidence collection), reporting, and follow-up, including all evidence types ranked by reliability
Can distinguish governance (board-level) from management (operational) and know which level is responsible for each IT decision
Know COBIT framework governance vs management domains: EDM for governance, APO/BAI/DSS/MEA for management
Understand the complete SDLC from an audit perspective and know when auditor involvement should begin (feasibility, not testing)
Can explain BIA, BCP, DRP relationships and the correct sequence: BIA first, then BCP/DRP
Know all recovery metrics (RTO, RPO, MTD) and how each drives recovery strategy selection and backup frequency
Can match recovery site types (mirror, hot, warm, cold) to appropriate RTO requirements
Understand all access control models (DAC, MAC, RBAC) and know RBAC is preferred for large organizations
Know encryption types (symmetric, asymmetric, hashing), their use cases, and PKI components
Can distinguish between IDS (detect/alert) and IPS (detect/block) and know firewall types
Understand separation of duties violations and why they are critical audit findings
Scored 70%+ on at least two full mock exams (450/800 passing score) with strong performance across Domains 4 and 5

Recommended Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.
