Coming Soon

This course is in active development. Expected availability will be announced soon; create a free account to be notified the moment it goes live.

CISA®

The course equips IT audit professionals with practical expertise in the five CISA domains—auditing process, IT governance, acquisition and development, operations resilience, and asset protection—enabling them to conduct, document, and report audits effectively.

Exam format

  • Duration: 240 minutes
  • Questions: 150
  • Passing score: 450/800
  • Exam cost: USD 575 (ISACA member) / USD 760 (non-member)

Who Should Take This

This course is designed for senior auditors, risk managers, and security analysts who have at least five years of experience in information systems auditing, control, or security. These professionals seek to validate their competency, deepen their knowledge of governance and resilience frameworks, and earn the CISA credential to advance their careers.

What's Covered

  • All domains and objectives in the ISACA Certified Information Systems Auditor (CISA) exam: Domain 1 Information System Auditing Process, Domain 2 Governance and Management of IT, Domain 3 Information Systems Acquisition, Development and Implementation, Domain 4 Information Systems Operations and Business Resilience, and Domain 5 Protection of Information Assets.

What's Included in AccelaStudy® AI

  • Adaptive Knowledge Graph
  • Practice Questions
  • Lesson Modules
  • Console Simulator Labs
  • Exam Tips & Strategy
  • 20 Activity Formats

Course Outline

61 learning goals
Domain 1: Information System Auditing Process (4 topics)

IS audit planning

  • Apply risk-based audit planning methodologies to develop an IS audit strategy that aligns with organizational objectives and regulatory requirements.
  • Analyze the IT environment to identify audit universe components, assess inherent and residual risks, and prioritize audit engagements accordingly.
  • Apply ISACA IT Audit and Assurance Standards, Guidelines, and Tools and Techniques to plan individual audit engagements with defined scope and objectives.
  • Develop audit resource allocation plans considering staff competencies, time budgets, and technology requirements for effective audit execution.

IS audit execution

  • Apply audit evidence collection techniques including inquiry, observation, inspection, and re-performance to obtain sufficient and appropriate evidence.
  • Implement computer-assisted audit techniques (CAATs) and data analytics to test automated controls and analyze large data populations for anomalies.
  • Analyze audit evidence to evaluate control design adequacy and operating effectiveness, identifying control deficiencies and their root causes.
  • Apply sampling methodologies including statistical and judgmental sampling to draw valid conclusions from audit populations.

IS audit reporting and follow-up

  • Develop audit findings with clearly defined criteria, condition, cause, effect, and recommendations that communicate risks to stakeholders effectively.
  • Evaluate management responses to audit findings and assess the adequacy of corrective action plans for addressing identified control deficiencies.
  • Design follow-up procedures to verify that management has implemented agreed-upon corrective actions and that residual risks are within acceptable levels.

IS audit quality assurance

  • Apply quality assurance and improvement programs to ensure IS audit activities conform to professional standards and deliver consistent results.
  • Analyze the effectiveness of the IS audit function by evaluating key performance indicators, stakeholder satisfaction, and alignment with audit charter objectives.

Domain 2: Governance and Management of IT (3 topics)

IT governance frameworks

  • Analyze IT governance structures to determine whether they provide adequate direction, oversight, and accountability for IT investments and operations.
  • Apply COBIT framework principles to evaluate the alignment of IT governance processes with enterprise governance objectives and stakeholder needs.
  • Evaluate IT policies, standards, and procedures to determine their adequacy in addressing organizational objectives, regulatory requirements, and industry best practices.

IT strategic planning and management

  • Evaluate IT strategic plans to assess alignment with business strategy, feasibility of implementation, and adequacy of performance measurement mechanisms.
  • Apply IT resource management principles to assess whether personnel, technology, and financial resources are allocated effectively to support strategic objectives.
  • Recommend improvements to IT performance monitoring and reporting mechanisms based on gap analysis between current capabilities and strategic targets.

IT risk management and compliance

  • Apply IT risk management frameworks to evaluate the effectiveness of risk identification, assessment, response, and monitoring processes.
  • Analyze regulatory compliance requirements to assess the adequacy of IT controls in meeting obligations such as SOX, GDPR, HIPAA, and PCI-DSS.
  • Evaluate third-party and vendor risk management practices including due diligence, contract provisions, SLAs, and ongoing monitoring of outsourced IT services.

Domain 3: Information Systems Acquisition, Development and Implementation (3 topics)

IS acquisition and development

  • Evaluate business case development and feasibility analysis processes to determine whether proposed IT investments align with organizational needs and deliver expected value.
  • Apply SDLC audit procedures to assess the adequacy of requirements gathering, system design, coding standards, testing, and quality assurance across waterfall and agile methodologies.
  • Analyze project management practices to evaluate scope management, risk mitigation, milestone tracking, and stakeholder communication effectiveness.

IS implementation and testing

  • Evaluate system testing methodologies including unit testing, integration testing, user acceptance testing, and regression testing to verify that controls operate as designed.
  • Apply data migration and conversion audit techniques to assess data integrity, completeness, and accuracy during system transitions.
  • Evaluate post-implementation review processes to determine whether systems meet business requirements and controls function as intended after deployment.

Change management and maintenance

  • Apply change management audit procedures to evaluate the adequacy of change request, approval, testing, and implementation processes.
  • Analyze configuration management controls to assess version control, baseline management, and unauthorized change detection capabilities.
  • Evaluate patch management processes to determine timeliness, completeness, and risk-based prioritization of security and system patches.

Domain 4: Information Systems Operations and Business Resilience (4 topics)

IT service management and operations

  • Evaluate IT service management practices against ITIL frameworks to assess service delivery, service level agreement compliance, and capacity management.
  • Apply audit procedures to assess IT operations including job scheduling, batch processing, system monitoring, and problem management controls.
  • Analyze database management controls including data integrity, backup procedures, access controls, and recovery capabilities to ensure data availability.

IT infrastructure and network audit

  • Evaluate network architecture and infrastructure controls including firewalls, routers, switches, VPNs, and wireless security configurations.
  • Apply audit procedures to assess cloud computing environments including shared responsibility models, SaaS/PaaS/IaaS control boundaries, and data residency requirements.
  • Evaluate virtualization and containerization controls including hypervisor security, VM sprawl management, and container orchestration security configurations.

Business continuity and disaster recovery

  • Evaluate business impact analysis processes to assess the identification of critical business functions, recovery time objectives, and recovery point objectives.
  • Apply audit procedures to assess business continuity and disaster recovery plans for completeness, currency, and alignment with organizational risk tolerance.
  • Analyze DR testing results to evaluate plan effectiveness, identify gaps in recovery procedures, and recommend improvements to resilience strategies.
  • Design comprehensive business resilience audit programs that integrate BCP, DRP, and incident response assessment procedures for end-to-end coverage.

Incident management

  • Evaluate incident management processes to assess detection, escalation, containment, eradication, and recovery procedures for security events.
  • Apply audit procedures to assess incident response team readiness, communication protocols, and post-incident review effectiveness.
  • Recommend improvements to incident management frameworks based on analysis of incident trends, root cause patterns, and lessons learned from prior events.

Domain 5: Protection of Information Assets (5 topics)

Information security governance and frameworks

  • Evaluate information security governance structures to assess alignment with enterprise governance, regulatory requirements, and industry frameworks such as ISO 27001 and NIST CSF.
  • Apply audit procedures to assess information security policies, standards, and procedures for completeness, currency, and organizational alignment.
  • Evaluate data classification schemes and information asset inventories to assess the adequacy of protection controls relative to data sensitivity levels.

Logical and physical access controls

  • Evaluate logical access control mechanisms including identity management, authentication methods, authorization models, and privileged access management.
  • Apply audit procedures to assess user access provisioning, periodic access reviews, segregation of duties, and access termination processes.
  • Evaluate physical and environmental controls including facility access, surveillance, environmental monitoring, and media handling to protect information assets.
  • Design access control audit programs that comprehensively assess logical, physical, and administrative controls across on-premises and cloud environments.

Network security and encryption

  • Evaluate network security controls including firewalls, IDS/IPS, network segmentation, and secure communication protocols for adequacy against identified threats.
  • Apply audit procedures to assess encryption implementation including key management, certificate lifecycle management, and cryptographic protocol configuration.
  • Evaluate endpoint security controls including antimalware, EDR, application whitelisting, and mobile device management for comprehensive endpoint protection.

Vulnerability management and security testing

  • Evaluate vulnerability management programs to assess scanning frequency, remediation timelines, and risk-based prioritization effectiveness.
  • Apply audit procedures to assess penetration testing scope, methodology, and remediation tracking for identified vulnerabilities.
  • Evaluate security awareness training programs to assess coverage, effectiveness measurement, and alignment with organizational threat landscape.
  • Design integrated security assessment strategies that combine vulnerability scanning, penetration testing, and control testing for comprehensive assurance.

Emerging technology audit

  • Evaluate AI and machine learning system controls including model governance, training data integrity, bias detection, and explainability requirements.
  • Apply audit procedures to assess blockchain and distributed ledger implementations including consensus mechanisms, smart contract security, and data immutability.
  • Evaluate IoT security controls including device authentication, firmware update mechanisms, network segmentation, and data privacy protections for connected devices.

Scope

Included Topics

  • All domains and objectives in the ISACA Certified Information Systems Auditor (CISA) exam: Domain 1 Information System Auditing Process (18%), Domain 2 Governance and Management of IT (18%), Domain 3 Information Systems Acquisition, Development and Implementation (12%), Domain 4 Information Systems Operations and Business Resilience (26%), and Domain 5 Protection of Information Assets (26%).
  • Professional-level IT audit knowledge including audit planning and execution, risk-based audit approaches, evidence collection and evaluation, audit reporting, follow-up procedures, and continuous auditing methodologies.
  • Core IT audit and assurance concepts: ISACA IT Audit Framework, COBIT, ITIL, ISO 27001, SOC reports, audit sampling, CAATs, data analytics for audit, IT general controls (ITGCs), application controls, change management auditing, access control reviews, and business continuity audit.
  • Governance and management of IT including enterprise IT governance frameworks, IT strategic planning, IT organizational structure, IT policies and standards, IT resource management, IT performance monitoring, and quality assurance.
  • Information systems acquisition, development, and implementation including SDLC methodologies, project management, system testing, data migration, post-implementation review, and change management.
  • Information systems operations and business resilience including IT service management, IT operations, hardware and software management, network infrastructure, disaster recovery planning, BCP, and incident management.
  • Protection of information assets including information security governance, logical and physical access controls, network security, encryption, vulnerability management, and data classification.
  • Emerging technology audit considerations including cloud computing, AI/ML systems, blockchain, IoT, and their impact on IT audit practices.

Not Covered

  • Detailed information security management program development and strategic planning (covered by CISM).
  • Enterprise IT governance strategy and value delivery frameworks at C-suite level (covered by CGEIT).
  • Deep risk management methodologies including quantitative risk modeling and risk appetite frameworks (covered by CRISC).
  • Privacy engineering and data protection by design implementation (covered by CDPSE).
  • Hands-on SOC operations, threat hunting, and real-time incident response techniques (covered by CCOA).
  • Vendor-specific audit tool administration beyond general CAAT concepts.

Official Exam Page

Learn more at ISACA


Trademark Notice

ISACA®, CISA®, CISM®, CRISC®, CGEIT®, and CDPSE® are registered trademarks of ISACA. ISACA does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.